- Blockbasis
- Posts
- AlexLab: Unraveling the $4.3 Million Private Key Breach
AlexLab: Unraveling the $4.3 Million Private Key Breach
Investigating the $4.3 Million Private Key Breach, Recovery Efforts, and Lessons Learned in Private Key Storage
Blockbasis
May 21, 2024
TL;DR
Investigating the $4.3 million breach at ALEXLAB, where compromised private keys led to a significant loss. Recovery efforts underway, with partial assets retrieved and funds frozen. Proposed solutions include treasury grants and token re-issuance. Delayed disclosure raises concerns. Lessons highlight the importance of robust security measures, especially around storing private keys
Make Sure This Hack Doesn’t Happen To You 🫵
Subscribe to Blockbasis and get access to our premium scanner to check whether your wallet or a contract is safeguarded from hacks 🔐
For a limited period only, you can get a 7 day FREE trial!
Tried to scan your wallet for any exploited contracts connected to your wallet?
If not, you probably should. Better be safe than sorry 🙏
— Blockbasis (@Blockbasis)
1:19 PM • May 6, 2022
All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇
In a recent incident, another private key fell victim to compromise, impacting the operations of AlexLab, a self-proclaimed financial layer on the Bitcoin network. The breach, resulting from a compromised private key, triggered a $4.3 million exploit on AlexLab’s XLink bridge within the BNB network.
Alerted by Certik on May 14th, suspicions arose regarding a transaction affecting AlexLab, with initial indicators hinting at a private key breach.
#CertiKInsight 🚨
We have seen a suspicious transaction affecting @ALEXLabBTC
Initial evidence points to a possible private key compromise.
Deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b upgrades to a suspicious implementation.
In total ~$4.3m worth of assets have… x.com/i/web/status/1…
— CertiK Alert (@CertiKAlert)
5:24 PM • May 14, 2024
However, it wasn't until the following day that AlexLab officially acknowledged the exploit. They disclosed that the misappropriated Alex Assets had been transferred by the exploiter to major exchanges, where the assets were promptly frozen.
In response to the breach, AlexLab initiated a bounty equivalent to 10% of the stolen funds, setting a deadline of May 18th at 0800 UTC for submissions.
The delay in making an official announcement raises questions about the timing of their response to the exploit.
Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.
The AlexLab team recently became aware of the significant exploit, stemming from compromised private keys acquired through a phishing attack. In their official security update, they underscored the targeted nature of the attack, where the exploiter assumed control as the administrator of a vault linked to the ALEX liquidity pool.
With control over the vault keys, the attacker executed substantial transactions, siphoning off approximately 13.7 million STX from the compromised reserves. Around 3 million of the pilfered STX were hastily funneled to various centralized exchanges, signaling a clear attempt to cash out.
Responding swiftly, the Alex team successfully recovered several assets, including aBTC, sUSDT, xBTC, xUSD, ALEX, and atALEX, from the compromised vault. However, a significant portion of the stolen STX evaded interception by exchanges before they could freeze the assets.
Further analysis conducted by ImmuneBytes revealed that the Deployer address orchestrated four malicious upgrades to the proxy contract associated with AlexLabs. These upgrades resulted in the alteration of the endpoint contract address for the bridge to unverified bytecode, exacerbating the security breach.
Attacker address: 0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E
Within an hour after the upgrade, the following withdrawals were made under these attack transactions.
Attack Transaction
1: 0x94746d33792aeb27d2066b6d8f3c8a8c7410fe15c9500059f35e0b21c9bfb416
Attack Transaction
2: 0x47e123af93add709bc2516f6a5db057dfbb1d66a75b693cd7980cd3eb28c7357
A total of $4.3 million worth of digital assets were transferred to the following addresses.
Stolen Funds sent to Address
1: 0xA747aF2a527E72cE303353b458a1c51eBCd53188
Stolen Funds sent to Address
2: 0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E
A sum of $4.3 million in digital assets found its way into two distinct addresses:
Address 1: 0xA747aF2a527E72cE303353b458a1c51eBCd53188
Address 2: 0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E
Efforts to recover a portion of the pilfered funds are underway, with one centralized exchange (CEX) identified as holding some of the assets in question. AlexLab is actively engaging with various other CEXs in a bid to retrieve additional funds. They have initiated discussions and shared forensic data with these platforms.
Recognizing the uncertainty surrounding the complete recovery of the stolen assets, AlexLab is considering leveraging reserves held by the AlexLab Foundation to establish a treasury grant program. This initiative aims to provide support to the community adversely affected by the attack.
In parallel, there's a proposal brewing within the AlexLab community suggesting the burning of unrecovered STX tokens held by the exploiter, followed by the issuance of fresh tokens to affected users. This strategy represents a last-ditch effort to mitigate the impact of the breach.
AlexLab is actively collaborating with relevant stakeholders on a comprehensive post-mortem report, which will be made available shortly.
We are currently working with all relevant parties on a detailed post-mortem report, which we will share with you very soon.
— ᛤ ALEX 🟧 THE Finance Layer on Bitcoin ᛤᛤᛤ (@ALEXLabBTC)
7:19 PM • May 15, 2024
Further investigations by ImmuneBytes and Chain Aegis have linked the attacker involved in this exploit to a previous attack on Mars Defi 412, involving a $100k price manipulation incident on April 16th.
Although AlexLab's Security Audit page underscores meticulous auditing and bug bounty programs, the breach underscores the vulnerability posed by compromised private keys. The critical question that looms large:
How did the attacker manage to acquire these coveted vault keys through phishing or other means?
Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter
The AlexLab team is facing a daunting task in unraveling the intricacies of the $4.3 million private key debacle. Despite efforts to recover assets and freeze funds, a substantial amount remains ensnared in the exploiter's clandestine wallets. Their proposed remedies, including treasury grants and token reissuance, signal a commitment to rectifying the impact on affected users.
However, these measures cannot fully erase the repercussions of lax operational security practices that facilitated the breach. The delayed disclosure of the exploit raises concerns, prompting scrutiny into the circumstances surrounding the incident. As investigators delve into potential phishing tactics or internal vulnerabilities, this episode emerges as a cautionary tale highlighting the dangers of mishandling private keys.
In the relentless landscape of the crypto realm, where one misstep can lead to devastating consequences, AlexLab's proactive approach must extend beyond audits and bug bounties. Implementing robust key management practices, such as multi-signature authentication, is imperative to fortify their defense against opportunistic attackers. Failure to do so risks exposing their purported "finance layer" to further exploitation by cunning adversaries, potentially with repeat offenses and varied attack vectors.
As the perpetual game of crypto cat-and-mouse persists, the question remains: Who will be the next target in this ongoing saga of security vulnerabilities and strategic maneuvering?