June 9, 2025 — Bitcoin-native decentralized finance platform Alex Protocol has confirmed it was the target of a significant security exploit, resulting in the loss of over $8.3 million in user funds. The incident took place on June 6, 2025, and involved a vulnerability in the platform's self-listing smart contract function.
According to the official postmortem published by Alex Lab, the attacker bypassed validation checks within the self-listing logic, enabling them to register fake assets and manipulate asset prices. By executing a series of malicious transactions, the attacker drained liquidity from multiple pools including STX, ALEX, sUSDT, sUSDC, xBTC, and USDA.
Blockchain analysis indicates that the attacker conducted the exploit in several batches, initially targeting liquidity pools connected to ALEX-USDA and ALEX-sUSDC. The attacker then expanded the scope to other pools, converting the stolen assets into xBTC and STX before bridging them out via various decentralized exchanges and swapping protocols.
The exploit was executed using multiple wallet addresses and routed through decentralized exchanges to obfuscate the trail. On-chain investigators have identified a total loss amounting to approximately $8,375,000, based on token prices at the time of withdrawal.
Alex Lab, the team behind the protocol, announced that compensation will be provided to affected users using the platform’s treasury reserves. The compensation will be calculated based on average on-chain asset prices recorded between 10:00 a.m. and 2:00 p.m. UTC on the day of the attack. Reimbursement will be made in USDC, and the team has committed to publishing a detailed recovery plan.
“We have paused the self-listing feature and are working closely with third-party auditors to review all smart contracts,” Alex Lab stated on social media. “Security remains our top priority.”
This incident follows a prior exploit in May 2024, where the platform lost $4.3 million due to a smart contract vulnerability involving a cross-chain bridge. That exploit was later attributed to insufficient input validation in contract logic.
FAQs
What was the cause of the Alex Protocol hack?
A validation flaw in the self-listing function allowed an attacker to list fake assets and drain liquidity pools.
How much was stolen in the attack?
Approximately $8.3 million worth of tokens, including STX, ALEX, sUSDT, sUSDC, xBTC, and USDA.
How was the exploit carried out?
The attacker bypassed validation logic, manipulated asset pricing, and used multiple wallets and DEXs to withdraw and obscure stolen funds.
Will affected users be reimbursed?
Yes. Alex Lab stated that users will be reimbursed in USDC based on the average asset prices during the exploit window.
What actions has Alex Lab taken?
They paused the self-listing feature, initiated contract audits, and pledged full transparency as part of their incident response.
