
Explained: The ALEX Protocol Hack (June 2025)

Category: Explained: Hacks


POSTED BY: Rob Behnke

06.16.2025

In June 2025, Alex Lab, the Stacks-based “Bitcoin finance layer,” suffered a significant hack. Reports disagree on the total stolen and on the list of lost assets ($8.3M vs. $16.18M), and the official root cause is disputed as well.

Inside the Attack

According to the official report, the Alex Lab hack involved $8.3M in losses and was caused by the inability to identify failed transactions on the Stacks blockchain. However, the root cause of the incident was actually failed access controls within the project’s vault system.

The attacker began by creating a fake token — ssl-labubu-672d3 — that included a malicious transfer function within its smart contract. The attacker created a Labubu/STX pool and called set-approved-token, which caused Alex Lab to grant the smart contract vault permissions. With this access, the attacker was able to change the set-enable-farming flag within Alex Lab, which enabled the malicious contract’s transfer function.

When a swap-x-for-y call is performed, the Alex Lab contract calls the fake transfer function within the malicious token contract. It does so inside as-contract, which makes the vault appear to be the caller instead of the token contract. This bypasses the access controls within Alex Lab, allowing the attacker to drain tokens stored within the smart contract.

In the wake of the hack, Alex Lab has offered a full reimbursement of the stolen funds based on its official inventory of losses. However, this list omits some of the tokens stolen in the hack, such as the aBTC and ALEX tokens transferred during the malicious transaction; counting those brings the total losses to $16.18M.

Lessons Learned from the Attack

The root cause of the ALEX protocol hack was failed access controls. The attacker was able to deploy a token that received vault-level permissions. When the Alex Lab contract called the token’s transfer function with as-contract, it made it appear that the caller was the Alex Lab contract, not the token contract. Swapping roles allowed the attacker to bypass access controls and drain the contract.
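The tx-sender / contract-caller distinction behind the bypass described above, as an added example that is not part of the original post and not ALEX's own code: a hypothetical vault whose allowlist check is shown in its weak form (gated on tx-sender) beside the hardened form (gated on contract-caller), together with the approved router contract that wraps a trait call in as-contract and so plays the role the page assigns to the vault. The contract, map and function names and the same-deployer SIP-010 trait reference are assumptions.

```clarity
;; Added illustration of the as-contract pitfall described above (not ALEX
;; code; every name here is invented). Two hypothetical contracts are shown
;; in one listing for reading; each would be deployed separately. Assumes a
;; SIP-010 trait contract deployed by the same deployer.

;; ===== contract: vault (holds pooled tokens) =====
(use-trait ft-trait .sip-010-trait-ft-standard.sip-010-trait)
(define-constant CONTRACT-OWNER tx-sender)
(define-constant ERR-NOT-AUTHORIZED (err u1000))
(define-map approved-contracts principal bool)

(define-private (is-approved (who principal))
  (default-to false (map-get? approved-contracts who)))

;; Only the deployer may edit the allowlist (checked on contract-caller).
(define-public (set-approved-contract (who principal) (approved bool))
  (begin
    (asserts! (is-eq contract-caller CONTRACT-OWNER) ERR-NOT-AUTHORIZED)
    (ok (map-set approved-contracts who approved))))

;; WEAK: gates on tx-sender. While an approved contract (the router below)
;; runs inside (as-contract ...), tx-sender equals that approved contract
;; for every nested call, including the code of an untrusted token reached
;; through the trait. That token code can call this function and pass.
(define-public (transfer-ft-weak (token <ft-trait>) (amount uint) (to principal))
  (begin
    (asserts! (is-approved tx-sender) ERR-NOT-AUTHORIZED)
    (as-contract (contract-call? token transfer amount tx-sender to none))))

;; HARDENED: gates on contract-caller, the principal that made THIS
;; contract-call?. A call arriving from an untrusted token contract carries
;; that token's principal, which is not on the allowlist, so it fails.
(define-public (transfer-ft (token <ft-trait>) (amount uint) (to principal))
  (begin
    (asserts! (is-approved contract-caller) ERR-NOT-AUTHORIZED)
    (as-contract (contract-call? token transfer amount tx-sender to none))))

;; ===== contract: router (listed in the vault's approved-contracts) =====
(use-trait ft-trait .sip-010-trait-ft-standard.sip-010-trait)

;; The risky shape: an as-contract wrapper around a trait call into whatever
;; token the caller supplies, so that token's code runs with tx-sender equal
;; to the router. Only a gated token allowlist makes this safe to keep.
(define-public (swap-leg (token <ft-trait>) (amount uint) (to principal))
  (as-contract (contract-call? token transfer amount tx-sender to none)))
```

Clarity's built-in reentrancy rule blocks a token from calling back into a contract already on the call stack, which is why the privileged function sits in a separate vault contract from the router doing the as-contract call; the contract-caller check is what closes the cross-contract path.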

The Alex Lab hack demonstrates the importance of performing a smart contract audit on all code before it is deployed on-chain. While the project recently underwent audits for some of its new features, the existing code exploited by the attacker wasn’t in scope, so the vulnerability was overlooked.

An effective smart contract security program considers all potential threats to the project, on-chain and off-chain. To learn more about securing your project against top DeFi threats, get in touch with Halborn.

© Halborn 2025. All rights reserved.