Bitcoin DeFi project ALEX exploited again, aBTC depegs

Just over a year after a suspected private key hack, “Bitcoin DeFi” platform ALEX Protocol has been exploited again, this time with losses estimated at $14 million.

The team initially announced a security incident, following reports of a hack circulating on X, before later publishing a more detailed incident report. The project’s website remains “under maintenance.”

Notice: Incident Report on Recent Exploit

ALEX Protocol recently experienced an exploit that led to a partial loss of funds. We were able to detect and contain the attack early, minimizing further impact.

The attacker exploited a flaw in verification logic in the self-listing…

— ALEX 🟧 No. 1 Bitcoin DeFi (@ALEXLabBTC) June 6, 2025

Read more: At least $25M lost across three incidents in busy day for crypto hackers

The report points to an issue with correctly identifying failed transactions on Stacks, a DeFi-focused layer two scaling solution for the Bitcoin network.

This allowed the attacker to bypass checks using data from a failed transaction and withdraw the funds.

The “partial loss of funds” amounts to an estimated $14 million, according to crypto security firm QuillAudits.

Amongst the tokens stolen was 63.5 wrapped bitcoin (aBTC and sBTC). Crypto price tracking website CoinGecko shows sBTC as trading significantly off-peg, though this may be due to a feed that incorporates other tokens, including ALEX.

A Stacks representative provided a link to the DIA Oracle feed, showing sBTC on-peg.

Similarly, the value of Stacks’ STX is down approximately 10% on the day, and the platform’s own ALEX token is down over 50%. 

Other Stacks-based projects have confirmed that the exploit is contained to the ALEX Protocol, but Pontis has paused its bridge to contain funds within the network, and Bitflow, Stacks’ exchange aggregator, is removing the affected pools from its routes.

What is Stacks and does it really serve as DeFi for Bitcoin?

Read more: Fake crypto wallet in App Store for four years drained $120K in Stacks

Last May, in what Certik suspected was a private key compromise, $4.3 million was removed from ALEX Protocol’s XLink bridge connecting the project to Binance’s BNB Chain.

Despite the security upgrades and the migration of exchange and token contracts that followed, the changes have apparently proved insufficient to prevent today’s far more costly attack.

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.

Edit 21:30 UTC, June 6: Updated piece to reflect confusion around sBTC’s apparent depeg.