Security researcher Marco Croc received a $250,000 reward for discovering a vulnerability in Curve Finance that could have allowed attackers to drain millions of dollars. The flaw was a reentrancy vulnerability that could be used to manipulate balances and withdraw funds from liquidity pools. Curve Finance acknowledged the severity of the vulnerability and awarded Croc its maximum bug bounty.
Researcher Uncovers Critical Crypto Protocol Vulnerability, Earns $250,000 Bounty
New York, NY - [Date] - Security researcher Marco Croc, operating under the pseudonym Kupia Security, has been awarded a $250,000 bug bounty for identifying a reentrancy vulnerability within the Curve Finance decentralized finance (DeFi) protocol. This class of flaw has been implicated in several high-profile crypto hacks, resulting in the illicit withdrawal of millions of dollars.
In a detailed analysis posted in a thread on X, Croc laid bare the mechanics of the bug, demonstrating how it could be exploited to manipulate account balances and extract funds from liquidity pools. Curve Finance promptly acknowledged the security flaw and deemed the vulnerability to be of the utmost severity.
Following a thorough investigation, Curve Finance awarded Croc the maximum allowable bug bounty of $250,000. "Curve recognized the severity of the vulnerability and acted swiftly to address it," Croc remarked.
Despite the critical nature of the flaw, Curve Finance expressed confidence that its security infrastructure would have mitigated any potential losses. Nonetheless, the protocol emphasized the potentially severe consequences of a full-blown security breach.
"While we believe our system would have ultimately recovered the funds in case of a breach, any security incident has the potential to cause significant panic in the market," Curve Finance stated.
This revelation comes on the heels of Curve Finance's recovery from a $62 million hack in July 2022. In response to the incident, the protocol implemented a reimbursement plan totaling $49.2 million in assets to liquidity providers (LPs).
On-chain data reveals that 94% of token holders approved the disbursement of over $49.2 million to compensate for losses incurred by the Curve, JPEG'd (JPEG), Alchemix (ALCX), and Metronome (MET) pools. The Curve DAO (CRV) tokens were allocated from the community fund, and the final payout was reduced by the tokens already retrieved since the hack.
"The overall ETH (ETH) to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV, and the total to distribute was calculated as 55'544'782.73 CRV," the proposal outlined.
The vulnerability exploited by the attacker stemmed from stable pools that utilized certain versions of the Vyper programming language. Versions 0.2.15, 0.2.16, and 0.3.0 were found to be susceptible to reentrancy attacks, a common tactic used in DeFi hacks.
Croc's discovery underscores the ongoing challenges faced by the crypto industry in guarding against cyber threats. While protocols like Curve Finance invest heavily in security measures, vulnerabilities can still arise, putting user funds at risk.
The $250,000 bounty awarded to Croc serves as a testament to the importance of responsible disclosure and ethical hacking in safeguarding the crypto ecosystem. By uncovering and reporting critical flaws, researchers like Croc play a vital role in protecting the integrity of the industry and ensuring the safety of user assets.