
Briefing

The ALEX Protocol, a Bitcoin-based DeFi platform, experienced a significant security incident on June 6, 2025, resulting in losses estimated at up to $16.18 million. The core vulnerability stemmed from failed access controls within its vault system, which an attacker exploited by deploying a malicious token. This allowed the perpetrator to bypass critical security checks and drain multiple liquidity pools.


Context

Prior to this incident, the DeFi landscape on nascent layers like Stacks faced inherent risks associated with complex smart contract interactions and the integration of novel bridging mechanisms. The ALEX Protocol itself had previously suffered a $4.3 million exploit in May 2024, attributed to insufficient input validation, underscoring a recurring pattern of vulnerabilities in its contract logic and security posture.


Analysis

Technically, the attack leveraged a flaw in access controls, not solely a transaction-failure-handling issue as initially reported. The attacker created a fake token whose transfer function was malicious. A subsequent call to set-approved-token then led the ALEX Lab protocol to inadvertently grant vault-level permissions to this malicious contract. The exploit then relied on the as-contract function call, which made it appear as though the vault itself was initiating the transfer, thereby bypassing the established access control mechanisms and enabling the draining of funds.
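To make the access-control point concrete, here is an added illustration in Clarity of the defensive structure a vault needs around exactly this call path. It is not ALEX's code and is not taken from the Halborn report; the contract names (.sip-010-trait, the vault itself), the error codes and the owner principal are assumptions. The two controls it shows are that admission to the approved-token list is gated on contract-caller rather than tx-sender, so no intermediary contract can inherit the owner's authority, and that the vault consults that list before any as-contract call, because inside as-contract every downstream contract sees tx-sender as the vault.

```clarity
;; Added example: a minimal vault that only ever executes an approved token
;; contract under as-contract. Assumes a locally deployed SIP-010 trait at
;; .sip-010-trait (assumption, not ALEX's deployment).
(use-trait ft-trait .sip-010-trait.sip-010-trait)

;; The deployer becomes the owner; a real deployment would use a governance
;; or multi-sig principal here (assumption).
(define-constant contract-owner tx-sender)
(define-constant err-not-authorised (err u1000))
(define-constant err-token-not-approved (err u1001))

;; Allowlist of token contract principals the vault is willing to call.
(define-map approved-tokens principal bool)

(define-read-only (is-approved-token (token principal))
  (default-to false (map-get? approved-tokens token)))

;; Admission to the allowlist is the critical control: a token that gets
;; here will later run with the vault's tx-sender authority.
(define-public (set-approved-token (token principal) (approved bool))
  (begin
    ;; contract-caller is the immediate caller and is not rewritten by
    ;; as-contract, unlike tx-sender.
    (asserts! (is-eq contract-caller contract-owner) err-not-authorised)
    (ok (map-set approved-tokens token approved))))

;; Moves vault-held tokens out. The allowlist check happens BEFORE the
;; as-contract wrapper, so an unapproved contract is never executed with the
;; vault as tx-sender.
(define-public (transfer-out (token <ft-trait>) (amount uint) (recipient principal))
  (let ((token-principal (contract-of token)))
    (asserts! (is-eq contract-caller contract-owner) err-not-authorised)
    (asserts! (is-approved-token token-principal) err-token-not-approved)
    ;; Inside as-contract, tx-sender is this vault; the SIP-010 transfer's
    ;; own sender check therefore passes for the vault's balance only.
    (as-contract (contract-call? token transfer amount tx-sender recipient none))))
```

The lesson the incident illustrates is that the second check is only as strong as the first: once an untrusted contract is admitted to approved-tokens, the as-contract call hands it the vault's tx-sender identity, and any legitimate token contract that authorises transfers on tx-sender will honour requests it makes against the vault's balance. Reviews of vaults built this way should therefore treat the admission function, and every principal allowed to call it, as part of the vault's trust boundary.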


Parameters

  • Protocol Targeted ∞ ALEX Protocol (Alex Lab)
  • Attack Vector ∞ Failed Access Controls / Malicious Token Deployment
  • Financial Impact ∞ Up to $16.18 Million
  • Blockchain Affected ∞ Stacks
  • Date of Incident ∞ June 6, 2025
  • Vulnerable Component ∞ Vault System / Smart Contract Logic


Outlook

Immediate mitigation requires a comprehensive audit of all protocol contracts, particularly focusing on access control mechanisms and token interaction logic. This incident underscores the critical need for rigorous security audits encompassing all code, not just new features, to prevent similar “as-contract” impersonation vulnerabilities. Other DeFi protocols, especially those on emerging layers or utilizing complex permissioning, must re-evaluate their security posture to prevent contagion risk from similar access control bypasses.


Verdict

The ALEX Protocol exploit is a stark reminder that even with prior incidents, fundamental access control vulnerabilities can persist, necessitating continuous, holistic security reviews to safeguard digital assets.

Signal Acquired from ∞ halborn.com
