The ALEX protocol on Stacks was hacked and lost $8.37 million! The Foundation promised full compensation

BlockTempo
a day ago

ALEX, a decentralized finance protocol built on the Stacks blockchain, was hacked on the 6th, with approximately 8.37 million USD stolen through a logic vulnerability in its self-listing mechanism. The ALEX Lab Foundation responded quickly, announcing that it will use its treasury to fully compensate all affected users.

Hacker Uses Vulnerability to Steal Nearly 8.4 Million USD

The attacker exploited a logic flaw in the ALEX protocol's self-listing mechanism to drain large amounts of funds from multiple asset pools. Specific losses include 8.4 million STX (approximately 5.69 million USD), 21.85 sBTC (approximately 2.24 million USD), 149,850 USDC/USDT (approximately 14,980 USD), and 2.80 WBTC/BTC (approximately 28,740 USD). The ALEX platform suspended all services immediately upon discovering the attack in order to contain the damage and launch an investigation.

ALEX Foundation Promises Full Compensation and Announces Plan

ALEX Lab Foundation announced a compensation plan on June 7th, promising to fully compensate user losses in USDC.

The compensation amount will be calculated based on the average on-chain exchange rate between 18:00 and 22:00 on June 6th, 2025.

The foundation stated that all affected wallet addresses will be notified and will receive claim forms before 7:59 AM (UTC) on June 9th, 2025. Users must submit claims before 7:59 AM (UTC) on June 11th, and USDC will be sent within 7 working days after confirmation.

Security Expert's Analysis

According to SlowMist founder Yu Xin, the core of the vulnerability lies in the protocol's lack of compatibility verification for failed transactions. He stated:

"This attack cleverly exploited a logical flaw in the self-listing mechanism, allowing attackers to bypass normal verification processes and directly transfer funds from liquidity pools. Such logical vulnerabilities are more difficult to detect through conventional audits compared to simple programming errors."

Yu Xin also mentioned that the ALEX protocol previously suffered a million-dollar loss due to private key leakage. Notably, three weeks before the attack, a security review report by Clarity Alliance had pointed out multiple medium- to low-risk vulnerabilities in ALEX Lab, including liquidity token compliance issues and a lack of minimum amount checks when removing liquidity, but these warnings were seemingly not addressed promptly.
