The Web3 you were promised. A high-performance Layer 1 PoW network enabling scalable, easy to use and aligned crypto applications. No tradeoffs.
Joined September 2018
- Tweets 9,092
- Following 477
- Followers 50,790
- Likes 7,856
1,675 Photos and videos
🏆⚽️ World Cup 2026 is here and we're celebrating with @Tangem!
Up for grabs:
- 3x Limited Tangem "Soccer Edition" hardware wallets
- A share of $200 in USDT rewards
To enter:
→ Follow @Alephium & @Tangem here on X
→ Describe the team you're rooting for at the WC26 - no country names, just vibes (e.g. 🇨🇭🧀🏔️)
→ Tag @Alephium & @Tangem 2 friends
→ Fill out the form at forms.gle/37SaGHifZnaebuS88
Final whistle: June 20th.
Good luck!
55
47
100
8,526
March to Mainnet 12/06 🏃
This week, our Core Contributors have been pushing Powfi closer toward mainnet, maintaining key Alephium infrastructure, and continuing Bridge audit and remediation work in parallel.
We are working to relaunch an improved Bridge as soon as possible, once all relevant measures are complete.
Here’s your weekly dev update:
<Powfi>
💥 Continuing internal smart contract audit work
💥 Finalising the referral system design proposal
💥 Completed Powfi and Crowdin integration
💥 Fixed Powfi SDK npm homepage GitHub URLs
<Backend>
⚙️ Upgrading all Alephium dependencies
⚙️ Running a full audit of the entire codebase
⚙️ Reducing Explorer Backend database size
⚙️ Improving node WebSocket support
<Wallets>
✅ Hardened in-app browser security
✅ Team sync on Explorer Backend data validity
✅ Improved transaction sending speed across both wallets
✅ Submitted mobile wallet v2.5.1 to both app stores, including:
1️⃣ Improved cold start performance
2️⃣ Improved perceived transaction confirmation speed
3️⃣ Fixed spinner animation position on data refresh
<Misc>
📸 Took snapshots of all wALPH holder addresses and LP providers on Uniswap and PancakeSwap
📚 Researched referral program designs, contract requirements, key considerations, and integration needs for channel partners (see the Powfi update from earlier this week)
🔎 Reviewed current grant applications
⬆️ Upgraded Alphland nodes
🔒 Researched improvements to security monitoring for the Alphland Alert System
🙅 Removed /admin path from production website
Our conviction and resilience are rock solid.
Alephium’s core contributors have continued to deliver through all of it, and that has not gone unnoticed by the community. Your continued support is priceless 👏
Keep an eye out for upcoming Bridge and Powfi updates.
More to come.
10
18
58
1,600
Bridge Exploit Update
Work on bridge remediation progresses.
Over the past few days, the team has been focused on reviewing, testing, and hardening the updated bridge infrastructure. We are currently finalizing our internal review and preparing for an additional external security review before relaunching the bridge.
In parallel, we are reviewing the broader bridge architecture and identifying additional improvements. Our intention is to further strengthen the system beyond the specific vulnerability involved in this incident.
As of today, relaunching the bridge remains our preferred recovery path for affected users. We currently believe this is the fastest and most straightforward way to allow legitimate wrapped ALPH (wALPH) holders to redeem their assets, while also supporting the broader recovery process. This approach remains subject to the outcome of the ongoing reviews.
On the investigation side, following coordination with legal counsel, a criminal complaint has now been formally filed with the competent prosecutor's office in Switzerland. We also continue to cooperate with security and investigation partners regarding asset tracing and recovery efforts.
We will continue sharing updates during this process.
5
13
69
2,302
Powfi is getting a codebase upgrade introducing the B2B2C partner integration framework built on the ALPH Staking Layer, enabling integration partners to offer ALPH staking to their users and earn a commission through an on-chain referral system.
x.com/alephium/status/206217…
Powfi Update 💥
Following very positive discussions with several partners, the Powfi codebase has been upgraded to support direct integrations with our $ALPH Staking Layer through a referral-based framework.
How it works:
Traditional B2C Workflow
▪️ A user holds ALPH
▪️ Connects their wallet to Powfi
▪️ Stakes their ALPH
▪️ User starts earning rewards
New B2B2C Partner Workflow
▪️ An integration partner offers ALPH staking to its users
▪️ The yield offered is the same as staking natively on Powfi
▪️ Staking is attributed to the partner via an on-chain referral tag
▪️ ALPH is staked via the Powfi Staking Layer
▪️ The partner earns a commission
One example from our recent discussions is a mining pool offering ALPH Staking to its users.
