Alex Lab Vault Permission Flaw Labubu Token Transfer Drain
The ALEX Lab Foundation, a non-profit driving DeFi innovation on Bitcoin, suffered a major security breach in June 2025 due to a critical flaw in its smart contract permission logic, allowing an attacker to exploit its vault system and steal over $16 million in assets. Despite recent audits, the vulnerability went undetected, highlighting shortcomings in both internal security and external review. ALEX Lab responded by suspending operations, launching a full investigation, and committing to fully reimburse affected users through a Treasury Grant Program.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]
About Alex Lab
The ALEX Lab Foundation is a non-profit organization committed to supporting the growth and governance of the ALEX decentralized finance (DeFi) protocol on the Bitcoin blockchain. Focused on advancing the future of Bitcoin-based DeFi, the foundation provides a suite of financial tools and services designed to bring decentralized trading, liquidity provision, staking, and token launches to users worldwide. With over $107 million in total value locked and more than $2.7 billion in transaction volume, ALEX demonstrates strong traction and an active user base exceeding 71,000 wallets.
The ALEX DeFi ecosystem offers a wide array of decentralized services. These include automated market maker (AMM) trading, staking options like farming and liquid staking, and cross-chain functionality through bridging. Additionally, ALEX features an order book secured by Bitcoin and a multichain launchpad for issuing and listing tokens across various blockchains. Users can stake assets for up to 9% APR while participating in campaigns and liquidity pools that generate consistent returns.
Backed by leading investors such as The Spartan Group, DWF Labs, and Trust Machines, ALEX Lab has gained significant recognition across media platforms like Bloomberg, CoinDesk, and Bitcoin Magazine. As a pivotal player in the emerging Bitcoin DeFi space, ALEX continues to build tools that empower users and developers alike to fully leverage decentralized finance on the world’s most secure blockchain.
The Reality
Alex Lab has unfortunately suffered a private key breach in the past, and many of the services offered are inherently risky due to their reliance on new technologies.
The protocol had been audited by two professional security firms, Clarity Alliance and CoinFabrik, just weeks before the attack. Both firms completed their reviews by mid-May 2025, assessing the protocol's AMM contracts, liquidity mechanics, and core functions. They flagged various issues, including calculation errors and math inconsistencies, but neither identified a core design flaw in the vault's permission logic, which either fell completely outside the scope of the audits or was added after their completion.
What Happened
The ALEX Protocol exploit involved an attacker using a malicious token to abuse flawed vault permission logic, allowing them to drain the vault in a single action.
| Date | Event | Description |
|---|---|---|
| June 6th, 2025 2:24:31 AM MDT | Date Of Bitcoin Block | The reported time of the bitcoin block which includes the exploit transaction. |
| June 6th, 2025 2:28:09 AM MDT | Date Of Stacks Block | The reported time of the block on the stacks blockchain which includes the exploit transaction. |
| June 6th, 2025 4:00:00 AM MDT | Claimed Time Of Exploit | The time of exploit publicly claimed by Alex Lab in their grant program tweet. |
| June 6th, 2025 4:17:00 AM MDT | Reubs BTC Posts Tweet | Reubs BTC is credited as one of the first to notice the exploit based on Rekt News. |
| June 6th, 2025 4:28:00 AM MDT | Crusader BTC Tallies Losses | A Twitter user named Crusader tallies up the total amount lost. |
| June 6th, 2025 4:45:00 AM MDT | Alex Lab Is Now Aware | Alex Lab posts a notice that they are aware of the malicious activity and currently working on a plan. |
| June 6th, 2025 6:55:00 AM MDT | Alex Lab Further Details | Alex Lab posts additional details about the recent exploit, confirming that the incident was caused by a flaw in the verification logic of the self-listing function. The attacker used a failed transaction reference to bypass checks and drain liquidity pools—a vulnerability tied to a broader limitation in the Stacks blockchain's ability to detect failed transactions. The team is collaborating with security experts and partners to trace the attacker and assess the full impact. They promise a comprehensive post-mortem once the investigation concludes. |
| June 6th, 2025 9:09:00 AM MDT | Alex Lab Reimbursement | Alex Lab has confirmed that the June 6, 2025 exploit on the ALEX Protocol was caused by a flaw in the self-listing verification logic on the Stacks blockchain. This vulnerability allowed an attacker to drain multiple asset pools, resulting in a total loss of approximately $8.37 million across STX, sBTC, USDC/USDT, and WBTC. In response, ALEX Lab has committed to fully reimbursing all affected users in USDC, using average exchange rates from the time of the incident. |
| June 8th, 2025 7:27:00 AM MDT | Alex Lab Grant Program | The Alex Lab grant program is launched on Twitter/X. The newly introduced Treasury Grant Program offers financial compensation in the form of original tokens and USDC equivalents, covering losses in STX, sBTC, aBTC, and aUSD. With grant distribution set for completion by June 17, 2025, eligible users must connect their affected wallets, review individualized support packages, and accept the terms through the official ALEX Lab interface. This initiative reflects ALEX Lab’s commitment to its community and reinforces its dedication to recovery and resilience. |
| June 8th, 2025 9:56:00 AM MDT | Alex Lab Phishing Advice | Alex Lab provides an important security reminder for participants in the Treasury Grant Program including the only official claim link. Users are strongly advised not to connect to any other websites or trust individuals offering unsolicited help, Zoom links, or requests for remote access. Never share your seed phrase or enter it on any site. Even on ALEX’s official channels, always verify usernames and tags for authenticity. The ALEX team will never message users first, ask for passwords or seed phrases, or direct them to any site other than the one explicitly listed above. |
| June 10th, 2025 10:42:00 AM MDT | Alex Lab Reimbursement Update | Alex Lab issues an update on its Treasury Grant Program, confirming that USDC reimbursements are now underway for eligible users. Distributions are being processed according to the program’s terms, with recipients expected to receive their allocations in the coming days. Key updates include an improved claim page interface, the ability to claim locked LP tokens, and an extended submission deadline—now set for Friday, June 13, 2025, at 23:59 UTC. |
Technical Details
The attacker didn’t exploit a blockchain bug—they exploited ALEX’s reliance on automated token whitelisting and improperly scoped smart contract permissions. While Alex Lab framed the issue around broader infrastructure limitations, the real vulnerability was a misconfiguration of trust and control within their own protocol.
The recent exploit on ALEX Protocol was far more sophisticated—and damaging—than initially disclosed, with the real technical root stemming from weaknesses in ALEX’s own vault and permission systems, rather than a blockchain-level issue. While Alex Lab publicly attributed the exploit to an "on-chain limitation" of the Stacks blockchain—specifically, the inability to reliably detect failed transactions—the actual exploit took advantage of ALEX’s own smart contract architecture and token approval logic.
The attacker deployed a malicious token named ssl-labubu-672d3 with a custom, deceptive transfer function. By creating a legitimate-looking Labubu/STX liquidity pool, they were able to trigger ALEX's set-approved-token logic, which automatically granted permissions to the vault. The exploit escalated further when the attacker enabled farming by modifying the set-enable-farming flag—another function that should have been tightly controlled. This sequence gave the fake token the ability to interface with ALEX’s vault systems as if it were a trusted asset.
The actual drain occurred during a swap-x-for-y transaction. Due to how ALEX’s contracts used as-contract to call the token’s transfer function, the vault was misrepresented as the transaction origin. This allowed the malicious token’s code to execute transfers as if it were the vault itself, giving the attacker unrestricted access to withdraw assets. In a single transaction, the attacker emptied the vault—making off with over $16.18 million in STX, aBTC, sBTC, ALEX tokens, and sUSDT. Security researcher Nolan from Exvul later confirmed that this was not a failure of the Stacks blockchain, but a direct result of flawed permission logic and insufficient safeguards in ALEX’s vault design.
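The permission failure described above, as a constructed Clarity illustration (not ALEX's contract code): the trait path, the owner principal, and the function names `set-approved-token`, `vault-transfer-unchecked` and `vault-transfer` are assumptions chosen for the example.

```clarity
;; Constructed illustration, not ALEX's contract. Assumes a SIP-010 trait
;; deployed locally as .sip-010-trait and a single owner principal.
(use-trait ft-trait .sip-010-trait.sip-010-trait)

(define-constant contract-owner tx-sender)          ;; the deployer
(define-constant err-not-owner (err u100))
(define-constant err-token-not-approved (err u101))

;; Allow-list of vetted token contracts, writable only by the owner.
(define-map approved-tokens principal bool)

(define-public (set-approved-token (token principal) (approved bool))
  (begin
    ;; An automated self-listing flow must never reach this: approval is a
    ;; manual, owner-only decision, not a side effect of creating a pool.
    (asserts! (is-eq contract-caller contract-owner) err-not-owner)
    (ok (map-set approved-tokens token approved))))

(define-read-only (is-approved (token principal))
  (default-to false (map-get? approved-tokens token)))

;; VULNERABLE SHAPE (for contrast): the vault wraps a call into a
;; caller-chosen trait in as-contract. Inside that token's transfer
;; function, tx-sender is the vault principal, so whatever code sits
;; behind `token` runs with authority over every asset the vault holds.
(define-public (vault-transfer-unchecked (token <ft-trait>) (amount uint) (recipient principal))
  (as-contract (contract-call? token transfer amount tx-sender recipient none)))

;; HARDENED: only code the owner has vetted may run under the vault's
;; identity; an unlisted token fails before as-contract is ever entered.
(define-public (vault-transfer (token <ft-trait>) (amount uint) (recipient principal))
  (begin
    (asserts! (is-approved (contract-of token)) err-token-not-approved)
    (as-contract (contract-call? token transfer amount tx-sender recipient none))))
```

The same gate belongs in front of any other state change a listing flow can reach, such as the farming flag the page mentions, so that pool creation alone never expands what a token contract may do.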
Total Amount Lost
The total affected assets, as reported by Alex Lab:
• 8,403,867.57 STX
• 21.85 sBTC
• 149,850.00 aUSD
• 2.80 aBTC

Valued in USD:

| Asset | Amount | USD Value |
|---|---|---|
| STX | 8,403,867.57 STX | $5,691,255.93 |
| sBTC | 21.85 sBTC | $2,244,751.87 |
| USDC/USDT | 149,850 USDC/USDT | $149,850.00 |
| WBTC/BTC | 2.80 WBTC | $287,369.33 |
| Total | | $8,373,227.13 |
Independent estimates put the total amount lost at $16,180,000 USD, well above the $8.37 million figure reported by Alex Lab.
Immediate Reactions
Reubs BTC was one of the first to note and publicly report the hack on Twitter/X. The user Crusader tallied up the total losses.
A post shortly thereafter by Alex Lab acknowledged the malicious activity. Alex Lab claimed their team was immediately taking action to contain the threat and prevent further damage. The team was described as working continuously and having temporarily suspended all platform operations to protect users. They reported actively collaborating with centralized exchanges to trace and potentially recover the stolen funds. ALEX Lab noted they were committed to transparency and planned to release a full post-mortem once investigations were complete.
Ultimate Outcome
Alex Lab has promised to reimburse all affected users through a new grant program. ALEX Lab launched a comprehensive Treasury Grant Program to fully reimburse affected users, committing to cover 100% of losses in USDC. They also paused the self-listing function and began a thorough security review while collaborating with security partners to trace the attacker and assess the full scope of the damage. Despite the setback, ALEX Lab emphasized transparency and user support, issuing detailed updates and expanding claim deadlines to ensure all victims could recover their funds.
Total Amount Recovered
Alex Lab has offered affected users a recovery under the following terms:
STX Holdings
• 100% coverage in USDC
• Exchange rate: 0.68 USDC per STX
sBTC Holdings
• 100% coverage in aBTC
• Exchange rate: 1 aBTC per sBTC
aBTC Holdings
• 75% returned as aBTC (original token)
• 25% converted to USDC at 102,734 USDC per aBTC
aUSD Holdings
• 91% returned as aUSD (original token)
• 9% converted to USDC at 1.00 USDC per aUSD
This recovery is available to non-US citizens who are not sanctioned individuals, subject to complex legal terms.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
The ALEX Protocol exploit continues to ripple through the DeFi community and the broader Bitcoin ecosystem. Trust in the protocol has been shaken, leading to increased scrutiny from users, investors, and security experts.
For ALEX Lab specifically, the incident means a renewed focus on rebuilding user confidence, enhancing security protocols, and reinforcing governance practices. It may also slow down innovation and adoption temporarily as users remain cautious and competitors highlight the exploit as a warning.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ AlexLab - Rekt II - Rekt News (Accessed Jun 11, 2025)
- ↑ Alex Lab - "The attacker exploited a flaw in verification logic in the self-listing function by referencing a failed transaction, allowing a malicious token to bypass checks and transfer funds from liquidity pools. The core issue stems from a current on-chain limitation, specifically the inability to reliably detect failed transactions on Stacks." - Twitter/X (Accessed Jun 11, 2025)
- ↑ Alex Lab - "Following the security exploit on June 6, 2025, ALEX Lab has launched a comprehensive Treasury Grant Program to provide financial support to users who lost funds in the incident. ALEX remains committed to supporting its community and helping users recover during this challenging time." - Twitter/X (Accessed Jun 11, 2025)
- ↑ Terms and Conditions of ALEX Protocol Exploit Treasury Grant Program (2025) - Alex Lab (Accessed Jun 11, 2025)
- ↑ Reubs BTC - "Hold on tight friends, Looks like @ALEXLabBTC has been hacked" - Twitter/X (Accessed Jun 11, 2025)
- ↑ Crusader - "@ALEXLabBTC just got hacked 62 $BTC, 8M $STX, 119m $Alex , $1.7M USDT Not again" - Twitter/X (Accessed Jun 11, 2025)
- ↑ Alex Lab - "We are aware of the malicious activities at ALEX." - Twitter/X (Accessed Jun 11, 2025)
- ↑ Alex Lab - "Our team is working around the clock to contain the situation and mitigate further impact." - Twitter/X (Accessed Jun 11, 2025)
- ↑ Alex Lab - "USDC reimbursements have begun. All eligible participants will receive their allocations in the coming days, in line with the terms and conditions of the Treasury Grant Program" - Twitter/X (Accessed Jun 11, 2025)
- ↑ Alex Lab - "The only link for TGP claim is: https://app.alexlab.co Double check domain is absolutely correct." - Twitter/X (Accessed Jun 11, 2025)
- ↑ Alex Lab - "Using the ALEX Lab Foundation treasury, we will cover 100 % of each affected user’s loss, paid in USDC. To calculate each reimbursement, we will use the average of on-chain exchange rates taken between 10:00 UTC and 14:00 UTC on June 6, 2025." - Twitter/X (Accessed Jun 11, 2025)
- ↑ The Exploit Transaction - Hiro.So Explorer (Accessed Jun 11, 2025)
- ↑ Block With Exploit Transaction - Mempool.space (Accessed Jun 11, 2025)
- ↑ Block With Exploit Transaction - Blockchain.com (Accessed Jun 11, 2025)
- ↑ Alex Lab LinkTree (Accessed Jun 11, 2025)
- ↑ Alex Lab Homepage (Accessed Jun 11, 2025)
- ↑ Alex Lab - https://x.com/ALEXLabBTC/status/1931014419133169734 - Twitter/X (Accessed Jun 16, 2025)