abracadabra/spell defi漏洞利用加密協議的數百萬美元

黑客設法從該平台的智能合同系統中耗盡了資金，稱為“大鍋”，價值約為1300萬美元。

A DeFi exploiter has drained approximately $13 million from Abracadabra/Spell’s smart contract system, known as cauldrons, in an attack that took advantage of a vulnerability in the protocol’s integration with GMX V2’s liquidity pools, according to Peckshield.

根據Peckshield的說法，一名Defi Exploiter從Abracadabra/Spell的智能合同系統（稱為Cauldrons）中排出了約1300萬美元，這是一項攻擊，利用了該協議與GMX V2的流動性池的脆弱性。

The security firm reports that the attacker stole over 6,200 ETH, exploiting a gap in the protocol’s smart contracts, which allowed them to siphon off a portion of the funds.

該安全公司報告說，攻擊者偷走了超過6,200的ETH，利用了協議智能合約中的差距，這使他們能夠從一部分資金中竊取一部分。

How the DeFi Exploit Took Place

如何發生Defi漏洞

Abracadabra/Spell’s cauldrons leverage liquidity from the GMX decentralized exchange to facilitate on-chain lending and borrowing. The attack appears to have been a well-crafted exploitation of the protocol’s interaction with GMX V2’s V2 liquidity pools.

Abracadabra/Spell的大鍋利用GMX分散交易的流動性來促進鏈貸款和借貸。這次攻擊似乎是對該協議與GMX V2的V2流動性池的互動進行精心製作的剝削。

Researchers suggest the attacker used a flash loan, a commonly employed DeFi strategy where users borrow funds without collateral, and manipulated the liquidation process within this context.

研究人員建議攻擊者使用Flash Loan，這是一種常用的Defi策略，在這種情況下，用戶借入資金，並在這種情況下操縱清算過程。

According to blockchain expert Weilin Li, the attacker took advantage of a specific feature in Abracadabra’s stablecoin system, Magic Internet Money (MIM), which allowed them to borrow and subsequently liquidate funds in a way that bypassed standard collateral requirements.

根據區塊鏈專家Weilin Li的說法，攻擊者利用了Abracadabra的Stablecoin System，Magic Internet Money（MIM）的特定功能，這使他們能夠借用並以繞過標準旁邊要求的方式清算資金。

Li further explained that the attacker’s profits stemmed from incentives tied to liquidation events, ultimately ensuring the success of their exploit.

李進一步解釋說，攻擊者的利潤源於與清算事件相關的激勵措施，最終確保了他們的剝削成功。

GMX V2: Two-Step Trading Process and the Exploit Surface

GMX V2：兩步交易過程和利用表面

The exploit seems to have been made possible by a potential gap in GMX V2’s two-step trading process, designed to prevent front-running. This process involves "keepers," who handle order creation and fulfillment.

GMX V2的兩步交易過程中的潛在差距似乎使該漏洞利用成為可能，該過程旨在防止前線運行。此過程涉及處理訂單創建和實現的“守護者”。

The interval between placing an order and its execution might have provided the attacker with a chance to manipulate the system. However, despite this, GMX developers confirmed that their core contracts remained secure and unaffected by the breach.

下訂單及其執行之間的間隔可能為攻擊者提供了操縱系統的機會。但是，儘管如此，GMX開發人員確認他們的核心合同仍然安全，不受違規的影響。

A statement from a GMX developer clarified that the issue was tied to Abracadabra’s integration with GMX’s pools, not any weakness in GMX’s core system. The developer expressed their regret for the situation and assured the community that an investigation was underway to determine the exact cause of the exploit.

GMX開發人員的一份聲明澄清說，該問題與Abracadabra與GMX池的整合有關，而不是GMX的核心系統中的任何弱點。開發商對這種情況表示遺憾，並向社區保證，正在進行調查以確定剝削的確切原因。

Stolen Funds Moved to Ethereum

被盜的資金移至以太坊

Following the breach, the stolen funds were quickly bridged from Arbitrum, the layer 2 scaling solution, to the Ethereum mainnet. This event serves as a reminder of the vulnerabilities that can exist within the rapidly evolving world of decentralized finance.

違反後，被盜的資金從索賠（第2層縮放解決方案）迅速橋接到以太坊主網。這項事件提醒人們在分散財務的快速發展的世界中可能存在的脆弱性。

Earlier this year, another exploiter targeted Abracadabra’s MIM stablecoin, resulting in losses of nearly $6.5 million. The ongoing concerns regarding vulnerabilities in smart contract systems highlight the urgent need for more robust security practices in the DeFi space.

今年早些時候，另一位剝削者針對Abracadabra的Mim Stablecoin，導致損失近650萬美元。對智能合同系統中漏洞的持續擔憂突顯了在Defi空間中對更強大的安全實踐的迫切需求。