Other potential integration partners include: wallets, centralized exchanges, and of course dApps.
This is how the Powfi staking layer scales and maximizes locked circulating supply, strengthening $ALPH and the broader ecosystem.
We'll share more updates as these conversations progress and integrations begin to materialize.
2
1
29
1,408
A full technical breakdown of how the burn was executed was published walking through the technical process behind how the attacker's wALPH was burned, including the guardian coordination process.
x.com/alephium/status/206253…
🧵How the Attacker's wALPH Was Burned
“As part of the bridge incident remediation, the bridge guardians, with support from our security partners, executed an authorized recovery procedure to invalidate the unbacked wrapped ALPH held in the attacker's wallet.”
The Bridge Guardians coordinated through the bridge’s multi-signature governance mechanism to temporarily upgrade the bridge’s wrapped asset contract implementation.
This temporary implementation introduced functionality that allowed the attacker-controlled unbacked wALPH to be permanently burned. Immediately after execution of the burn, the contract was reverted to its original implementation.
This action required approval from the full Guardian set, which is why the process took several days to organize and execute. Note that the guardians are separate and independent from each other.
Alephium’s bridge wrapped asset contracts, like those used by many cross-chain bridge systems, are deployed behind upgradeable proxy contracts. This architecture allows contract implementations to be modified through Guardian-approved governance actions when required.
It is important to note that the burn capability used in this remediation did not exist in the bridge’s normal operating implementation. It was introduced through a temporary governance-approved upgrade specifically to remediate the unbacked supply created by the exploit and was rolled back once the action was completed.
This approach has precedent in previous DeFi security incidents.
Following the pxETH exploit involving Yearn Finance, unbacked tokens were invalidated by the token issuer directly from the attacker's wallet.
After the Echo Protocol incident, attacker-controlled eBTC was burned once administrative control had been recovered.
The tokens burned in our case were exclusively the unbacked wALPH that remained in the attacker’s wallet at the time of the action. Any wALPH that had already left the attacker’s wallet prior to the burn was not affected.
The recovery action was intentionally limited to assets that remained under the attacker’s direct control and did not affect third-party holders who acquired wALPH through ordinary market activity without involvement in the exploit.
The action had no effect on assets held by legitimate users and did not affect any assets on the Alephium Layer 1 blockchain.
The bridge itself remains disabled while remediation, review, and security assessment work continue.
1
24
1,023
🧵How the Attacker's wALPH Was Burned
“As part of the bridge incident remediation, the bridge guardians, with support from our security partners, executed an authorized recovery procedure to invalidate the unbacked wrapped ALPH held in the attacker's wallet.”
The Bridge Guardians coordinated through the bridge’s multi-signature governance mechanism to temporarily upgrade the bridge’s wrapped asset contract implementation.
This temporary implementation introduced functionality that allowed the attacker-controlled unbacked wALPH to be permanently burned. Immediately after execution of the burn, the contract was reverted to its original implementation.
This action required approval from the full Guardian set, which is why the process took several days to organize and execute. Note that the guardians are separate and independent from each other.
Alephium’s bridge wrapped asset contracts, like those used by many cross-chain bridge systems, are deployed behind upgradeable proxy contracts. This architecture allows contract implementations to be modified through Guardian-approved governance actions when required.
It is important to note that the burn capability used in this remediation did not exist in the bridge’s normal operating implementation. It was introduced through a temporary governance-approved upgrade specifically to remediate the unbacked supply created by the exploit and was rolled back once the action was completed.
This approach has precedent in previous DeFi security incidents.
Following the pxETH exploit involving Yearn Finance, unbacked tokens were invalidated by the token issuer directly from the attacker's wallet.
After the Echo Protocol incident, attacker-controlled eBTC was burned once administrative control had been recovered.
The tokens burned in our case were exclusively the unbacked wALPH that remained in the attacker’s wallet at the time of the action. Any wALPH that had already left the attacker’s wallet prior to the burn was not affected.
The recovery action was intentionally limited to assets that remained under the attacker’s direct control and did not affect third-party holders who acquired wALPH through ordinary market activity without involvement in the exploit.
