Alephium TokenBridge Exploited for $815,000 After Three Guardian Keys Were Compromised
Alephium disputes early claims of guardian key compromise, stating the $815,000 TokenBridge exploit stemmed from an offchain backend vulnerability that enabled unauthorized wrapped ALPH minting and asset withdrawals across Ethereum and BNB Chain.
Alephium TokenBridge was exploited for about $815,000 after attackers minted 13.76 million wrapped ALPH from forged transactions and drained assets across Ethereum and BNB Chain. Blockaid initially reported that three of four guardian keys had been compromised, allowing forged VAA messages and a roughly seven-minute attack, but Alephium later disputed that account and said the exploit was caused by an offchain backend vulnerability triggered in specific edge cases. Alephium said the stolen assets included 200,967 USDT, 17,594 USDC, 5.18 WETH, and 0.335 WBTC on Ethereum, plus 36,750 USDT and 24.386 WBNB on BNB Chain. The project shut down the bridge, warned liquidity providers to withdraw from ALPH pools on Uniswap and PancakeSwap, and said additional liquidity could help the attacker realize value from the unauthorized wrapped ALPH.
- VAA: A verified action approval, or signed cross-chain message, used by a bridge to authorize transfers or other actions between networks.
- Wrapped ALPH: A bridged version of ALPH minted on another blockchain to represent ALPH locked or referenced through the bridge.
- WBNB: Wrapped BNB, a tokenized version of BNB used in smart contract applications on BNB Chain.