ALEX

ALEX Protocol Hack — June 6, 2025

The Exploit

On June 6, 2025, ALEX Protocol was exploited via a flaw in the self-listing verification logic (an on-chain limitation on Stacks). The root cause was failed access controls within the project's vault system.

Technical Details

The attacker deployed a malicious token named ssl-labubu-672d3, which contained a deceptive transfer function within its smart contract, and subsequently set up a liquidity pool pairing this malicious token with legitimate assets such as Stacks (STX).

Losses

The ALEX Lab hack involved $8.3M in losses (initial public estimate). The total loss was estimated at approximately $8.37 million USD, though additional reports indicated losses could be as high as $16.18 million when including stolen aBTC, STX, sUSDT, and ALEX tokens.

Response and Reimbursement

The ALEX Lab Foundation committed to fully reimbursing all affected users in USDC, using its treasury reserves, with reimbursement amounts based on the average on-chain exchange rates recorded between 10:00–14:00 UTC on June 6, 2025. Affected users received on-chain notifications regarding claim submissions by June 8, 2025, and claims were required to be submitted by June 10, 2025, with reimbursements distributed within seven business days after verification.

Sources

• https://www.halborn.com/blog/post/explained-the-alex-protocol-hack-june-2025

• https://www.cryptotimes.io/2025/06/07/alex-protocol-loses-8-37m-in-hack-due-to-security-flaw/

• https://www.bitcoinsensus.com/news/alex-protocol-8-37m-exploit/

• https://www.guardrail.ai/blog/alex-protocol-hack-june-2025

• https://themerkle.com/alex-protocol-suffers-8-37m-exploit-launches-full-compensation-plan-for-affected-users/

• https://ambcrypto.com/stacks-stx-down-31-after-alex-protocol-exploit-details/

• https://unchainedcrypto.com/alex-lab-to-reimburse-users-after-8-3m-exploit/