The action had no effect on assets held by legitimate users and did not affect any assets on the Alephium Layer 1 blockchain.
The bridge itself remains disabled while remediation, review, and security assessment work continue.
11
18
68
4,817
On Decentralization and immutability
Governance actions and decentralization are often discussed as though they are incompatible concepts, when in reality, decentralization and immutability are distinct properties.
A decentralized system can still change state when the relevant participants reach the required level of consensus. The defining question is not whether a change is possible, but who is authorized to approve that change and what consensus threshold must be met.
Bitcoin, Ethereum, Alephium, and other decentralized networks have all coordinated protocol changes throughout their histories.
Network upgrades, hard forks, and governance actions are all examples of decentralized participants collectively agreeing to modify a system’s state or rules.
The Ethereum DAO fork is perhaps the most widely known example of a highly decentralized network coordinating a state change in response to an exploit. The Ethereum community reached consensus around a protocol change that effectively invalidated the outcome of the attack and restored the affected funds.
The same principle applies here.
The action was not the result of a unilateral administrative decision. The Bridge Guardians collectively approved a temporary upgrade that enabled the unbacked wALPH remaining in the attacker’s wallet to be burned. Approval from the full Guardian set was required.
The bridge governance model differs from that of a Layer 1 blockchain and relies on a substantially smaller guardian set. This governance structure is similar to that used by many cross-chain bridge systems, where upgrades require approval from the designated guardians or validators responsible for securing the bridge.
1
8
36
1,137
Smart Contract Assets and Native Assets
This remediation action also highlights an important architectural distinction between smart contract-managed assets and native protocol assets.
The remediation action described above was possible because wALPH exists as a smart contract-managed asset on Ethereum. Like most assets on Ethereum, ownership and balances are ultimately defined by contract state rather than by the Ethereum protocol itself.
Depending on how a token is designed, contract administrators may have the ability to freeze assets, blacklist addresses, destroy tokens, upgrade contract logic, or introduce new functionality through governance processes.
In some cases, these capabilities are built into the contract from the outset, while in others, they can be introduced through an upgrade if the contract architecture permits it.
Well-known examples include centralized stablecoins such as USDT, where issuers maintain the ability to freeze or blacklist addresses under certain circumstances.
The governance requirements for such actions vary significantly. Some systems require broad multi-party consensus, while others can be controlled by a much smaller set of administrators.
The bridge remediation described in this report required approval from the full Guardian set before the temporary upgrade could be executed.
Native Alephium assets operate differently.
ALPH and all native Alephium-issued tokens are first-class protocol assets recorded directly by the blockchain's UTXO model rather than balances maintained by a smart contract.
As a result, their ownership cannot be modified through a contract upgrade, administrative function, or by changing or removing the code that originally issued them.
Achieving an equivalent outcome for a native Alephium asset would require a protocol-level network upgrade with broad ecosystem consensus, rather than a change to an individual application or contract.
This architectural distinction is one of the key differences between Alephium's asset model and the asset model used by EVM-based chains.
As native Alephium assets are first-class protocol objects rather than balances managed by application-level contracts, they deliver significantly stronger guarantees that ownership and transfer rules cannot be altered at the application level. This substantially reduces this category of governance and smart contract risk.
Alephium supports both models. Developers can issue native first-class assets directly at the protocol level, or create smart contract-managed assets when additional functionality, programmability, or administrative controls are required by the application.
The investigation and remediation process remains ongoing. Further updates will follow.
Thank you for your support.
1
4
28
814
Bridge Update
The unauthorized wrapped ALPH held in the attacker's wallet was burned yesterday. 500,000 unbacked wrapped ALPH had already been sold on Uniswap prior to the burn. Alephium will supply the native ALPH required to back these tokens.
For users affected by the drained bridge assets, we remain committed to making them whole and are working on the best path forward.
Following the burn, the most likely path forward is now a relaunch of bridge operations. We currently believe this is the fastest, safest, and simplest solution. Once the bridge is safely restored, users would be able to redeem through the bridge as originally intended. A separate redemption process for wALPH holders remains a fallback option if needed.
The vulnerability has been fixed. We're conducting extensive review and security assessments before any relaunch, as we prioritize security over speed.
This is our most likely path, though it may evolve as reviews progress.
Full postmortem and further updates to follow.
