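Marco Croc, a security researcher at Kupia Security, discovered a critical reentrancy vulnerability in the DeFi protocol Curve Finance that could have led to the theft of millions. Curve Finance acknowledged the vulnerability and awarded Croc a $250,000 bounty for his key contribution. The incident highlights the persistent security threats in the DeFi space.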
Security Researcher Nets $250,000 Bounty for Uncovering Critical Vulnerability in Curve Finance Protocol
A dedicated security researcher has been handsomely rewarded for their astute discovery of a critical vulnerability in the Curve Finance decentralized finance (DeFi) protocol, a flaw that had previously enabled cybercriminals to pilfer millions from cryptocurrency ecosystems.
The vulnerability, meticulously analyzed and exposed by Marco Croc, a cybersecurity expert from Kupia Security, revolved around a reentrancy issue. This flaw could have been exploited to manipulate balances and siphon unauthorized funds from liquidity pools. Croc meticulously documented his findings in a series of posts on Medium, illuminating the potential risks and manipulations that could have been perpetrated due to the bug.
Curve Finance responded swiftly to the disclosure, promptly launching a thorough investigation into the matter. Recognizing the significant threat posed by the vulnerability, the protocol awarded Croc the highest possible bounty of $250,000 for his invaluable contribution.
"Curve Finance recognized the severity of the vulnerability," Croc remarked, underscoring the importance of the protocol's swift and decisive action.
While the protocol initially assessed the vulnerability as "not as dangerous," expressing confidence in its ability to retrieve any potentially stolen funds, Curve Finance acknowledged that the occurrence of such a security incident could have triggered widespread panic within the community.
This acknowledgment resonates with Curve Finance's recent recovery from a massive $62 million hack in July. In an effort to mitigate the impact on their users, the protocol and its community implemented comprehensive compensation measures.
Curve Finance resolved to reimburse $49.2 million worth of assets to affected liquidity providers (LPs). This decision was overwhelmingly endorsed by tokenholders, with an impressive 94% approving the disbursement to cover losses across multiple pools, including Curve, JPEG'd (JPEG), Alchemix (ALCX), and Metronome (MET).
The compensation proposal meticulously outlined the amounts to be recovered and redistributed: "The overall ETH to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55'544'782.73 CRV."
The attacker had capitalized on a bug residing in specific versions of the Vyper programming language. Versions 0.2.15, 0.2.16, and 0.3.0 were thus rendered susceptible to reentrancy attacks. This incident starkly underscores the persistent threats lurking within the DeFi landscape, emphasizing the imperative for implementing rigorous security measures.
Conclusion
The discovery and successful remediation of this critical vulnerability serve as a testament to the indispensable role of security researchers in safeguarding the burgeoning DeFi ecosystem. Protocols and their communities must prioritize robust security practices and reward those who contribute to enhancing the integrity of the digital asset landscape. By working together, we can mitigate risks, restore trust, and pave the way for the continued growth and adoption of decentralized finance.