二月份，分散的貨幣貸款協議Zklend的耗資960萬美元的黑客攻擊者聲稱他們剛剛成為網站網站的受害者

二月份，分散的貨幣貸款協議Zklend的耗資960萬美元的黑客攻擊者聲稱他們剛剛成為網站網站的受害者

The hacker who exploited decentralized money-lending protocol zkLend for $9.6 million in February claims to have fallen victim to a phishing website impersonating Tornado Cash.

這位黑客在2月以960萬美元的價格剝削了分散的貸款貸款協議Zklend聲稱已成為模擬龍捲風現金的網站網站的受害者。

The exploiter lost 2,930 Ether (ETH) from the stolen funds to the phishing website, according to a message sent to zkLend on Etherscan on March 31.

根據3月31日發送給Zklend的一條消息，該剝削者從被盜的資金損失了2,930 Ether（ETH）。

The zkLend thief sent 100 Ether at a time to an address named Tornado.Cash: Router in a series of March 31 transfers, finishing with three deposits of 10 Ether.

Zklend Thief一次將100 Ether送到一個名為Tornado的地址。 Cash：Router在3月31日的轉移中，以10件Ether的三個存款結束。

“Hello, I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused,” the hacker said.

黑客說：“您好，我試圖將資金搬到龍捲風，但我使用了網絡釣魚網站，所有資金都丟失了。我感到震驚。我為造成的所有破壞和損失感到非常抱歉。”

The hacker behind the zkLend exploit claims to have lost most of the funds to a phishing website posing as a front-end for Tornado Cash. Source: Etherscan

Zklend Exploit背後的黑客聲稱將大部分資金丟給了一個擺姿勢的網站，這是龍捲風現金的前端。資料來源：Etherscan

“All the 2,930 Eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money.”

“所有2,930個ETH都由該網站所有者採取。我沒有硬幣。請將您的努力重定向到那些現場所有者，以查看您是否可以收回一些錢。”

ZkLend responded by asking the hacker to “Return all the funds left in your wallets” to the zkLend wallet address. However, another 25 Ether was then sent to a wallet listed as Chainflip1.

Zklend的回應是要求黑客“將錢包中留下的所有資金歸還給Zklend Wallet地址。但是，然後將另外25個以太送到列為Chainflip1的錢包。

Earlier, another user warned the exploiter about the error, telling them, “don’t celebrate,” because all the funds were sent to the scam Tornado Cash URL.

此前，另一位用戶警告剝削者有關該錯誤的信息，並告訴他們“不要慶祝”，因為所有資金均已發送到騙局龍捲風現金URL。

“It is so devastating. Everything gone with one wrong website.”

“這是如此毀滅性。所有錯誤的網站都消失了。”

Another user warned the zkLend exploiter about the mistake, but it was too late. Source: Etherscan

另一位用戶警告Zklend剝削者有關錯誤的信息，但為時已晚。資料來源：Etherscan

How zkLend was exploited for $9.6 million

Zklend如何以960萬美元的價格利用

ZkLend suffered an empty market exploit on Feb. 11 when an attacker used a small deposit and flash loans to inflate the lending accumulator, according to the protocol’s Feb. 14 post-mortem.

根據該協議後2月14日，Zklend在2月11日使用少量存款和Flash貸款來膨脹貸款蓄能器時，Zklend遭受了空曠的市場利用。

The hacker then repeatedly deposited and withdrew funds, exploiting rounding errors that became significant due to the inflated accumulator.

然後，黑客反复沉積並撤回了資金，利用了由於累加器膨脹而變得重大的捨入錯誤。

The attacker bridged the stolen funds to Ethereum and later failed to launder them through Railgun after protocol policies returned them to the original address.

攻擊者將被盜的資金橋接給以太坊，後來在協議政策將其返回原始地址後未能通過鐵路槍洗牌。

Following the exploit, zkLend proposed the hacker could keep 10% of the funds as a bounty and offered to release the culprit from legal liability and scrutiny from law enforcement if the remaining Ether was returned.

Zklend提出，黑客可以將10％的資金保留為賞金，並提議將罪魁禍首從法律責任和執法部門的審查中釋放出罪魁禍首，如果剩下的以太股還歸還。

Related: DeFi protocol SIR.trading loses entire $355K TVL in ‘worst news’ possible

相關：defi協議先生。交易在“最糟糕的新聞”中損失了整個$ 355K TVL

The offer deadline of Feb. 14 passed with no public response from either party. In a Feb. 19 update to X, zkLend said it was now offering a $500,000 bounty for any verifiable information that could lead to the hacker being arrested and the funds recovered.

2月14日的報價截止日期通過，沒有任何一方的公眾回應。 Zklend在2月19日對X的更新中表示，現在為任何可驗證的信息提供了500,000美元的賞金，這些信息可能會導致黑客被捕並收回了資金。

Losses to crypto scams, exploits and hacks totaled over $33 million, according to blockchain security firm CertiK, but dropped to $28 million after decentralized exchange aggregator 1inch successfully recovered its stolen funds.

根據區塊鏈安全公司Certik的說法，對加密騙局，漏洞和黑客的損失總計超過3,300萬美元，但在分散的交易所聚合器1英寸成功收回了被盜的資金後，損失到2800萬美元。

Losses to crypto scams, exploits and hacks totaled nearly $1.53 billion in February. The $1.4 billion Feb. 21 attack on Bybit by North Korea’s Lazarus Group made up the lion’s share and took the title for largest crypto hack ever, doubling the $650 million Ronin bridge hack in March 2022.

2月，加密騙局，漏洞和黑客一次成損失近15.3億美元。 2月21日耗資14億美元的朝鮮拉撒路集團對拜比特的襲擊構成了獅子的份額，並獲得了有史以來最大的加密貨幣hack的冠軍，這使2022年3月的6.5億美元羅寧橋黑客翻了一番。