ALEX protocol $8.37M exploit – the project reveals details of the attack, temporarily suspends self-listing, and guarantees full compensation of losses in USDC.
Detailed Breakdown of ALEX Protocol Losses
The incident was recorded on 6 June, and the project reported it immediately. Despite the rapid detection, the losses still amounted to $8.37M:
At the same time, ALEX Lab Foundation promptly reassured users, stating that it would cover 100% of the losses at the average on-chain rate between 10:00 UTC and 14:00 UTC on 6 June 2025.
In fact, this is a good move, because it was precisely the immediate detection and transparent investigation in the Bybit case that enabled it to restore its balance and even liquidity at record speed. However, whereas in the Bybit incident, the platform itself remained secure and the breach occurred at a third-party service, ALEX Protocol is not in as favorable a position.
More specifically, the technical details currently disclosed by ALEX Lab Foundation indicate that the attacker exploited a flaw in the verification logic of the self-listing function. By referencing a failed transaction, the check was bypassed, and the malicious token gained access to the liquidity pools, while the root cause is linked to a current limitation of Stacks – the inability to detect failed transactions reliably.
After the incident the developers promptly patched the vulnerability, suspended self-listing for a comprehensive security review, and continued to collaborate with partners to trace the assets and refine the loss assessment. A full post-mortem will be published after the investigation is completed.
Conclusion
Another unpleasant security incident in DeFi. In fact, it is rather predictable, because enormous volumes of liquidity flow every day, automatically making the attackers’ time and effort worthwhile.
This once again highlights that security in DeFi requires huge attention and the highest priority, which is essential for the reliable reputation of the entire industry.
