Two separate exploits struck decentralized finance in quick succession, resulting in combined losses exceeding $850,000. The incidents targeted a custom token contract on BNB Chain and the cross‑chain infrastructure of the Alephium network, exposing persistent vulnerabilities in DeFi security.
DTXT/USDT Pool Exploit on BNB Chain
Blockchain security firm PeckShield identified a smart contract flaw in the DTXT token that allowed an attacker to drain approximately $35,041 from its USDT liquidity pool on BNB Chain. The vulnerability originated in the contract’s logic for distinguishing between swap transactions and liquidity additions. The contract made this distinction by comparing its own USDT balance with the pool’s deposited USDT, a check that an attacker could manipulate. The exploiter sent a tiny amount of USDT directly to the trading pair’s contract, causing a large sell order of DTXT to be misclassified as a liquidity addition — bypassing the transaction fee that would normally apply to a sell. To amplify the attack, the exploiter took out a 1,077,400 USDT flash loan from the Moolah lending protocol, using the borrowed capital to distort the pool’s state and capture a quick profit. This case highlights how even a subtle logical error in a custom token’s code can be weaponized with the help of uncollateralized flash loans.
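The balance-comparison check described above, modelled in Python beside a hardened form. This is an added example, not the DTXT contract's code. The reading of the check as pair balance versus recorded reserve, the 5% fee, the `Pair` class and the `liquidity_helper` allowlist are all assumptions made for illustration.

```python
# Added illustration (not the DTXT contract): a model of a token that waives
# its sell fee when a transfer to the pair "looks like" a liquidity addition.
from dataclasses import dataclass

SELL_FEE_BPS = 500  # assumed 5% sell fee; the page does not give the real rate


@dataclass
class Pair:
    usdt_reserve: int  # USDT amount recorded at the pair's last sync
    usdt_balance: int  # USDT the pair contract actually holds right now

    def receive_usdt(self, amount: int) -> None:
        # A plain token transfer raises the balance but not the recorded reserve.
        self.usdt_balance += amount


def fee_vulnerable(pair: Pair, amount: int) -> int:
    """Assumed flawed heuristic: unsynced USDT on the pair means 'liquidity add'."""
    if pair.usdt_balance > pair.usdt_reserve:
        return 0  # treated as liquidity addition, so no sell fee
    return amount * SELL_FEE_BPS // 10_000


def fee_hardened(sender: str, amount: int, fee_exempt: frozenset) -> int:
    """Exemption depends on who is sending, never on state anyone can change."""
    if sender in fee_exempt:
        return 0
    return amount * SELL_FEE_BPS // 10_000


def demo() -> dict:
    exempt = frozenset({"liquidity_helper"})  # hypothetical allowlisted contract
    pair = Pair(usdt_reserve=1_000_000, usdt_balance=1_000_000)  # constructed state
    before = fee_vulnerable(pair, 10_000)
    pair.receive_usdt(1)  # one unit of unsynced USDT flips the heuristic
    after = fee_vulnerable(pair, 10_000)
    return {
        "vulnerable_before": before,
        "vulnerable_after": after,
        "hardened_trader": fee_hardened("trader", 10_000, exempt),
        "hardened_helper": fee_hardened("liquidity_helper", 10_000, exempt),
    }


if __name__ == "__main__":
    print(demo())
```

The audit point is that the pair's token balance is writable by anyone, so any fee or classification decision keyed to it should be treated as attacker-controlled input.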
Alephium Bridge Guardian Key Compromise
Security firm Blockaid reported that the Alephium token bridge was exploited for roughly $815,000 after an attacker managed to compromise three of the four guardian keys that secure cross‑chain transactions. These multi‑signature keys are required to sign Verification of Asset Authenticity (VAA) messages before any transfer can be authorized. By gaining control of three keys — exactly the required threshold — the attacker forged a VAA message and drained assets from the bridge’s liquidity pools. Unlike a smart contract bug, this breach targeted operational key management, shifting the focus from code auditing to validator security practices. The Alephium team swiftly paused the bridge and launched an investigation. The native ALPH token experienced a moderate price decline amid broader concerns about cross‑chain bridge safety.
Implications for DeFi Security
Both incidents, though modest in absolute dollar terms compared to past mega‑hacks, underscore critical lessons. The DTXT exploit demonstrates that custom integration logic — especially balance checks and fee‑bypass mechanisms — must undergo rigorous auditing. The Alephium bridge attack reinforces long‑standing warnings that concentrated validator key sets remain a prime attack vector for cross‑chain protocols. With over $2 billion lost to bridge exploits since 2021, the industry faces growing pressure to adopt more resilient key distribution and monitoring systems.