7
6
65
2,544
Powfi Update 💥
Following very positive discussions with several partners, the Powfi codebase has been upgraded to support direct integrations with our $ALPH Staking Layer through a referral-based framework.
How it works:
Traditional B2C Workflow
▪️ A user holds ALPH
▪️ Connects their wallet to Powfi
▪️ Stakes their ALPH
▪️ User starts earning rewards
New B2B2C Partner Workflow
▪️ An integration partner offers ALPH staking to its users
▪️ The yield offered is the same as staking natively on Powfi
▪️ Staking is attributed to the partner via an on-chain referral tag
▪️ ALPH is staked via the Powfi Staking Layer
▪️ The partner earns a commission
One example from our recent discussions is a mining pool offering ALPH Staking to its users.
Other potential integration partners include: wallets, centralized exchanges, and of course dApps.
This is how the Powfi staking layer scales and maximizes locked circulating supply, strengthening $ALPH and the broader ecosystem.
We'll share more updates as these conversations progress and integrations begin to materialize.
9
25
98
4,511
Bridge Update
Today, we continued work across multiple recovery and investigation tracks.
▪️As part of the bridge incident remediation, the bridge guardians, with support from our security partners, executed an authorized recovery procedure to invalidate the unbacked wrapped ALPH held in the attacker's wallet. This action applied exclusively to unauthorized wrapped ALPH created through the exploit and held by the attacker. It did not affect native ALPH, legitimately backed wrapped ALPH held by users, or addresses that unknowingly acquired unbacked wrapped ALPH through trading activity following the exploit. It also did not affect the Alephium L1 consensus rules. Removing these exploit-created assets from the attacker's control is an important step in the ongoing recovery and remediation process.
▪️ We are advancing the recovery path for legitimate wrapped ALPH holders and have identified all eligible holders via snapshot.
▪️We are confirming the addresses of liquidity providers affected by the exploit, including LPs currently providing liquidity on Uniswap and PancakeSwap, as well as addresses that unknowingly traded against the attacker's transactions.
▪️We have submitted an incident report to Switzerland's National Cyber Security Centre (NCSC) and are coordinating with the relevant law enforcement authorities.
▪️We continue to work closely with @Blockaid_, @SEAL_911, and other investigation partners to trace assets and assess possible recovery opportunities.
▪️In parallel, work continues on the bridge recovery plan, technical remediation, legal and criminal investigation efforts, and the preparation of the full postmortem.
▪️Below, we have published a comprehensive on-chain analysis covering the exploit timeline, affected transactions, fund movements, and the current location of the drained assets.
Read the on-chain report here: alephium.org/news/post/the-a…
We will share further updates as the situation develops.
7
16
66
7,441
Bridge Update
Over the past 48 hours, the team has been working around the clock on recovery, remediation, investigation, and the future of the bridge.
With regards to legitimate wALPH and corresponding native ALPH: the exact technical implementation for recovery of funds is still being evaluated and depends on several factors. Regardless of the implementation chosen, the objective remains the same: legitimate holders will be able to recover their ALPH, while assets illegitimately created through the exploit will not benefit from the recovery process.
We continue to work with security and investigation partners to trace the drained assets and assess possible recovery opportunities and we are grateful for their ongoing support.
At the same time, we are initiating coordination with legal counsel, relevant authorities, and law enforcement regarding the incident.
Further updates will be shared throughout the week as work progresses.
15
12
65
4,180
While we continue working on the full postmortem, we would like to share some additional information about the attack.
The attacker did not succeed with their first attempts. Prior to the successful exploit, multiple malicious attempts were rejected by the bridge's standard validation workflow.
Our investigation indicates that the attacker later combined the backend vulnerability with an eclipse-style attack against the P2P network. This disrupted affected full nodes and triggered a fallback workflow within the bridge backend. The vulnerable logic existed within this fallback path and was subsequently exploited.
The exploit remains fully contained. The bridge was shut down immediately after the incident was identified, and the exploit path is no longer available.
We will provide the complete technical details, timeline, and remediation measures in the full postmortem.
1
8
37
1,791
Important Reminder 🚨
There are accounts impersonating Alephium, our team, and our moderators across all social media channels.
We do NOT have a ticket system or support team.
Do not share your private keys with anyone, and do not click links from unverified sources.
Please verify account names carefully before engaging.
We will never DM you first, and all official updates will come from verified Alephium channels only.
Thank you.
Alephium Team.
3
10
54
2,355