Alex Lab, a Bitcoin DeFi project, recently suffered a severe security breach resulting in the theft of $4.3 million. The primary cause of the exploit was the compromise of a private key, which allowed the attacker to gain unauthorised access to a vault.
The attacker used phishing as attack vector to steal the project's private keys, which granted them administrative access to an ALEX liquidity pool vault. This access enabled the hacker to steal approximately $300,000 worth of Bitcoin, $3.3 million in stablecoins, and $75,000 worth of Sugar Kingdom (SKO) tokens. In response, Alex Lab proposed offering the hacker a 10% reward in exchange for the return of 90% of the stolen funds.
This breach underscores the vital importance of robust private key management and enhanced security measures within DeFi projects that go beyond smart contract audits. The root cause was the phishing attack that led to the private key compromise, highlighting the need for Web3 to expand it's security horizons and start looking at security with a more comprehensive approach.