Two decentralized finance (DeFi) protocols were hacked on Friday for a combined total of over $5 million, while compromised wallets saw a further $5 million drained on Wednesday.
While the founders of two OG protocols, Aave and Maker (now Sky), enjoyed a game of Starcraft and reveled in a “DeFi renaissance moment,” some of the sector’s less well-established projects were going down in history for the wrong reasons.
Repeat DeFi hack or a new bug?
First up was Onyx Protocol, whose $3.8 million loss was initially thought to be a repeat of the well-known bug that drained $2.1 million from the project toward the back end of last year.
Hi @OnyxDAO, you may want to take a look pic.twitter.com/fcU6fHP4jr
Read more: Compound DAO asleep at the wheel as $25M governance ‘attack’ passes
Onyx is a fork of Compound Finance, which contains an infamous vulnerability in which freshly-launched, empty lending markets are briefly left open to a price manipulation attack, if not handled correctly.
Given the popularity of Compound’s v2 codebase with fast-forking DeFi devs, the bug is exploited with alarming regularity across the sector, and was initially identified as having been the cause of Onyx’s latest loss.
However, as the team pointed out in a ‘post-mortem’ thread on X (formerly Twitter), this time the vulnerability also lay in the platform’s ‘NFT Liquidation contract.’ The attacker was able to drain the vUSD stablecoin, which was then sold off, causing it to depeg.
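The empty-market weakness described above, as an added example (not Onyx's or Compound's own code): a model of the Compound v2 cToken exchange rate that shows why a near-empty market lets a single donation of underlying swing the rate by orders of magnitude, together with a listing-time check as mitigation. The initial rate and the minimum seed supply are constructed values.

```python
# Added example, not Onyx's or Compound's code: model of the Compound v2
# cToken exchange rate and a listing-time check against empty markets.
from dataclasses import dataclass

MANTISSA = 10**18           # Compound's 1e18 fixed-point scale

@dataclass(frozen=True)
class Market:
    cash: int               # underlying held by the cToken contract
    borrows: int            # outstanding borrows
    reserves: int           # protocol reserves
    total_supply: int       # cToken supply
    # initialExchangeRateMantissa; 2e26 is typical for an 18-decimal
    # underlying with an 8-decimal cToken (constructed for this example)
    initial_rate: int = 2 * 10**26

def exchange_rate(m: Market) -> int:
    """Compound v2: (cash + borrows - reserves) * 1e18 / totalSupply,
    or the configured initial rate while the market has no supply."""
    if m.total_supply == 0:
        return m.initial_rate
    return (m.cash + m.borrows - m.reserves) * MANTISSA // m.total_supply

def collateral_value(m: Market, ctokens: int) -> int:
    """Underlying credited for `ctokens` (before price and collateral factor)."""
    return ctokens * exchange_rate(m) // MANTISSA

def donate(m: Market, amount: int) -> Market:
    """Sending underlying straight to the cToken raises cash without minting."""
    return Market(m.cash + amount, m.borrows, m.reserves, m.total_supply, m.initial_rate)

def rate_sensitivity(m: Market, donation: int) -> float:
    """Factor by which the exchange rate grows if `donation` underlying is dropped in."""
    return exchange_rate(donate(m, donation)) / exchange_rate(m)

# Constructed listing policy: do not enable a market as collateral until at
# least this many cTokens have been minted and locked by the protocol.
MIN_SEED_SUPPLY = 10**8

def safe_to_enable_collateral(m: Market) -> bool:
    return m.total_supply >= MIN_SEED_SUPPLY

if __name__ == "__main__":
    thin = Market(cash=2 * 10**8, borrows=0, reserves=0, total_supply=1)
    seeded = Market(cash=2 * 10**18, borrows=0, reserves=0, total_supply=10**10)
    one_eth = 10**18
    print(f"thin market: 1 ETH donation multiplies rate by {rate_sensitivity(thin, one_eth):.2e}")
    print(f"seeded market: 1 ETH donation multiplies rate by {rate_sensitivity(seeded, one_eth)}")
```

The thin market's single cToken unit is credited with roughly 1 ETH of collateral after the donation, while the seeded market's rate barely moves, which is why forks are advised to seed and lock liquidity before enabling a new market.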
Something’s not adding up
Next came ‘bitcoin restaking’ protocol Bedrock, which appeared to be overly bullish on ETH, costing it around $2 million.
uniBTC by @Bedrock_DeFi was exploited today. The vulnerability allowed for you to mint uniBTC with eth! This function was likely leftover from the uniETH implementation 😅 @spreekaway pic.twitter.com/Xj69wQg2GX
Read more: ‘Cryptographic performance art’ drains contract one block after launch
The faulty code allowed users to mint Bedrock’s uniBTC token at a 1:1 ratio with staked ETH tokens, not taking into account the price difference between the two assets (valued at the time at approximately $65,000 vs $2,650, respectively).
The uniBTC tokens were then sold off for an alternative wrapped bitcoin token, for a return of almost 25x.
Crypto security auditor Dedaub claims to have identified the vulnerability in advance, stating that such a simple bug could be discovered and exploited automatically by ‘fuzzing bots.’
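The 1:1 mint bug and the kind of automated check Dedaub refers to, as an added example (not Bedrock's or Dedaub's code): a value-conservation property fuzzed over a model of the mint function, with the vulnerable path beside the fixed one. Token names and USD prices are constructed from the figures quoted in the article.

```python
# Added example, not Bedrock's or Dedaub's code: the value-conservation
# property a fuzzing bot would check on a wrapped-BTC mint function.
import random

# Constructed prices, roughly the figures quoted in the article
PRICE_USD = {"WBTC": 65_000.0, "FBTC": 65_000.0, "ETH": 2_650.0}
BTC_BACKED = {"WBTC", "FBTC"}
UNIBTC_PEG_USD = 65_000.0        # uniBTC is meant to track one bitcoin

def mint_vulnerable(token: str, amount: float) -> float:
    """Mints uniBTC 1:1 for any listed asset. The ETH branch, left over
    from a uniETH-style implementation, ignores the price difference."""
    if token not in PRICE_USD:
        raise ValueError("unsupported token")
    return amount

def mint_fixed(token: str, amount: float) -> float:
    """Only BTC-backed collateral may mint, so 1:1 preserves value."""
    if token not in BTC_BACKED:
        raise ValueError("only BTC-backed collateral may mint uniBTC")
    return amount

def value_conserved(mint, token: str, amount: float) -> bool:
    """Invariant: USD value minted never exceeds USD value deposited.
    A rejected deposit trivially satisfies it."""
    try:
        minted = mint(token, amount)
    except ValueError:
        return True
    return minted * UNIBTC_PEG_USD <= amount * PRICE_USD[token] * (1 + 1e-9)

def fuzz(mint, trials: int = 1000, seed: int = 0) -> list:
    """Random deposits over every listed token; returns the counterexamples."""
    rng = random.Random(seed)
    failures = []
    for _ in range(trials):
        token = rng.choice(sorted(PRICE_USD))
        amount = rng.uniform(0.001, 100.0)
        if not value_conserved(mint, token, amount):
            failures.append((token, amount))
    return failures

if __name__ == "__main__":
    bad = fuzz(mint_vulnerable)
    print(f"vulnerable mint: {len(bad)} counterexamples, e.g. {bad[0]}")
    print(f"fixed mint: {len(fuzz(mint_fixed))} counterexamples")
```

Every counterexample the fuzzer finds against the vulnerable mint involves ETH, and the fixed version produces none, which is the property a pre-deployment test suite should encode.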
Dedaub says it warned the Bedrock team two hours before the attack but received no response, owing to time zone differences. However, by raising the issue separately with Pendle, a platform with $30 million of exposure to uniBTC, further losses were successfully averted.
The Bedrock team responded to the incident, reassuring users that all uniBTC collateral remains intact. It estimated the losses at “approximately $2 million (mostly in DEX LPs),” adding that a “comprehensive reimbursement plan is being finalized.”
Compromised keys?
On Wednesday, real-world-asset-focused Truflation warned of “some abnormal activity,” which it attributed to a malware attack.
On September 25th, 2024, the Truflation team detected some abnormal activity. An attacker launched an attack using malware. We are currently monitoring the situation and are taking measures to protect funds while we are investigating and working with law enforcement. The…
Read more: Chelsea FC sponsor BingX tried to hide $40M hack behind ‘wallet maintenance’
Blockchain investigator ZachXBT traced total losses of over $5 million from addresses identified as the project’s “treasury multisig and personal wallets,” providing a list of addresses via his Investigations Telegram channel.
While the initial disclosure was scant on details, it does mention a reward to any whitehats able to aid the investigation. This was followed up with an on-chain message to the hacker, offering a 10% ‘bounty’ for the return of the funds.
Assuming funds aren’t returned before 8am (UTC) on Saturday, the bounty will be opened up to the public in return for information leading to a conviction.