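According to a CertiK report, the Alex protocol bridge on BNB Smart Chain suffered a $4.3 million attack following a suspicious upgrade. The upgrade was executed by the protocol's deployer, and assets were transferred across networks. Similarly, the Alex bridge on Ethereum was also upgraded, and an unknown account attempted a withdrawal. The Alex team has not yet responded.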
Alex Protocol Bridge Hack: $4.3 Million Exploited in Suspicious Withdrawals
On May 14th, the blockchain security platform CertiK reported a major security breach involving the Alex protocol bridge on the BNB Smart Chain network, resulting in malicious withdrawals totaling $4.3 million.
Alex, a Bitcoin layer-2 protocol, facilitates decentralized finance applications on the Bitcoin network. Its bridges serve as gateways for transferring assets between Bitcoin and other blockchain networks, such as BNB Smart Chain and Ethereum.
Blockchain data analysis reveals that the Alex deployer account executed five identical upgrades to the "Bridge Endpoint" contract on BNB Smart Chain starting at 3:56 pm UTC. Following these upgrades, approximately $4.3 million worth of Binance-Pegged Bitcoin (BTCUSD), USD Coin (USDCUSD), and Sugar Kingdom Odyssey (SKO) tokens were siphoned from the bridge's BNB Smart Chain side.
CertiK's investigation suggests that the incident was likely orchestrated through a "possible private key compromise," as the upgrades were initiated by the protocol's deployer account.
The upgrade transaction modified the implementation address to one ending in 7058. This new implementation comprised unverified bytecode, rendering it unreadable to humans.
Approximately 48 minutes after the initiation of these upgrades, the proxy address for the bridge contract invoked an unverified function on an address ending in 4848E. This resulted in the transfer of 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC to the 484E address at 4:44 pm.
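As an added illustration (not code from CertiK, Alex, or the original article), the sequence reported above can be written as a monitoring rule: alert when a proxy's implementation changes to one that is not on a reviewed allowlist, when upgrades arrive in a burst, and when large outflows follow such an upgrade. The event shape, thresholds, allowlist and every address string are assumptions, and events are assumed to be already decoded from chain logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str          # "Upgraded" (implementation change) or "Transfer" (outflow from proxy)
    proxy: str         # proxy contract the event concerns
    detail: str        # new implementation address, or transfer recipient
    usd: float = 0.0   # value of a transfer at detection time

def detect(events, verified_impls, burst=3, burst_window=timedelta(minutes=10),
           drain_window=timedelta(hours=2), drain_usd=50_000):
    """Return (time, rule, proxy, detail) alerts in chronological order."""
    alerts, upgrades, suspect_since = [], {}, {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "Upgraded":
            recent = [t for t in upgrades.get(ev.proxy, []) if ev.time - t <= burst_window]
            recent.append(ev.time)
            upgrades[ev.proxy] = recent
            if ev.detail in verified_impls:
                suspect_since.pop(ev.proxy, None)   # rolled back to reviewed code
            else:
                alerts.append((ev.time, "unverified-implementation", ev.proxy, ev.detail))
                suspect_since.setdefault(ev.proxy, ev.time)
            if len(recent) == burst:                # fire once when the burst size is reached
                alerts.append((ev.time, "upgrade-burst", ev.proxy, ev.detail))
        elif ev.kind == "Transfer":
            start = suspect_since.get(ev.proxy)
            if start is not None and ev.time - start <= drain_window and ev.usd >= drain_usd:
                alerts.append((ev.time, "outflow-after-suspect-upgrade", ev.proxy, ev.detail))
    return alerts

# Constructed sample. Clock times and USD values follow the article; the date, the
# spacing of the five upgrades and every address string are placeholders.
def at(h, m): return datetime(1970, 1, 1, h, m)
PROXY, VERIFIED = "0xBRIDGE_PROXY", {"0xIMPL_AUDITED"}
SAMPLE = [Event(at(15, 0), "Transfer", PROXY, "0xUSER", 200_000)]   # normal bridge traffic
SAMPLE += [Event(at(15, 56) + timedelta(seconds=40 * i), "Upgraded", PROXY,
                 "0xIMPL_ENDING_7058") for i in range(5)]
SAMPLE += [Event(at(16, 44), "Transfer", PROXY, "0xRECIPIENT", usd)
           for usd in (983_000, 75_000, 3_300_000)]                 # BTC, SKO, USDC

def run_sample():
    return detect(SAMPLE, VERIFIED)

if __name__ == "__main__":
    for t, rule, proxy, detail in run_sample():
        print(t.strftime("%H:%M:%S"), rule, proxy, detail)
```

On this sample the first alert fires at the first upgrade, roughly 48 minutes before the outflows, which is the window in which a pause or key rotation could still have acted.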
The attacker's intentions may extend beyond the BNB Smart Chain network. At 5:41 pm, shortly after the suspicious upgrade on BNB Smart Chain, a similar series of Alex upgrades occurred on Ethereum. In this instance, the deployer upgraded the "artist address" to an unverified contract. Immediately afterward, an account ending in 05ed attempted to withdraw funds from the "team address." However, these withdrawals failed, eliciting a "not owner" error.
The 05ed account, with no prior transaction history before May 10th, has since created three unverified contracts, raising concerns that it might be controlled by a malicious actor.
As of the time of publication, the Alex team has not publicly acknowledged the exploit or provided any official statement regarding the incident.
The Alex bridge hack is not an isolated event. In recent weeks, several other protocols have fallen victim to potential exploits. On May 13th, decentralized exchange Equalizer reported the theft of over 2,000 of its native tokens, which were gradually siphoned off in small increments over several days. Moreover, the Gnus.ai hack on May 6th resulted in losses exceeding $1.27 million.
These incidents highlight the growing prevalence of security breaches in the burgeoning decentralized finance ecosystem. It is imperative that protocol developers prioritize robust security measures and conduct thorough audits to minimize the risk of exploits and protect user funds.