
The Biggest Exploit in Alex Protocol History: A Detailed Analysis of the Incident
Description of the incident
On June 6, 2025, the decentralized finance (DeFi) platform Alex Protocol, which runs on the Stacks blockchain, suffered one of the largest attacks in the Stacks ecosystem. As a result of the exploit, the attacker managed to withdraw digital assets worth over $8.3 million. This event became a serious challenge to the entire Bitcoin DeFi infrastructure and called into question the resilience of a number of security solutions 1 2 3 .
Reason and mechanism of attack
According to Alex Protocol’s official statement, the incident was caused by a vulnerability in the token self-listing verification logic. The attacker took advantage of this vulnerability to bypass checks and drain liquidity from several asset pools. The technical details of the exploit have not yet been disclosed, but the protocol team promised to publish a detailed report after completing an internal investigation 1 2 3 .
Losses and distribution of stolen assets
The following assets were withdrawn during the attack:
- 8.4 million Stacks (STX) tokens
- 21.85 Stacks Bitcoin (sBTC)
- 149,850 USDC and USDT
- 2.8 Wrapped Bitcoin (WBTC)
The total damage is estimated at $8.3 million, making this incident the largest exploit in the history of Stacks 1 2 4 .
Team response and compensation for victims
The Alex Lab Foundation, the organization that supports Alex Protocol, quickly announced that it would fully compensate affected users using its own treasury reserves. Payments will be made in USDC tokens. The compensation amount for each user is calculated based on the average on-chain rates from 10:00 to 14:00 UTC on the day of the attack to ensure fairness in a highly volatile market 1 2 5 .
Procedure for obtaining compensation
- By June 8, affected wallets received an on-chain notification with a personalized claim form.
- Users had to fill out a form and provide an address to receive funds by June 10.
- Once applications are verified, USDC payments will be made within seven days.
- Users who have not received the form are strongly encouraged to contact the team via email to resolve the situation 1 2 5 .
Additional details of the compensation program
- STX holders will be compensated in USDC at a fixed rate of 0.68 USDC per 1 STX.
- sBTC holders will be fully refunded in aBTC.
- aBTC holders will receive 75% in aBTC and 25% in USDC (at the rate of 102,734 USDC for 1 aBTC).
- Losses in aUSD are compensated by 91% in aUSD and 9% in USDC at a parity of 5 6 .
Not the first incident: May 2024 hack
Alex Protocol has had serious security issues before. In May 2024, the platform suffered a cross-chain bridge attack that resulted in the unauthorized withdrawal of $4.3 million in assets. An investigation revealed that the attackers had gained access to internal private keys through a phishing attack, allowing them to withdraw funds from one of the liquidity vaults 7 8 .
The Alex Protocol team has claimed that the North Korean cybercriminal group Lazarus was likely involved in the attack. The investigation identified three wallets used by the attackers, and the team collaborated with analyst ZachXBT to track down the stolen assets. Some of the funds were frozen on centralized exchanges, but there was no guarantee of a full refund 7 8 .

The significance of the incident for the industry
The Alex Protocol exploit was a wake-up call for the entire DeFi industry, especially for projects built on the Bitcoin and Stacks blockchains. It highlighted the importance of regular audits, transparency, and rapid response from teams to incidents. At the same time, the Alex Lab Foundation’s willingness to fully compensate users was a rare example of responsible behavior in the world of decentralized finance 1 2 9 .
Summary:
The Alex Protocol incidents of May 2024 and June 2025 demonstrate the vulnerability of even large DeFi platforms and highlight the need for continuous improvement of security and transparency mechanisms in the industry.
What are the technical details behind the vulnerability that caused the Alex Protocol exploit?
Technical details of the vulnerability that caused the Alex Protocol exploit
The essence of vulnerability
The Alex Protocol exploit on June 6, 2025 was caused by a critical vulnerability in the token self-listing verification logic. The underlying issue was the lack of verification of new tokens when they were added to the protocol, allowing an attacker to bypass security mechanisms and gain access to funds in liquidity pools 1 2 3 .
How the attack was carried out
- Deployment of a malicious token: The attacker created a special token with a malicious implementation of the transfer function. This token was added to the protocol via a self-listing mechanism, which lacked strict verification of the token’s code and access rights 1 2 .
- Gaining enhanced privileges: Through the set-approved-token function, the attacker ensured that their token was granted vault-level permissions. This allowed the token to interact with the protocol’s internal contracts as a trusted asset 1 .
- Internal call manipulation: During normal swap-x-for-y operations, Alex Protocol smart contracts called the transfer function of a malicious token. Due to incorrect internal checks, the protocol incorrectly determined that the transfer was initiated by the storage contract itself, rather than an external token. This allowed an attacker to initiate a withdrawal from the pool without the appropriate permissions 1 2 .
- Blockchain limitations: An additional factor is the limitation of the Stacks blockchain, which did not allow for reliable detection of failed transactions. This allowed an attacker to reference erroneous transactions and bypass transaction status checks 3 .
Causes and consequences
- Insufficient checks on listing: The protocol did not require rigorous auditing or whitelisting of new tokens, allowing a malicious contract to be introduced.
- Permissions system bugs: Internal protocol functions did not distinguish the initiator of the call, resulting in privilege escalation.
- Limitations of the Stacks infrastructure: The current architecture did not allow for the correct handling of failed transactions, which further facilitated the attack 3 .
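The two root causes above (unreviewed self-listing and an authorization check that does not distinguish the initiator of a call) can be seen side by side in a small model. This is an added example, not Alex Protocol's code: the real contract details have not been published, so the contract names, the `Ctx` fields and the inherited-sender semantics are assumptions made for illustration.

```python
from dataclasses import dataclass

VAULT = "vault"      # hypothetical contract names, not ALEX identifiers
POOL = "amm-pool"


@dataclass(frozen=True)
class Ctx:
    sender: str  # identity the call chain acts as (inherited by nested calls)
    caller: str  # contract that issued this particular call


class CallbackToken:
    """Constructed stand-in for a self-listed token whose transfer re-enters the vault."""

    def __init__(self, name, asset, amount):
        self.name, self.asset, self.amount = name, asset, amount

    def transfer(self, vault, ctx):
        # Nested call: the sender identity is inherited, the immediate caller is the token.
        vault.withdraw(Ctx(sender=ctx.sender, caller=self.name), self.asset, self.amount)


class Vault:
    def __init__(self, reserves, require_review, check_caller):
        self.reserves = dict(reserves)
        self.require_review = require_review  # mitigation 1: gate listing on review
        self.check_caller = check_caller      # mitigation 2: authorize the real caller
        self.reviewed = set()                 # tokens cleared by an out-of-band review
        self.approved = set()                 # tokens holding vault-level permission

    def set_approved_token(self, token):
        if self.require_review and token.name not in self.reviewed:
            raise PermissionError("listing rejected: token not reviewed")
        self.approved.add(token.name)

    def withdraw(self, ctx, asset, amount):
        if self.check_caller:
            ok = ctx.caller in (VAULT, POOL)  # hardened: who actually called us?
        else:
            ok = ctx.sender == VAULT          # flawed: true for anything the vault calls
        if not ok:
            raise PermissionError(f"withdraw denied for caller {ctx.caller}")
        if amount > self.reserves.get(asset, 0):
            raise ValueError("insufficient reserve")
        self.reserves[asset] -= amount

    def swap_x_for_y(self, token):
        if token.name not in self.approved:
            raise PermissionError("token not approved")
        # The vault invokes the token's transfer while acting under its own identity.
        token.transfer(self, Ctx(sender=VAULT, caller=VAULT))


def simulate(require_review, check_caller):
    """Return (outcome, remaining STX reserve) for one self-listing followed by a swap."""
    vault = Vault({"STX": 1_000}, require_review, check_caller)
    token = CallbackToken("self-listed-token", "STX", 1_000)
    try:
        vault.set_approved_token(token)
        vault.swap_x_for_y(token)
        outcome = "swap completed"
    except PermissionError as exc:
        outcome = str(exc)
    return outcome, vault.reserves["STX"]


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (False, True)]:
        print(flags, simulate(*flags))
```

Either control alone keeps the reserve intact in this model; a review gate stops the token from being approved, and a caller-based check rejects the nested withdrawal even after approval.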
Why Self-Listing Logic Was Vulnerable to Attackers
The Alex Protocol exploit was the result of a combination of smart contract design flaws, insufficient token verification, and limitations of the Stacks infrastructure. The case highlights the need for comprehensive audits and rigorous listing procedures for DeFi platforms 1 2 3 .
Alex Protocol’s self-listing logic was vulnerable because it lacked strict verification and validation of new tokens that could be added to the protocol without proper auditing and control.
This allowed the attacker to create and implement a malicious token with a modified transfer function, which was given enhanced access rights within the protocol via a self-listing mechanism. As a result, internal smart contracts mistakenly accepted calls from this token as legitimate, which allowed the attacker to freely withdraw liquidity from pools [according to the incident description].
The main reason for the vulnerability is insufficient verification and the lack of restrictions on adding new tokens, which violates the basic principles of security: integrity and control of access to funds. In addition, the features of the Stacks blockchain infrastructure did not allow for the correct processing of failed transactions, which further facilitated the bypass of protective mechanisms.
Thus, it was the lack of comprehensive verification and control during self-listing that made this mechanism vulnerable to exploitation by attackers, which led to a major exploit worth over $8 million.
How the aftermath of the previous May hack has affected the protocol’s security measures
The available sources give no direct information on how exactly the aftermath of the May hack has affected Alex Protocol’s security measures. However, based on known facts and standard practices in the DeFi industry, some reasonable conclusions can be drawn.
Following the May 2024 hack, in which attackers gained access to internal private keys and withdrew $4.3 million from the platform, the Alex Protocol team likely took the following steps to strengthen security:
- Increased control over private keys and infrastructure: The incident exposed a vulnerability in key management, which typically leads to revisions to storage and access procedures, implementation of multi-factor authentication and hardware security modules.
- Increased smart contract audits and reviews: After a major incident, DeFi protocols typically conduct deeper and more frequent audits to identify potential vulnerabilities, especially in critical components like the cross-chain bridge.
- Implementation of monitoring and analytics: Cooperation with blockchain analysts (e.g. ZachXBT) after the May attack indicates an increased focus on monitoring suspicious transactions and quickly responding to incidents.
- Increased transparency and communication with users: The promise to fully compensate victims and promptly communicate compensation indicates a commitment to rebuilding trust and improving community engagement.
Thus, the aftermath of the May hack likely served as a catalyst for reviewing and strengthening security measures at Alex Protocol. However, given the repeated exploit in June, it can be assumed that some systemic vulnerabilities and organizational weaknesses have not yet been fully addressed.
If more detailed reports are published from the Alex Protocol team, they will be able to provide an accurate picture of the specific security policy changes and technical improvements made since the May incident.
What steps is the Alex Protocol team taking to prevent similar attacks in the future?
The Alex Protocol team is taking several key steps to prevent similar attacks in the future:
- Publishing a detailed technical report on the reasons behind the latest attack and security measures, promoting transparency and understanding of the protocol’s vulnerabilities 1 .
- Actively collaborating with security analysts and blockchain experts to identify and fix vulnerabilities, as well as track suspicious activity and stolen assets 1 .
- Implementing stricter verification and control procedures when listing tokens to eliminate the possibility of adding malicious or incorrectly implemented tokens through the self-listing mechanism (taking into account the identified vulnerability) 1 .
- Strengthening audits of smart contracts and infrastructure, especially in critical components such as cross-chain bridges and permissions management mechanisms, to minimize the risks of replay exploits 1 .
- Developing and implementing a notification and compensation system for users, which allows for prompt response to incidents and maintains community trust 1 .
- Enhancing monitoring and incident response capabilities, including the use of on-chain analytics and collaboration with security experts, to help quickly detect and block suspicious transactions 1 .
As such, the Alex Protocol team aims to strengthen the protocol’s security in a comprehensive manner, combining technical improvements, auditing, transparency, and community engagement to reduce the likelihood of similar attacks happening again.
How USDC Refunds Will Help Restore User Trust in the Platform
USDC reimbursement helps restore user confidence in Alex Protocol for several key reasons:
- USDC Stability and Transparency: USDC is one of the largest and most transparent stablecoins, fully backed by USD reserves and short-term Treasury bonds. The issuing company, Circle, regularly publishes independent audit reports, giving users confidence that each USDC token can be exchanged for a dollar at a rate of 1:1 1 2 6 .
- Regulated and Trusted Issuer: Circle has received a trust charter from US regulators, increasing the level of trust among institutional and retail investors in USDC as a payment instrument integrated into traditional financial systems 1 .
- Volatility Protection: Unlike many crypto assets, USDC is not subject to large price fluctuations, allowing affected users to retain the value of their refunded funds without the risk of loss due to market volatility 6 .
- Fast and convenient conversion: USDC is widely supported on most crypto exchanges and DeFi platforms, making it easy to access funds and use or withdraw them 6 7 .
- Positive signal for the community: The promise to pay compensation in USDC demonstrates the responsibility of the Alex Protocol team and its desire to minimize user losses, which helps build trust and reduce panic in the community.
Therefore, using USDC for compensation is not just a technical solution, but an important step that provides stability, transparency and convenience for users, helping to restore their trust in the platform after a major incident.
How USDC Refunds Will Strengthen User Confidence in Platform Stability
USDC reimbursement will strengthen user confidence in the stability of the Alex Protocol platform for the following reasons:
- USDC Price Stability: USDC is a stablecoin pegged 1:1 to the US dollar, providing a hedge against crypto market volatility and keeping the value of the funds exchanged constant for users 1 2 3 .
- Transparency and reliability of the issuer: Circle, the company that issues USDC, holds 100% of its reserves in liquid assets – cash and short-term US Treasury bonds, undergoing regular independent audits. This increases the credibility of USDC as a reliable digital asset 1 3 8 .
- Fast liquidity and wide support: USDC is supported by most crypto exchanges and DeFi platforms, allowing affected users to easily convert their refunds into other assets or withdraw to fiat 9 10 .
- Crisis Resilience: Despite past stress tests (such as the 2023 Silicon Valley Bank crisis), Circle has responded quickly and maintained USDC’s peg to the dollar, proving the stability and reliability of the stablecoin 2 4 .
- Positive signal for the community: Paying compensation in USDC demonstrates the responsibility and willingness of the Alex Protocol team to minimize user losses, which helps restore trust and reduce panic 5 .
Thus, USDC reimbursement provides users with confidence in the safety of their funds, reduces the risks associated with market volatility, and maintains the stability of the platform, which is an important factor in restoring and strengthening trust in Alex Protocol.
- https://vc.ru/crypto/1077473-usd-coin-usdc-chto-eto-obzor-konkurenta-tether
- https://yellow.com/ru/research/usdt-usdc-%D0%B8-%D0%B7%D0%B0-%D0%B8%D1%85-%D0%BF%D1%80%D0%B5%D0%B4%D0%B5%D0%BB%D0%B0%D0%BC%D0%B8-%D0%BF%D1%80%D0%B8%D0%BD%D1%8F%D1%82%D0%B8%D0%B5-%D0%B8-%D1%80%D0%B5%D0%B3%D1%83%D0%BB%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5-%D1%81%D1%82%D0%B0%D0%B1%D0%B8%D0%BB%D1%8C%D0%BD%D1%8B%D1%85-%D0%BC%D0%BE%D0%BD%D0%B5%D1%82-%D0%BF%D0%BE-%D0%B2%D1%81%D0%B5%D0%BC%D1%83-%D0%BC%D0%B8%D1%80%D1%83-%D0%B2-2025-%D0%B3%D0%BE%D0%B4%D1%83
- https://sergeytereshkin.ru/blog/prognoz-kursa-usd-coin-usdc-na-may-2025-goda
- https://quote-spy.online/analytics/articles/crypto/vosstanovlenie_usdc_uroki_dlya_steyblkoinov_na_fone_finansovoy_nestabilnosti_6138.html
- https://www.mexc.com/ru-RU/learn/article/building-a-security-fortress-how-mexc-achieves-full-coverage-protection-from-risk-prevention-to-trading-safeguards/1
- https://yellow.com/ru/news/circle-%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%D0%B0%D0%B5%D1%82-%D0%BF%D1%80%D0%BE%D1%82%D0%BE%D0%BA%D0%BE%D0%BB-%D0%B2%D0%BE%D0%B7%D0%B2%D1%80%D0%B0%D1%82%D0%B0-%D0%BD%D0%B0-%D0%BE%D1%81%D0%BD%D0%BE%D0%B2%D0%B5-%D1%81%D0%BC%D0%B0%D1%80%D1%82-%D0%BA%D0%BE%D0%BD%D1%82%D1%80%D0%B0%D0%BA%D1%82%D0%BE%D0%B2-%D0%B4%D0%BB%D1%8F-%D1%81%D1%82%D0%B0%D0%B1%D0%B8%D0%BB%D1%8C%D0%BD%D0%BE%D0%B9-%D0%BC%D0%BE%D0%BD%D0%B5%D1%82%D1%8B-usdc
- https://quote-spy.online/analytics/articles/crypto/usdc_vosstanavlivaet_paritet_posle_obvala_uroki_i_riski_4619.html
- https://www.bitget.com/ru/news/detail/12560604575480
- https://learn.bybit.com/ru/altcoins/a-beginners-guide-what-is-usd-coin-and-how-does-it-work
- https://adpass.ru/chto-takoe-stejblkoin/
- https://www.moneytimes.ru/news/trust-charter-approval/71977/
- https://sergeytereshkin.ru/blog/prognoz-kursa-usd-coin-usdc-na-may-2025-goda
- https://quote-spy.online/analytics/articles/crypto/vosstanovlenie_usdc_uroki_dlya_steyblkoinov_na_fone_finansovoy_nestabilnosti_6138.html
- https://www.binance.com/ru/square/post/297749
- https://cryptomus.com/ru/blog/sui-price-stuck-under-4-as-223m-cetus-hack-sparks-market-concerns-news
- https://blog.mexc.com/ru/what-is-usdc/
- https://vc.ru/id4843980/2016941-kak-perevesti-usdc-v-rossii
- https://www.kraken.com/ru/wallet/usdc
- https://www.binance.com/ru/square/post/25307367790705
- https://ru.tradingview.com/news/forklog:6b29987c067b8:0/
- https://finway.com.ua/ru/defi-platforma-alex-protocol-poteryala/
- https://www.securitylab.ru/analytics/545702.php
- https://www.privacyaffairs.com/ru/ddos-attacks-deep-dive/
- https://www.securitylab.ru/analytics/551949.php
- https://ru.wikipedia.org/wiki/Tor
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%92%D1%80%D0%B5%D0%B4%D0%BE%D0%BD%D0%BE%D1%81%D0%BD%D0%B0%D1%8F_%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0_(%D0%B7%D0%BB%D0%BE%D0%B2%D1%80%D0%B5%D0%B4)
- http://www.cryptopro.ru/sites/default/files/docs/csp40/UserGuide40R4.pdf
- https://nevacert.ru/files/med_reestr_v2/22243_instruction.pdf
- https://naukaip.ru/wp-content/uploads/2025/05/MOH-228-2.pdf
- https://www.protokols.ru/WP/wp-content/uploads/2006/01/rfc4271.pdf
- https://ptsecurity.com/ru-ru/research/analytics/ogo-kakaya-ib/
- https://www.sut.ru/new_site/images/blocks/1736767023.pdf
- http://council.gov.ru/activity/meetings/156555/transcript/
- https://www.adm-gapkinskoe.ru/images/news/2024/12_December/01/eko_vestnik.pdf
- https://spec-nwb.rgup.ru/rimg/Nauka/Seminar%20and%20conf/09.02.2024/Zashchita%20Prav_i_Zakonnyh_Interesov_Poterpevshego_v_Ugolovnom_Sudoproizvodstve.pdf
- https://n-novgorod.fas.gov.ru/news/17361
- https://www.murmanarchiv.ru/exhibitions-events/34?layout=blog&start=125
- https://vgatu.ru/wp-content/uploads/docs/nauka/sborniki-trudov/2024/sovremennye_problemy_prirodopolzovaniya__ohotovedeniya_2023.pdf
- https://t.me/s/imotvet?before=16859
- https://www.gubkin.ru/departaments/scientific_activity/sno/meropriatia/Oilgas/Tom2.pdf
- https://pt-corp.storage.yandexcloud.net/upload/corporate/ru-ru/analytics/positive-research-2023-rus.pdf
- https://samag.ru/archive/article/258
- https://kfilial.mggeu.ru/wp-content/uploads/2021/02/Partyka-T.L.-Popov-I.I.-Informatsionnaya-bezopasnost.pdf
- https://studfile.net/preview/11490530/page:4/
- https://library.kuzstu.ru/dl.php?n=237352.pdf&type=nstu%3Acommon
- https://ftp.zhirov.kz/books/IT/%D0%98%D0%98/%D0%9D%D0%B0%D0%B4%D0%B5%D0%B6%D0%BD%D0%BE%D1%81%D1%82%D1%8C%20%D0%BD%D0%B5%D0%B9%D1%80%D0%BE%D0%BD%D0%BD%D1%8B%D1%85%20%D1%81%D0%B5%D1%82%D0%B5%D0%B9%20-%20%D1%83%D0%BA%D1%80%D0%B5%D0%BF%D0%BB%D1%8F%D0%B5%D0%BC%20%D1%83%D1%81%D1%82%D0%BE%D0%B9%D1%87%D0%B8%D0%B2%D0%BE%D1%81%D1%82%D1%8C%20%D0%98%D0%98%20%D0%BA%20%D0%BE%D0%B1%D0%BC%D0%B0%D0%BD%D1%83%20(%D0%9A%D1%8D%D1%82%D0%B8%20%D0%A3%D0%BE%D1%80%D1%80).pdf
- https://www.vstu.ru/upload/iblock/262/26201d1018787804cf3aead939c47bb2.pdf
- https://kr-labs.com.ua/books/Kali_Linux_ot_razrabotchikov.pdf
- http://www.cbr.ru/Collection/Collection/File/49041/ar_2023.pdf
- http://www.spiiras.nw.ru/dissovet/wp-content/uploads/2017/05/disertbirichevskij.pdf
- https://www.guardrail.ai/blog/alex-protocol-hack-june-2025
- https://www.halborn.com/blog/post/explained-the-alex-protocol-hack-june-2025
- https://www.theblock.co/post/357368/stacks-based-alex-lab-to-reimburse-users-after-8-3-million-exploit-as-token-drops-45
- https://coinsbench.com/early-findings-how-a-verification-bug-led-to-the-8m-alex-protocol-exploit-4378f4c1ac52
- https://cointelegraph.com/news/bitcoin-defi-platform-alex-protocol-loses-8-3m-to-exploit
- https://cryptorank.io/news/feed/aba67-alex-protocol-loses-8-3m-in-major-exploit-vows
- https://cryptorank.io/ru/news/feed/aba67-alex-protocol-loses-8-3m-in-major-exploit-vows
- https://www.bitcoinsensus.com/news/alex-protocol-8-37m-exploit/
- https://coinstats.app/news/9058d7df71cff403d196112b125ac8b601280aacde93ba40a1cf578d543f1d54_Alex-Protocol-Loses-83M-in-Major-Exploit-Vows-Full-Reimbursement/
- https://blog.immunebytes.com/2025/06/11/security-time-machine-may-june-2025-blockchain-hacks-report/
- https://negg.blog/en/alex-protocol-loses-83-million-in-defi-bitcoin-exploit-on-stacks/
- https://www.binance.com/en/square/post/06-07-2025-alex-protocol-faces-significant-loss-due-to-security-flaw-25277754272705
- https://www.panewslab.com/en/articles/0dqi2dpd5gp0
- https://en.coinotag.com/alex-protocol-faces-possible-8-37m-loss-in-hack-exploiting-security-flaw-on-stacks/
- https://bingx.com/ru-ru/news/27706/
- https://blockchair.com/news/alex-protocol-attack-hacker-distributes-stolen-stx-via-9700-transactions—d5e6942448
- https://www.onesafe.io/blog/alex-protocol-exploit-lessons-in-defi-security
- https://unchainedcrypto.com/alex-lab-to-reimburse-users-after-8-3m-exploit/
- https://www.halborn.com/blog/post/month-in-review-top-defi-hacks-of-june-2025
- https://x.com/ALEXLabBTC/status/1932997079237857729
- https://cointelegraph.com/news/bitcoin-defi-platform-alex-protocol-loses-8-3m-to-exploit
- https://cryptorank.io/ru/news/feed/aba67-alex-protocol-loses-8-3m-in-major-exploit-vows
- https://negg.blog/en/alex-protocol-loses-83-million-in-defi-bitcoin-exploit-on-stacks/
- https://forklog.com/news/alex-lab-vozmestit-ubytki-posle-vzloma-na-8-3-mln
- https://www.xt.com/ur/blog/post/alex-protocol-launches-treasury-grant-to-reimburse-over-8-million-in-losses
- https://www.bitget.com/news/detail/12560604803415
- https://invezz.com/news/2024/06/25/defi-protocol-alex-labs-suspects-lazarus-groups-involvement-in-4m-hack/
- https://cryptorank.io/news/feed/01efd-defi-protocol-alex-lab-4-million-hack-linked-to-lazarus-group
- https://www.bitget.com/news/detail/12560604801384
- https://bingx.com/ru-ru/news/27706/
- https://www.guardrail.ai/blog/alex-protocol-hack-june-2025
- https://www.binance.com/en/square/post/25296829820865
- https://www.binance.com/en/square/post/25299737587314
- https://www.vibraniumaudits.com/post/alex-protocol-hit-by-major-exploit-8-3-million-in-assets-stolen
- https://www.binance.com/en/square/post/25322676499001
- https://coinfomania.com/alex-labs-confirms-major-security-breach-suspends-platform-operations-and-launches-full-investigation-into-multi-asset-hack/
- https://www.bitget.com/news/detail/12560604804348
- https://www.tradingview.com/news/cointelegraph:7454908fb094b:0-bitcoin-defi-platform-alex-protocol-loses-8-3m-to-exploit/
- https://coinstats.app/news/04c8a307ef54a8329d00c77ba4563937e63f56e6c55eef54d7237c8271648bb2_ALEX-Labs-Confirms-Major-Security-Breach,-Suspends-Platform-Operations,-and-Launches-Full-Investigation-Into-Multi-Asset-Hack/
- https://www.halborn.com/blog/post/month-in-review-top-defi-hacks-of-june-2025
