Alex Bridge Incident Analysis
5/16/2024

Introduction

On 14 May, CertiK's internal alerting system detected a suspicious transfer of $4.3 million worth of assets to a wallet on the Binance Smart Chain, along with a further 13.7 million STX (worth about $2 million) transferred to a malicious address. The project has since confirmed that the incident was caused by a compromise of its deployer private key. The funds on BSC were front-run by a white hat wallet that has since begun negotiating their return to the project. At the time of writing, the affected funds total $6.3 million.

Event Summary

CertiK detected the externally owned address (EOA) 0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E receiving $4.3 million worth of assets from contract 0xb3955302E58FFFdf2da247E999Cd9755f652b13b. Looking up this contract shows that it is labelled as an Endpoint contract.

[Image: Alex1]

However, the subsequent on-chain messaging between the deployer and 0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E, which we explore below, indicates that this transaction was a white hat rescue. The transfer followed a series of upgrades to the contract by the deployer of the Alex Endpoint, indicating that the exploit stemmed from a private key compromise. In total, EOA 0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E received $4.3 million worth of assets in the following transaction:

[Image: Alex2]

The attack also affected funds on Stacks, a layer 2 built on Bitcoin, to the value of approximately $2 million. Here we can see the deployer of the Alex-Vault initiating a transaction that transfers a large amount of STX to a malicious address.

[Image: Alex3]

The STX was then distributed across a number of malicious wallets, with some of it deposited into centralized exchanges.

The Failed Attack

Part of this attack, namely the portion on BSC and Ethereum carried out by EOA 0x3e8C9490687dFC26c5621dd63CE9C3d415b405ed, can be categorized as a complete failure. The wallet's on-chain activity makes clear that it attempted to steal the $4.3 million held in the BSC Endpoint and the approximately $5 million held in the Ethereum Endpoint.

The attacker was initially funded through ChangeNOW on Ethereum and bridged a portion of the funds to the Binance Smart Chain. Following this, the deployer wallet of the Alex BSC Endpoint upgraded proxy 0xb3955302E58FFFdf2da247E999Cd9755f652b13b to a new implementation.

[Image: Alex4]

The compromised deployer wallet then pushed two further upgrades to the same proxy. After each upgrade the original attacker attempted to call withdraw to drain the BSC Endpoint, and every attempt failed. Lining up the transactions of the original attacker and the compromised deployer shows the sequence of upgrades and failed withdrawals.

[Image: Alex5]

The white hat noticed the first two attempts, and on the third attempt, at 16:44:03, EOA 0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E paid a 1.5 BNB transaction fee to ensure their withdrawal was ordered ahead of the original attacker's.

[Image: Alex6]

This indicates that the attacker was unprepared: the malicious implementation contained no access control on withdraw, so anyone could drain the funds held in the Endpoint. The attacker also attempted to withdraw funds from the Ethereum Endpoint, but the team had already changed ownership of the targeted contract, and those funds were unaffected.
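The sequence above (rogue upgrade, failed withdraw attempts, then a higher-fee withdraw landing first in the same block) is visible entirely from on-chain data. The following Python is an added example, not CertiK's alerting code and not anything from the Alex project: it decodes the `Upgraded(address)` logs an ERC-1967 proxy emits, flags any implementation not on an allow-list, and correlates the withdraw calls that follow to determine who actually drained the contract and whether a same-block front-run took place. Only the proxy, attacker and white hat addresses come from this write-up; the deployer and implementation addresses, block numbers, gas figures and the log/transaction records are constructed to mirror the described sequence, and the withdraw selector is an assumption.

```python
"""Added example (not CertiK's tooling): reconstruct an upgrade-then-drain
pattern on an EIP-1967 proxy from Upgraded(address) logs and tx records.
Addresses other than the proxy, attacker and white hat are constructed."""
from typing import Dict, List, Optional, Set

# keccak256("Upgraded(address)"): the event an ERC-1967 proxy emits on every upgrade.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
# keccak256("withdraw()")[:4]. Assumption: the malicious implementation's real
# withdraw signature is not given in the write-up, so a bare withdraw() is used.
WITHDRAW_SELECTOR = "0x3ccfd60b"

PROXY = "0xb3955302E58FFFdf2da247E999Cd9755f652b13b".lower()
ATTACKER = "0x3e8C9490687dFC26c5621dd63CE9C3d415b405ed".lower()
WHITE_HAT = "0x27055aE433E9DCb30f6EbCC1A374Cf5CC03C484E".lower()
TRUSTED_IMPLS: Set[str] = {"0x" + "11" * 20}                   # constructed: the audited implementation
MALICIOUS_IMPLS = ["0x" + b * 20 for b in ("aa", "bb", "cc")]  # constructed: the three rogue upgrades

def upgraded_log(block: int, index: int, impl: str) -> Dict:
    """Shape of an Upgraded(address) log: topics[1] is the new implementation, left-padded to 32 bytes."""
    return {"address": PROXY, "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + impl[2:]],
            "blockNumber": block, "transactionIndex": index}

def withdraw_tx(block: int, index: int, sender: str, gas_price_gwei: int, gas_used: int, status: int) -> Dict:
    """Receipt-style record of a call to the proxy (status 1 = success, 0 = revert)."""
    return {"to": PROXY, "from": sender, "input": WITHDRAW_SELECTOR, "blockNumber": block,
            "transactionIndex": index, "gasPrice": gas_price_gwei * 10**9,
            "gasUsed": gas_used, "status": status}

# Constructed timeline: three rogue upgrades, an attacker withdraw failing after each,
# then the white hat landing a withdraw ahead of the attacker in the same block.
LOGS = [upgraded_log(100, 7, MALICIOUS_IMPLS[0]),
        upgraded_log(103, 2, MALICIOUS_IMPLS[1]),
        upgraded_log(106, 4, MALICIOUS_IMPLS[2])]
TXS = [withdraw_tx(101, 3, ATTACKER, 5, 60_000, 0),
       withdraw_tx(104, 9, ATTACKER, 5, 60_000, 0),
       withdraw_tx(107, 0, WHITE_HAT, 15_000, 100_000, 1),  # 15000 gwei * 100k gas = 1.5 BNB fee
       withdraw_tx(107, 1, ATTACKER, 5, 60_000, 0)]

def impl_from_topic(topic: str) -> str:
    """Recover the 20-byte address from a 32-byte indexed event topic."""
    return "0x" + topic[-40:].lower()

def untrusted_upgrades(logs: List[Dict], proxy: str, trusted: Set[str]) -> List[Dict]:
    """Every Upgraded event on `proxy` whose new implementation is not on the allow-list."""
    hits = []
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["transactionIndex"])):
        if log["address"].lower() != proxy or not log["topics"] or log["topics"][0] != UPGRADED_TOPIC:
            continue
        impl = impl_from_topic(log["topics"][1])
        if impl not in trusted:
            hits.append({"blockNumber": log["blockNumber"], "impl": impl})
    return hits

def withdraw_calls(txs: List[Dict], proxy: str) -> List[Dict]:
    """Calls hitting the withdraw selector on `proxy`, in canonical chain order."""
    calls = [t for t in txs if t["to"].lower() == proxy and t["input"].lower().startswith(WITHDRAW_SELECTOR)]
    return sorted(calls, key=lambda t: (t["blockNumber"], t["transactionIndex"]))

def fee_bnb(tx: Dict) -> float:
    """Fee actually paid, in BNB (gasPrice is in wei)."""
    return tx["gasPrice"] * tx["gasUsed"] / 10**18

def detect_frontrun(calls: List[Dict]) -> Optional[Dict]:
    """First successful withdraw plus, if present, a different sender's failed withdraw
    that landed behind it in the same block. Chain data cannot show submission order,
    so this is the on-chain signature of a front-run, not proof of intent."""
    for i, tx in enumerate(calls):
        if tx["status"] != 1:
            continue
        losers = [t for t in calls[i + 1:]
                  if t["blockNumber"] == tx["blockNumber"] and t["from"] != tx["from"] and t["status"] == 0]
        loser = losers[0] if losers else None
        return {"winner": tx["from"], "winner_fee_bnb": fee_bnb(tx),
                "loser": loser["from"] if loser else None,
                "loser_fee_bnb": fee_bnb(loser) if loser else None}
    return None

def analyse(logs: List[Dict], txs: List[Dict], proxy: str, trusted: Set[str]) -> Dict:
    """Correlate rogue upgrades with the withdraw attempts that followed them."""
    upgrades = untrusted_upgrades(logs, proxy, trusted)
    calls = withdraw_calls(txs, proxy)
    if upgrades:  # only withdraws after the first rogue upgrade are of interest
        calls = [c for c in calls if c["blockNumber"] > upgrades[0]["blockNumber"]]
    failed: Dict[str, int] = {}
    for c in calls:
        if c["status"] == 0:
            failed[c["from"]] = failed.get(c["from"], 0) + 1
    race = detect_frontrun(calls)
    return {"untrusted_upgrades": len(upgrades), "failed_attempts": failed,
            "drained_by": race["winner"] if race else None, "frontrun": race}

if __name__ == "__main__":
    for key, value in analyse(LOGS, TXS, PROXY, TRUSTED_IMPLS).items():
        print(f"{key}: {value}")
```

The first of these checks is the one worth wiring into an alerting rule: an `Upgraded` event on a proxy whose new implementation is not on the project's allow-list is actionable on its own, before any withdraw lands, and in this incident it fired three times before the funds moved.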

It is likely that EOA 0x3e8C9490687dFC26c5621dd63CE9C3d415b405ed and Stacks address SP2AS4QCQ81PJQ5HE3TJ6AJ554QX2YK14MFHT2VRS are controlled by the same threat actor, whose attack succeeded on Stacks but failed on the EVM chains.

Private Key Compromises

This is perhaps the first incident we have seen, certainly in a long time, in which an on-chain rescue followed a private key compromise, and it was possible mainly because of the attacker's lack of preparation. Nevertheless, private key compromises continue to produce outsized losses compared to other attack vectors. In 2024 we have already seen 38 such incidents, a 153.3% increase over the same period in 2023, and it is highly likely that they will continue to account for a large share of losses throughout the rest of the year.

Conclusion

The incident affecting Alex is perhaps the first we have seen in which funds were successfully rescued on chain following a private key compromise. This is almost certainly down to a single attacker error: failing to restrict access to their malicious implementation. Based on the information provided by the Alex team, the attacker compromised the deployer wallets through a phishing attack. The incident is another reminder of how centralization risk, here a single deployer key able to upgrade the Endpoint, can lead to major losses when private keys are compromised. A CertiK audit outlines all centralization risks within scope and offers recommendations for fixing them.