Blockaid

Based on additional information from our investigation and the Alephium team's analysis, the exploit does not appear to have involved a compromise of guardian private keys. Instead, it appears to have involved an exploit that allowed forged malicious events/messages to be observed and signed by guardians. We look forward to the Alephium team's forthcoming postmortem for additional technical details.

🚨Blockaid detected an exploit targeting the Alephium TokenBridge on Ethereum. ~$815K drained in ~7 minutes via 3-of-4 compromised guardian keys signing forged VAAs. 13.76M wrapped ALPH minted (>100% of prior supply) + USDT/USDC/WBTC/WETH unlocked from custody. More details in 🧵

The StakeDAO deployer private key (0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62) was compromised. The attacker used it to reconfigure the LayerZero v2 OFT peer on the vsdCRV (Vote Boosted sdCRV) token contract, redirecting trust from the legitimate Ethereum-side vsdCRVOFTAdapter to an attacker-deployed malicious contract - then sent a forged cross-chain message that minted 5,446,744,073,709 vsdCRV (~5.4 trillion tokens).

Suspected root cause: SquidRouterModule executeSameChainActions() vulnerability. Attacker deployed Foundry-based exploit contracts that called the module's DelegateBundler path to impersonate authorized delegates on victim Safes. This allowed executing arbitrary Uniswap V3 swaps from each Safe, swapping real assets for a worthless attacker-deployed token ("u", max supply, 42 holders). Attacker pre-seeded Uniswap V3 pools pairing "u" against target tokens, removed liquidity post-drain, and converted all proceeds to 3.07M DAI.

🔎 Suspected root cause - TL;DR The bridge authenticates cross-chain message retries with keccak256(abi.encodePacked(...)) over four consecutive dynamic-bytes fields (initiator, from, to, swapData). abi.encodePacked has no length prefixes, so the field boundaries aren't encoded - different field allocations can pack to the identical byte string and therefore the identical keccak. The attacker: 1) Originated a real, oracle-multisig-signed MAP→ETH message to a precomputed CREATE address. Destination had no code yet → bridge cached a "NotContract" retry commitment. 2) Deployed the exploit contract at that exact address. 3) Called retryMessageIn with rearranged bytes-field boundaries that pack to the IDENTICAL 601-byte string as the planted message → same keccak → guard passes → bridge mints 10^15 MAPO (~4.8M× supply) to attacker. Not a key compromise, not a light-client bug, not a MAPO bug. Pure Solidity abi.encodePacked footgun on multiple dynamic-bytes fields.