DeFi protocol ALEX Lab, built on the Stacks blockchain, has pledged to fully reimburse users affected by a recent $8.3 million exploit—its second major security breach in just over a year.
In a statement shared on X (formerly Twitter), ALEX Lab confirmed that the attack exploited a flaw in its self-listing feature. The vulnerability allowed a malicious actor to bypass transaction verification, enabling unauthorized withdrawals from liquidity pools. The exploit took advantage of a limitation in the Stacks ecosystem: its inability to reliably detect failed transactions on-chain.
“This core issue stems from a current on-chain limitation,” the team explained, noting that this blind spot in transaction validation opened the door to the attack.
On June 6, 2025, ALEX Protocol was exploited via a flaw in the self-listing verification logic (an on-chain limitation on Stacks). As a result, the attacker drained several asset pools, with the breakdown of lost assets as follows:
STX: 8,403,867.57 STX → $5,691,255.93
sBTC:…
— ALEX 🟧 No. 1 Bitcoin DeFi (@ALEXLabBTC) June 6, 2025
Following the breach, ALEX Lab’s native token, $ALEX, plummeted by 45% in under 24 hours, according to data from CoinGecko. The token’s steep decline reflects market concern over security and trust in the protocol, which had already suffered a separate $4.3 million hack in May 2024.
That earlier breach stemmed from a phishing attack that compromised private keys—a tactic commonly linked to the North Korea-backed Lazarus Group. At the time, ALEX Lab coordinated with centralized exchanges to freeze some of the stolen funds and later distributed protocol revenue to affected users via a governance DAO vote.
Despite those recovery efforts, some assets remain unrecovered. In a recent update, ALEX Lab said that eight out of 15 centralized exchanges (CEXs) have returned funds so far, with negotiations continuing with the remaining seven. “We expect further recoveries in Q2,” the team stated.
Notice: Incident Report on Recent Exploit
ALEX Protocol recently experienced an exploit that led to a partial loss of funds. We were able to detect and contain the attack early, minimizing further impact.
The attacker exploited a flaw in verification logic in the self-listing…
— ALEX 🟧 No. 1 Bitcoin DeFi (@ALEXLabBTC) June 6, 2025
As for the latest incident, ALEX Lab is tapping into its treasury to make users whole. Impacted users must complete a claim form by June 10 to be eligible for full reimbursement. Notifications are being sent individually.