QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$16 180 000 USD
JUNE 2025
GLOBAL
ALEX LAB
DESCRIPTION OF EVENTS
The ALEX Lab Foundation is a non-profit organization committed to supporting the growth and governance of the ALEX decentralized finance (DeFi) protocol on the Bitcoin blockchain. Focused on advancing the future of Bitcoin-based DeFi, the foundation provides a suite of financial tools and services designed to bring decentralized trading, liquidity provision, staking, and token launches to users worldwide. With over $107 million in total value locked and more than $2.7 billion in transaction volume, ALEX demonstrates strong traction and an active user base exceeding 71,000 wallets.
The ALEX DeFi ecosystem offers a wide array of decentralized services. These include automated market maker (AMM) trading, staking options like farming and liquid staking, and cross-chain functionality through bridging. Additionally, ALEX features an order book secured by Bitcoin and a multichain launchpad for issuing and listing tokens across various blockchains. Users can stake assets for up to 9% APR while participating in campaigns and liquidity pools that generate consistent returns.
Backed by leading investors such as The Spartan Group, DWF Labs, and Trust Machines, ALEX Lab has gained significant recognition across media platforms like Bloomberg, CoinDesk, and Bitcoin Magazine. As a pivotal player in the emerging Bitcoin DeFi space, ALEX continues to build tools that empower users and developers alike to fully leverage decentralized finance on the world’s most secure blockchain.
Alex Lab has unfortunately suffered a private key breach in the past, and many of the services offered are inherently risky due to their reliance on new technologies.
The attack came despite audits by two professional security firms, Clarity Alliance and CoinFabrik, just weeks earlier. Both firms completed their reviews by mid-May 2025, assessing the protocol’s AMM contracts, liquidity mechanics, and core functions. They flagged various issues, including calculation errors and math inconsistencies, but neither identified a core design flaw in the vault’s permission logic, which either fell completely outside the scope of the audits or was added after their completion.
The attacker didn’t exploit a blockchain bug—they exploited ALEX’s reliance on automated token whitelisting and improperly scoped smart contract permissions. While Alex Lab framed the issue around broader infrastructure limitations, the real vulnerability was a misconfiguration of trust and control within their own protocol.
The recent exploit on ALEX Protocol was far more sophisticated—and damaging—than initially disclosed, with the real technical root stemming from weaknesses in ALEX’s own vault and permission systems, rather than a blockchain-level issue. While Alex Lab publicly attributed the exploit to an "on-chain limitation" of the Stacks blockchain—specifically, the inability to reliably detect failed transactions—the actual exploit took advantage of ALEX’s own smart contract architecture and token approval logic.
The attacker deployed a malicious token named ssl-labubu-672d3 with a custom, deceptive transfer function. By creating a legitimate-looking Labubu/STX liquidity pool, they were able to trigger ALEX's set-approved-token logic, which automatically granted permissions to the vault. The exploit escalated further when the attacker enabled farming by modifying the set-enable-farming flag—another function that should have been tightly controlled. This sequence gave the fake token the ability to interface with ALEX’s vault systems as if it were a trusted asset.
The actual drain occurred during a swap-x-for-y transaction. Due to how ALEX’s contracts used as-contract to call the token’s transfer function, the vault was misrepresented as the transaction origin. This allowed the malicious token’s code to execute transfers as if it were the vault itself, giving the attacker unrestricted access to withdraw assets. In a single transaction, the attacker emptied the vault—making off with over $16.18 million in STX, aBTC, sBTC, ALEX tokens, and sUSDT. Security researcher Nolan from Exvul later confirmed that this was not a failure of the Stacks blockchain, but a direct result of flawed permission logic and insufficient safeguards in ALEX’s vault design.
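The authority confusion described above, shown as an added toy model in Python; it is not ALEX's Clarity code and not part of the original write-up. It contrasts a vault that treats self-listed tokens as approved with one that does not, and every name in it (Chain, swap, untrusted_token_transfer, the principals and the 1000-unit balance) is constructed for illustration.

```python
from contextlib import contextmanager

class Chain:
    """Toy ledger modelling Clarity's tx-sender (constructed, not ALEX code)."""
    def __init__(self, sender):
        self.tx_sender = sender
        self.balances = {}  # (asset, principal) -> amount

    @contextmanager
    def as_contract(self, contract):
        # Like Clarity's as-contract: the body runs with tx-sender = contract.
        prev, self.tx_sender = self.tx_sender, contract
        try:
            yield
        finally:
            self.tx_sender = prev

    def transfer(self, asset, amount, sender, recipient):
        # Usual token rule: only tx-sender may move its own balance.
        if self.tx_sender != sender or self.balances.get((asset, sender), 0) < amount:
            raise PermissionError("not authorised")
        self.balances[(asset, sender)] = self.balances.get((asset, sender), 0) - amount
        self.balances[(asset, recipient)] = self.balances.get((asset, recipient), 0) + amount

def untrusted_token_transfer(chain, amount, sender, recipient):
    # Third-party token code: it runs with whatever authority tx-sender carries,
    # so it can move other assets held by the current tx-sender.
    held = chain.balances.get(("STX", chain.tx_sender), 0)
    chain.transfer("STX", held, chain.tx_sender, "deployer")

def swap(chain, approved, token_name, token_transfer, amount, user):
    # The vault pays out by calling the token's transfer under its own identity.
    if token_name not in approved:
        raise PermissionError("token not approved")
    with chain.as_contract("vault"):
        token_transfer(chain, amount, "vault", user)

def vault_stx_after_self_listing(auto_approve):
    chain = Chain(sender="lister")
    chain.balances[("STX", "vault")] = 1000  # constructed balance
    # Flawed design: creating a pool approves the token with no review.
    approved = {"untrusted"} if auto_approve else set()
    try:
        swap(chain, approved, "untrusted", untrusted_token_transfer, 1, "lister")
    except PermissionError:
        pass  # hardened path: unreviewed token code never runs as the vault
    return chain.balances[("STX", "vault")]
```

With automatic approval the vault's balance ends at zero after a single swap; with approval gated on explicit review the call is rejected before any token code runs under the vault's identity.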
The total affected assets were reported by Alex Lab:
• 8,403,867.57 STX
• 21.85 sBTC
• 149,850.00 aUSD
• 2.80 aBTC
STX: 8,403,867.57 STX → $5,691,255.93
sBTC: 21.85 sBTC → $2,244,751.87
USDC/USDT: 149,850 USDC/USDT → $149,850.00
WBTC/BTC: 2.80 WBTC → $287,369.33
Total USD Value Lost: $8,373,227.13
Reubs BTC was one of the first to note and publicly report the hack on Twitter/X. The user Crusader tallied up the total losses.
A post shortly thereafter by Alex Lab acknowledged the malicious activity. Alex Lab claimed their team was immediately taking action to contain the threat and prevent further damage. The team was described as working continuously and having temporarily suspended all platform operations to protect users. They reported actively collaborating with centralized exchanges to trace and potentially recover the stolen funds. ALEX Lab noted they were committed to transparency and planned to release a full post-mortem once investigations were complete.
Alex Lab has promised to reimburse all affected users through a new grant program. ALEX Lab launched a comprehensive Treasury Grant Program to fully reimburse affected users, committing to cover 100% of losses in USDC. They also paused the self-listing function and began a thorough security review while collaborating with security partners to trace the attacker and assess the full scope of the damage. Despite the setback, ALEX Lab emphasized transparency and user support, issuing detailed updates and expanding claim deadlines to ensure all victims could recover their funds.
Alex Lab has offered affected users a recovery under the following terms:
STX Holdings
• 100% coverage in USDC
• Exchange rate: 0.68 USDC per STX
sBTC Holdings
• 100% coverage in aBTC
• Exchange rate: 1 aBTC per sBTC
aBTC Holdings
• 75% returned as aBTC (original token)
• 25% converted to USDC at 102,734 USDC per aBTC
aUSD Holdings
• 91% returned as aUSD (original token)
• 9% converted to USDC at 1.00 USDC per aUSD
This recovery is available to all non-US citizens, non-sanctioned individuals, subject to complex legal terms.
The ALEX Protocol exploit continues to ripple through the DeFi community and the broader Bitcoin ecosystem. Trust in the protocol has been shaken, leading to increased scrutiny from users, investors, and security experts.
For ALEX Lab specifically, the incident means a renewed focus on rebuilding user confidence, enhancing security protocols, and reinforcing governance practices. It may also slow down innovation and adoption temporarily as users remain cautious and competitors highlight the exploit as a warning.
The ALEX Lab Foundation, a non-profit driving DeFi innovation on Bitcoin, suffered a major security breach in June 2025 due to a critical flaw in its smart contract permission logic, allowing an attacker to exploit its vault system and steal over $16 million in assets. Despite recent audits, the vulnerability went undetected, highlighting shortcomings in both internal security and external review. ALEX Lab responded by suspending operations, launching a full investigation, and committing to fully reimburse affected users through a Treasury Grant Program.
AlexLab - Rekt II - Rekt News (Jun 11)
Alex Lab - "The attacker exploited a flaw in verification logic in the self-listing function by referencing a failed transaction, allowing a malicious token to bypass checks and transfer funds from liquidity pools. The core issue stems from a current on-chain limitation, specifically the inability to reliably detect failed transactions on Stacks." - Twitter/X (Jun 11)
Alex Lab - "Following the security exploit on June 6, 2025, ALEX Lab has launched a comprehensive Treasury Grant Program to provide financial support to users who lost funds in the incident. ALEX remains committed to supporting its community and helping users recover during this challenging time." - Twitter/X (Jun 11)
Terms and Conditions of ALEX Protocol Exploit Treasury Grant Program (2025) - Alex Lab (Jun 11)
Reubs BTC - "Hold on tight friends, Looks like @ALEXLabBTC has been hacked" - Twitter/X (Jun 11)
Crusader - "@ALEXLabBTC just got hacked 62 $BTC, 8M $STX, 119m $Alex , $1.7M USDT Not again" - Twitter/X (Jun 11)
Alex Lab - "We are aware of the malicious activities at ALEX. Our team is working around the clock to contain the situation and mitigate further impact." - Twitter/X (Jun 11)
Alex Lab - "USDC reimbursements have begun. All eligible participants will receive their allocations in the coming days, in line with the terms and conditions of the Treasury Grant Program" - Twitter/X (Jun 11)
Alex Lab - "The only link for TGP claim is: https://app.alexlab.co Double check domain is absolutely correct." - Twitter/X (Jun 11)
Alex Lab - "Using the ALEX Lab Foundation treasury, we will cover 100 % of each affected user’s loss, paid in USDC. To calculate each reimbursement, we will use the average of on-chain exchange rates taken between 10:00 UTC and 14:00 UTC on June 6, 2025." - Twitter/X (Jun 11)
The Exploit Transaction - Hiro.So Explorer (Jun 11)
Block With Exploit Transaction - Mempool.space (Jun 11)
Block With Exploit Transaction - Blockchain.com (Jun 11)
Alex Lab LinkTree (Jun 11)
Alex Lab Homepage (Jun 11)
https://x.com/ALEXLabBTC/status/1931014419133169734 (Jun 16)
