defirisk.co
rubric v1.7.0

AlexLab (Bitcoin DeFi / Stacks): Vault permission hijack via malicious token self-listing; `as-contract` context abuse

AlexLab lost $16M when an attacker deployed a fake token, used the protocol's own permissionless listing feature to gain vault-level access, then drained every asset in one transaction by exploiting Stacks' `as-contract` context shift.

Occurred: 2025-06-06 | Loss: $16M | Status: closed

Summary

AlexLab (Bitcoin DeFi / Stacks) suffered an exploit of its DEX / AMM on 2025-06-06, resulting in a loss of approximately $16M.


Linked factors

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: N — the live `amm-vault-v2-01` that was drained was explicitly outside the May 2025 audit scope] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: N — the live `amm-vault-v2-01` that was drained was explicitly outside the May 2025 audit scope] || ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code — exploited contract was not in audit scope]
  • RD-F-046 — related : ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
  • RD-F-072 — causal : Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
  • RD-F-077 — causal : Prior exploit count [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-079 — causal : Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol]