ALEX DeFi protocol on the Stacks blockchain hacked due to a logic flaw; nearly $8.4 million lost
The decentralized finance protocol ALEX, built on the Stacks blockchain, was hacked on the 6th. A logic flaw in its self-listing mechanism allowed approximately $8.37 million to be stolen. The ALEX Lab Foundation responded quickly, promising full compensation.
Hacker steals nearly $8.4 million
The attacker exploited a logic flaw in the self-listing mechanism of the ALEX protocol, extracting a large amount of funds from multiple asset pools. The specific losses include 8.4 million STX (approximately $5.69 million), 21.85 sBTC (approximately $2.24 million), 149,850 USDC/USDT (approximately $14.98 thousand), and 2.80 WBTC/BTC (approximately $28.74 thousand). The ALEX platform suspended all services immediately upon discovering the attack in order to contain the damage and begin an investigation.
ALEX Foundation promises full compensation and announces plan
The ALEX Lab Foundation announced a compensation plan on June 7th, promising to compensate users for their losses in USDC.
The compensation amount will be calculated based on the average on-chain exchange rate between 18:00 and 22:00 on June 6, 2025.
The Foundation stated that all affected wallet addresses will receive notifications and claim forms by 7:59 (UTC) on June 9, 2025, and that users must submit the forms by 7:59 (UTC) on June 11, 2025. USDC will be sent within 7 working days after confirmation.
Security expert analysis
Yu Xian, founder of SlowMist Technology, said in his analysis that the core of the vulnerability lies in the protocol not verifying failed transactions. He stated:
“This attack cleverly exploited the logic flaw in the self-listing mechanism, allowing the attacker to bypass the normal verification process and directly transfer funds from the liquidity pool. These types of logic flaws are more difficult to detect through regular audits than simple programming errors.”
Yu Xian also mentioned that the ALEX protocol suffered losses in the million-dollar range last year due to private key leaks. Notably, three weeks before the attack, a security audit report from Clarity Alliance pointed out multiple low to medium-risk vulnerabilities in ALEX Lab, such as compliance with liquidity token removal and a lack of minimum amount checks when removing liquidity, but these warnings appear not to have been addressed in a timely manner.