Technical breakdown of the exploit
The attacker exploited a vulnerability allowing the creation of markets without thorough token verification. They deployed a malicious token named ssl-labubu-672d3, which contained a deceptive transfer function within its smart contract. Subsequently, the attacker set up a liquidity pool pairing this malicious token with legitimate assets such as Stacks (STX).
Due to insufficient verification controls in the ALEX Protocol system, the attacker manipulated permissions using the set-approved-token function, unintentionally granting their malicious contract vault-level access. With these permissions, the attacker activated a specific function (set-enable-farming) that enabled the malicious transfer capability.
During routine token swap operations (swap-x-for-y), the legitimate ALEX Protocol contracts inadvertently triggered the malicious transfer function within the attacker’s token contract. Weak internal checks resulted in the protocol mistakenly identifying the vault itself as initiating the transfers, allowing the attacker to withdraw significant amounts of tokens.
Summary of stolen assets
The following assets were compromised:
- Approximately 8.4 million Stacks tokens, equivalent to roughly $5.69 million USD.
- 21.85 Stacks Bitcoin tokens, valued at about $2.24 million USD.
- Stablecoins (USDC and USDT) totaling around $149,850 USD.
- 2.8 Wrapped Bitcoin tokens worth approximately $287,000 USD.
The total loss was estimated at approximately $8.3 million USD, though additional reports indicated losses could be as high as $16.18 million when including stolen aBTC, STX, sUSDT, and ALEX tokens.
ALEX Protocol’s response and reimbursement
Following the incident, the ALEX Lab Foundation pledged full reimbursement to all affected users using USDC from its treasury. Reimbursement amounts were based on average on-chain exchange rates recorded between 10:00 AM and 2:00 PM UTC on the day of the exploit.
Affected users received on-chain notifications regarding claim submissions by June 8, 2025. Claims were required to be submitted by June 10, 2025, with reimbursements distributed within seven business days after verification.
Previous security incidents
This exploit was not an isolated event. In May 2024, ALEX Protocol faced a $4.3 million breach linked to the Lazarus Group. Repeated security incidents underscore broader systemic security challenges in DeFi, especially regarding complex smart contract interactions and bridge vulnerabilities.
Key lessons and preventive measures
This incident highlights critical measures required to safeguard DeFi protocols:
- Implement robust verification and permission controls
Protocols must enforce rigorous token verification processes and stringent permission management to avoid unauthorized access. - Comprehensive smart contract audits
Regular and comprehensive audits of all protocol code, including legacy code, by reputable security firms are essential to proactively detect vulnerabilities. - Real-time onchain monitoring
Guardrail emphasizes the importance of real-time onchain monitoring. Our platform instantly detects suspicious activities, triggers timely alerts, and enables immediate response actions to significantly reduce exploit risks. - Establish clear emergency response protocols
Protocols should integrate multi-signature emergency controls and clearly defined rapid-response plans to promptly mitigate damage when security incidents occur. - Transparency and maintaining community trust
Transparent communication, coupled with well-structured reimbursement strategies, is essential to maintaining trust and confidence within the user community following breaches.
Conclusion
The ALEX Protocol exploit is a compelling reminder of the necessity for robust security practices and continuous vigilance in DeFi ecosystems. By prioritizing comprehensive verification, regular auditing, and utilizing Guardrail for real-time web3 security monitoring, protocols can substantially enhance their security posture and effectively protect user assets.
