The ALEX DeFi protocol based on the Stacks blockchain was compromised due to a logic vulnerability, losing nearly $8.4 million. The ALEX Foundation responded quickly and promised full compensation. (Synopsis: Ethereum Pectra upgrades "hacker flip", Wintermute warns: EIP-7702 automates the deployment of a large number of contracts) (Background supplement: Microstrategy open-chain reserve proof PoR, Michael Saylor: public address is too stupid, making hackers easy to snipe) ALEX, a decentralized financial protocol based on the Stacks blockchain, was hacked on the 6th due to a self-listing logic vulnerability $8.37 million in funds stolen. The ALEX Lab Foundation responded quickly by announcing that it would use the treasury to fully compensate all affected users. Hackers exploit vulnerability to steal nearly $8.4 million The attackers exploited a logical flaw in the self-listing mechanism in the ALEX protocol to withdraw large amounts of money from multiple asset pools. Specific losses included 8.4 million STXs ( approximately $5.69 million ), 21.85 sBTCs ( approximately $2.24 million ), 149,850 USDC/USDT ( approximately 14.98 $10,000 ) and 2.80 WBTC/BTC ( about $287,400 ). The ALEX platform has suspended all services immediately upon discovery of the attack to contain the damage and launch an investigation. ALEX Foundation Commits Full Indemnification and Announces Plan The ALEX Lab Foundation announced its compensation plan on June 7, committing to fully compensate users for losses in USDC. The compensation amount will be calculated based on the average of the on-chain exchange rates between 18:00 and 22:00 on June 6, 2025. According to the Foundation, all affected wallet addresses will be notified and the claim form will be received by 7:59 (UTC) June 9, 2025, users will be required to submit by 7:59 (UTC) on June 11, and USDC will be sent within 7 business days after confirmation. On June 6, 2025, ALEX Protocol was exploited via a flaw in the self-listing verification logic (an on-chain limitation on Stacks). As a result, the attacker drained several asset pools, with the breakdown of lost assets as follows: STX: 8,403,867.57 STX → $ 5,691,255.93 sBTC:… — ALEX No. 1 Bitcoin DeFi (@ALEXLabBTC) June 6, 2025 Anatomy of a Security Expert Slow Mist Technology (SlowMist) Founder Cosine Analysis pointed out that the core of the vulnerability lies in the fact that the protocol does not verify the compatibility of failed transactions. "This attack cleverly exploits a logic flaw in the self-listing mechanism, allowing attackers to bypass the normal verification process and directly transfer funds from the liquidity pool," he said. Such logic vulnerabilities are more difficult to routinely audit than simple program errors." Cosine also mentioned that the ALEX protocol lost millions of dollars last year due to the leakage of private keys. It is worth noting that three weeks before the attack, the Clarity Alliance's security review report had pointed out that ALEX Lab had multiple low- and medium-risk vulnerabilities, such as liquidity token compliance and lack of minimum amount checks when removing liquidity, but these warnings did not appear to have been addressed in a timely manner. Related reports China offers a reward of 10,000 yuan for Taiwan's "hacker army", and the information security community laughs: This amount is stuffed between the teeth? Steal $2.1 billion in half a year! Information Security Report: The focus of hacking attacks has shifted from smart contracts to general users, four tricks to teach you to protect crypto assets BitoPro responds to hacker attacks! In May, the transfer of hot wallets was stolen, and sufficient reserves did not affect operations at all 〈The ALEX protocol on Stacks was hacked, losing $8.37 million! The foundation promises full compensation" This article was first published in BlockTempo's "Dynamic Trend - The Most Influential Blockchain News Media".
The content is for reference only, not a solicitation or offer. No investment, tax, or legal advice provided. See Disclaimer for more risks disclosure.
The ALEX protocol on Stacks was hacked, resulting in a loss of 8.37 million USD! The foundation promises full compensation.
The ALEX DeFi protocol based on the Stacks blockchain was compromised due to a logic vulnerability, losing nearly $8.4 million. The ALEX Foundation responded quickly and promised full compensation. (Synopsis: Ethereum Pectra upgrades "hacker flip", Wintermute warns: EIP-7702 automates the deployment of a large number of contracts) (Background supplement: Microstrategy open-chain reserve proof PoR, Michael Saylor: public address is too stupid, making hackers easy to snipe) ALEX, a decentralized financial protocol based on the Stacks blockchain, was hacked on the 6th due to a self-listing logic vulnerability $8.37 million in funds stolen. The ALEX Lab Foundation responded quickly by announcing that it would use the treasury to fully compensate all affected users. Hackers exploit vulnerability to steal nearly $8.4 million The attackers exploited a logical flaw in the self-listing mechanism in the ALEX protocol to withdraw large amounts of money from multiple asset pools. Specific losses included 8.4 million STXs ( approximately $5.69 million ), 21.85 sBTCs ( approximately $2.24 million ), 149,850 USDC/USDT ( approximately 14.98 $10,000 ) and 2.80 WBTC/BTC ( about $287,400 ). The ALEX platform has suspended all services immediately upon discovery of the attack to contain the damage and launch an investigation. ALEX Foundation Commits Full Indemnification and Announces Plan The ALEX Lab Foundation announced its compensation plan on June 7, committing to fully compensate users for losses in USDC. The compensation amount will be calculated based on the average of the on-chain exchange rates between 18:00 and 22:00 on June 6, 2025. According to the Foundation, all affected wallet addresses will be notified and the claim form will be received by 7:59 (UTC) June 9, 2025, users will be required to submit by 7:59 (UTC) on June 11, and USDC will be sent within 7 business days after confirmation. On June 6, 2025, ALEX Protocol was exploited via a flaw in the self-listing verification logic (an on-chain limitation on Stacks). As a result, the attacker drained several asset pools, with the breakdown of lost assets as follows: STX: 8,403,867.57 STX → $ 5,691,255.93 sBTC:… — ALEX No. 1 Bitcoin DeFi (@ALEXLabBTC) June 6, 2025 Anatomy of a Security Expert Slow Mist Technology (SlowMist) Founder Cosine Analysis pointed out that the core of the vulnerability lies in the fact that the protocol does not verify the compatibility of failed transactions. "This attack cleverly exploits a logic flaw in the self-listing mechanism, allowing attackers to bypass the normal verification process and directly transfer funds from the liquidity pool," he said. Such logic vulnerabilities are more difficult to routinely audit than simple program errors." Cosine also mentioned that the ALEX protocol lost millions of dollars last year due to the leakage of private keys. It is worth noting that three weeks before the attack, the Clarity Alliance's security review report had pointed out that ALEX Lab had multiple low- and medium-risk vulnerabilities, such as liquidity token compliance and lack of minimum amount checks when removing liquidity, but these warnings did not appear to have been addressed in a timely manner. Related reports China offers a reward of 10,000 yuan for Taiwan's "hacker army", and the information security community laughs: This amount is stuffed between the teeth? Steal $2.1 billion in half a year! Information Security Report: The focus of hacking attacks has shifted from smart contracts to general users, four tricks to teach you to protect crypto assets BitoPro responds to hacker attacks! In May, the transfer of hot wallets was stolen, and sufficient reserves did not affect operations at all 〈The ALEX protocol on Stacks was hacked, losing $8.37 million! The foundation promises full compensation" This article was first published in BlockTempo's "Dynamic Trend - The Most Influential Blockchain News Media".