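On May 14, CertiK reported that $4.3 million was withdrawn from the BNB Smart Chain-based Alex protocol bridge following a suspicious contract upgrade. The upgrade was executed by the protocol's deployer account and involved replacing the implementation address with unverified bytecode. The funds were then transferred to an unknown address, raising concerns about a possible private key compromise.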
Alex Bridge Exploited for $4.3 Million in Suspicious Withdrawals
May 14, 2023 - The Alex protocol bridge, a gateway connecting the Bitcoin layer-2 protocol to other networks, has fallen victim to a sophisticated exploit, resulting in the loss of approximately $4.3 million in digital assets.
Blockchain security platform CertiK released a report on May 14, detailing the incident that occurred just hours after the bridge's contract was mysteriously upgraded five times in rapid succession. The upgrades, initiated by the protocol's deployer account, raised immediate concerns of a potential private key compromise.
The new implementation address, ending in 7058, contained unverified bytecode, rendering it indecipherable to human readers. Within an hour of the upgrades, the proxy address for the bridge contract executed an unverified function on an address ending in 4848E. This action triggered the transfer of a substantial amount of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) from the BNB Smart Chain leg of the bridge into the 484E address.
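The pattern CertiK describes (several upgrades in quick succession, an unverified implementation, then a large outflow within the hour) can be watched for on a proxy's decoded event stream. The following is an added example, not code from CertiK or the Alex project; the event shape, labels, thresholds and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: int            # block timestamp, seconds
    kind: str          # "upgrade" or "transfer_out"
    detail: str        # new implementation label, or token symbol
    usd: float = 0.0   # estimated USD value for transfer_out events

def review_proxy_activity(events, verified_impls, burst_count=3,
                          burst_window=3600, drain_window=3600,
                          drain_usd=100_000):
    """Return alert strings for one proxy's decoded event stream."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    upgrades = [e for e in events if e.kind == "upgrade"]
    # 1. Any upgrade to an implementation with no verified source.
    for u in upgrades:
        if u.detail not in verified_impls:
            alerts.append(f"unverified-impl:{u.detail}@{u.ts}")
    # 2. Burst: burst_count or more upgrades inside burst_window seconds.
    for i in range(len(upgrades) - burst_count + 1):
        span = upgrades[i + burst_count - 1].ts - upgrades[i].ts
        if span <= burst_window:
            alerts.append(f"upgrade-burst:{burst_count}-in-{span}s@{upgrades[i].ts}")
            break
    # 3. Large outflow within drain_window seconds after any upgrade.
    for t in (e for e in events if e.kind == "transfer_out"):
        prior = [u for u in upgrades if 0 <= t.ts - u.ts <= drain_window]
        if prior and t.usd >= drain_usd:
            alerts.append(f"post-upgrade-outflow:{t.detail}:{int(t.usd)}@{t.ts}")
    return alerts

# Constructed sample: five upgrades in rapid succession, then outflows
# within the hour. Labels, timestamps and USD values are made up.
SAMPLE = [Event(1000 + 120 * i, "upgrade", f"impl-{i}") for i in range(5)] + [
    Event(3000, "transfer_out", "BTCB", 2_000_000.0),
    Event(3060, "transfer_out", "USDC", 500_000.0),
    Event(90_000, "transfer_out", "USDC", 250_000.0),  # long after: no alert
]
VERIFIED = {"impl-0"}  # assumption: verification status looked up elsewhere

if __name__ == "__main__":
    for a in review_proxy_activity(SAMPLE, VERIFIED):
        print(a)
```

In practice the three checks would feed a pager or an automatic pause on the bridge, since the window between upgrade and withdrawal in this incident was under an hour.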
The attacker's motive appears to extend beyond the BNB Smart Chain network. At 5:41 pm UTC, minutes after the exploit on BNB Smart Chain, a similar series of upgrades occurred on Ethereum. The deployer upgraded the "artist address" to an unverified contract, followed by an attempt to withdraw funds from the "team address" by an account ending in 05ed. However, the withdrawal attempts failed, returning a "not owner" error.
The 05ed account, which exhibited no activity before May 10, raised suspicions of malicious intent. Its creation of three unverified contracts within a short period suggested control by a malicious actor.
At the time of this report's publication, the Alex team had yet to confirm the exploit or comment on the incident. The attack marks a growing trend of protocol exploits in the decentralized finance (DeFi) space, with Equalizer and Gnus.ai reporting losses exceeding $3.5 million combined in May alone.
The Alex bridge incident highlights the ongoing security risks associated with DeFi platforms and the need for robust security measures to protect user funds. CertiK's comprehensive investigation underscores the importance of thorough audits and regular security reviews to identify and mitigate potential vulnerabilities.
The incident serves as a stark reminder that the security of DeFi platforms is paramount, and users should exercise due diligence in selecting and interacting with protocols. Developers must prioritize the implementation of rigorous security protocols and transparency to instill trust and confidence among users.