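A decentralized finance (DeFi) protocol was exploited for $3.8 million due to a vulnerability in its non-fungible token (NFT) liquidation contract.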
DeFi protocol Onyx has lost $3.8 million in a new attack, which was largely enabled by a known vulnerability in Compound Finance’s v2 codebase.
The blockchain security firm PeckShield identified that the attacker exploited a vulnerability in the NFT liquidation contract. The vulnerability is present in Compound Finance's v2 codebase, which is used by several DeFi protocols.
The vulnerability can be exploited when a DeFi protocol has an “empty market” — a market with no liquidity, which usually happens when launching new markets.
The attacker drained 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 in the DAI stablecoin, and $50,000 in the USDT stablecoin, totaling over $3.8 million in losses.
A previous attack on Onyx, in October 2023, was also enabled by the same vulnerability in the Compound Finance codebase. Another exploitation occurred at Hundred Finance, which was attacked in April 2023.
The DeFi protocol later acknowledged the faulty NFT contract as the primary cause of the attack, while the Compound vulnerability played a role.
According to PeckShield, the contract failed to validate user input properly, which allowed the attacker to inflate self-liquidation rewards and drain funds.
DeFi exploits have become a pressing issue in Web3, with several protocols being attacked in 2024. Just days before the Onyx attack, Bedrock, a liquid staking protocol, lost over $2 million due to a vulnerability in its uniBTC contract.
Another protocol, Bankroll Network, suffered a $230,000 loss when an attacker exploited a faulty “buyFor” function.
After stealing the funds, attackers often convert them into Ether to launder the funds through cryptocurrency mixers like Tornado Cash, which complicates the efforts of cybersecurity firms to trace the stolen funds.
Crypto hacks have been escalating in 2024, with the first quarter seeing $542.7 million stolen, a 42% increase from the same period in 2023. July was particularly severe, with over $266 million stolen across 16 attacks.
This includes a $230 million theft from Indian exchange WazirX, which was the second-largest hack of the year so far.
The WazirX hacker has been attempting to funnel the stolen funds, consolidating $57 million worth of ETH into new addresses by July 22.
Most recently, Singapore-based cryptocurrency exchange BingX’s estimated loss from a suspected hack on Friday more than doubled to over $52 million, following further investigations.