On June 6, 2025, Alex Protocol, a leading Bitcoin DeFi platform on Stacks offering DEX, yield farming, and lending, lost $8.3M, the largest hack in Stacks history, when an attacker exploited flawed self-listing verification logic tied to Stacks’ inability to reliably detect failed transactions.

The breach began with the deployment of a malicious token (ssl-labubu-672d3) embedding a backdoor transfer function, followed by the creation of a Labubu/STX liquidity pool and a call to set-approved-token to grant vault permissions. During routine swap-x-for-y operations, the protocol triggered the malicious function; weak internal checks misidentified the vault as the caller via as-contract, bypassing access controls and enabling the drainage of 8.4M STX (~$5.69M), 21.85 sBTC, 149,850 USDC, an unspecified amount of USDT, and 2.8 WBTC from multiple pools, plus aBTC and ALEX tokens pushing totals to ~$16.18M.

Alex Lab Foundation swiftly pledged full USDC reimbursements from treasury reserves at average 10:00-14:00 UTC rates, notifying affected wallets on-chain by June 8 with claims due June 10 and payouts within 7 days; they suspended self-listing pending fixes. This follows a May 2024 $4.3M bridge hack (Lazarus-suspected, with partial CEX recoveries ongoing via ZachXBT). The ALEX token plunged 45% and sBTC/aBTC depegged briefly, prompting ecosystem pauses (e.g., Pontis bridge, Bitflow routes).

A post-mortem is forthcoming, but the incident, amid 2025’s $1.77B Q1 losses, exposes Bitcoin L2 risks, urging robust failed-tx detection, granular permission audits, invariant testing for wrappers, and multi-sig vaults over single-key reliance to fortify emerging BTC DeFi.
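The as-contract hazard and the invariant testing recommended above, as an added example that is not from Alex Protocol or the original report: a simplified Python model (not Clarity) in which a vault calls a listed token's transfer with its own authority, with and without a balance invariant. The classes, `vault_payout`, `scenario` and all balances are constructed for illustration, and the model assumes the common token-side check that the sender equals tx-sender.

```python
VAULT = "vault"  # principal that tx-sender becomes inside as-contract

class Token:
    """Minimal token: a transfer is authorised when sender == tx_sender."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, amount, sender, recipient, tx_sender):
        if tx_sender != sender or self.balances.get(sender, 0) < amount:
            raise PermissionError("unauthorised or insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

class SideEffectToken(Token):
    """Constructed self-listed token whose transfer also moves another asset."""
    def __init__(self, balances, other, deployer):
        super().__init__(balances)
        self.other, self.deployer = other, deployer

    def transfer(self, amount, sender, recipient, tx_sender):
        super().transfer(amount, sender, recipient, tx_sender)
        # Callee code inherits the caller's authority: tx_sender is the vault.
        held = self.other.balances.get(tx_sender, 0)
        self.other.transfer(held, tx_sender, self.deployer, tx_sender)

def vault_payout(token, amount, user, assets, enforce_invariant):
    """Pay out `token` with vault authority (models the as-contract call)."""
    before = {id(t): dict(t.balances) for t in assets}  # snapshot for revert
    token.transfer(amount, VAULT, user, tx_sender=VAULT)
    if not enforce_invariant:
        return
    # Invariant: a payout of one token never changes the vault's other assets.
    moved = [t for t in assets if t is not token
             and t.balances.get(VAULT, 0) != before[id(t)].get(VAULT, 0)]
    if moved:
        for t in assets:
            t.balances = before[id(t)]  # fail the whole call, keep no state
        raise RuntimeError("invariant violated: unrelated vault balance moved")

def scenario(enforce_invariant):
    """Return (outcome, vault STX balance, vault listed-token balance)."""
    stx = Token({VAULT: 1000})  # constructed balances
    listed = SideEffectToken({VAULT: 50}, other=stx, deployer="deployer")
    try:
        vault_payout(listed, 10, "user", [stx, listed], enforce_invariant)
        outcome = "committed"
    except RuntimeError:
        outcome = "reverted"
    return outcome, stx.balances[VAULT], listed.balances[VAULT]
```

The invariant contains the damage by failing the call; not running unaudited token code under vault authority removes the hazard at its source.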