A ‘periphery’ contract of the decentralized finance (DeFi) sector’s biggest lending platform, Aave, was hacked for a total of $56,000 earlier today.
Aave, which contains assets worth over $11 billion according to data from DeFiLlama, has made clear that the attack, which began around 04:30 UTC, placed no user funds at risk. Founder Stani Kulechov and governance delegate Marc Zeller both took to Twitter to reassure users.
A periphery contract of @AAVE is hacked due to an arbitrary call/logic error. Most user funds are SAFU
Fuzzland’s Chaofan Shou identified the cause of the hack, pointing to transactions on four networks: Ethereum, Arbitrum, Polygon, and Optimism. He estimated the total funds at risk to be around $70,000.
According to analysis by security firm QuillAudits, the losses to attacks on the above networks totaled approximately $51,000. A further attack on Avalanche netted around $5,000. Funds were forwarded to a holding address on all networks.
The affected periphery contract, ParaSwapRepayAdapter, isn’t part of the core Aave protocol and appears not to have been audited. It allows users to repay borrow positions using existing collateral, swapping assets via decentralized exchange ParaSwap.
While the contract itself isn’t designed to hold user funds, the positive slippage on swaps leads to a gradual accrual of any leftover tokens.
In response to questions about the origin of the funds stolen, Aave delegate Marc Zeller said, “Someone raided the tip jar.”
Aave development contributor BGD Labs later responded with more detail, informing users that losses were limited to the affected contracts and couldn’t spread to the wider protocol. The post also highlights that there’s no risk of a token approval-related attack.
Today, a series of transactions across different networks were detected showing what looked like an exploit on some Aave peripheral contracts (not part of the Aave Protocol itself). Before any further detailed report, we would like to clarify the following for transparency…
Two days ago, Euler Finance founder Michael Bently accused Aave of sweeping “major security issues” under the rug, in response to Kulechov’s teasing over Euler’s $200 million hack in March last year.
The comments, made in popular DeFi Telegram community LobsterDAO, resurfaced after today’s news, devolving into an argument between the two lending protocols.
Bently accused the Aave team of “celebrating and tweeting misinformation” shortly after Euler was drained, as well as claiming that Aave is held to different security standards by the community at large.
In November 2023, a reported security incident led to a number of Aave pools being paused, but full details remained unpublished, citing concern for potentially vulnerable ‘forks’.
However, plenty of Aave forks have been hacked in the past, with little sympathy from the original protocol.
Today we received a report of an issue on a certain feature of the Aave Protocol. After validation by community developers, the guardian has taken the following temporary prevention measure (no funds are at risk):
Kulechov dismissed his own earlier comment as “shitposting” while downplaying today’s event as “basically a tip jar arbed.” Then referring to Bently’s “tiring” talk of the upcoming Euler v2, Kulechov snapped “go build it and fuck off.”
Aave is certainly no stranger to heated relationships with other organizations in DeFi. Earlier this year, risk management team Gauntlet decided to leave the protocol after frustrations boiled over.