abracadabra/spell defi漏洞利用加密协议的数百万美元

黑客设法从该平台的智能合同系统中耗尽了资金，称为“大锅”，价值约为1300万美元。

A DeFi exploiter has drained approximately $13 million from Abracadabra/Spell’s smart contract system, known as cauldrons, in an attack that took advantage of a vulnerability in the protocol’s integration with GMX V2’s liquidity pools, according to Peckshield.

根据Peckshield的说法，一名Defi Exploiter从Abracadabra/Spell的智能合同系统（称为Cauldrons）中排出了约1300万美元，这是一项攻击，利用了该协议与GMX V2的流动性池的脆弱性。

The security firm reports that the attacker stole over 6,200 ETH, exploiting a gap in the protocol’s smart contracts, which allowed them to siphon off a portion of the funds.

该安全公司报告说，攻击者偷走了超过6,200的ETH，利用了协议智能合约中的差距，这使他们能够从一部分资金中窃取一部分。

How the DeFi Exploit Took Place

如何发生Defi漏洞

Abracadabra/Spell’s cauldrons leverage liquidity from the GMX decentralized exchange to facilitate on-chain lending and borrowing. The attack appears to have been a well-crafted exploitation of the protocol’s interaction with GMX V2’s V2 liquidity pools.

Abracadabra/Spell的大锅利用GMX分散交易的流动性来促进链贷款和借贷。这次攻击似乎是对该协议与GMX V2的V2流动性池的互动进行精心制作的剥削。

Researchers suggest the attacker used a flash loan, a commonly employed DeFi strategy where users borrow funds without collateral, and manipulated the liquidation process within this context.

研究人员建议攻击者使用Flash Loan，这是一种常用的Defi策略，在这种情况下，用户借入资金，并在这种情况下操纵清算过程。

According to blockchain expert Weilin Li, the attacker took advantage of a specific feature in Abracadabra’s stablecoin system, Magic Internet Money (MIM), which allowed them to borrow and subsequently liquidate funds in a way that bypassed standard collateral requirements.

根据区块链专家Weilin Li的说法，攻击者利用了Abracadabra的Stablecoin System，Magic Internet Money（MIM）的特定功能，这使他们能够借用并以绕过标准旁边要求的方式清算资金。

Li further explained that the attacker’s profits stemmed from incentives tied to liquidation events, ultimately ensuring the success of their exploit.

李进一步解释说，攻击者的利润源于与清算事件相关的激励措施，最终确保了他们的剥削成功。

GMX V2: Two-Step Trading Process and the Exploit Surface

GMX V2：两步交易过程和利用表面

The exploit seems to have been made possible by a potential gap in GMX V2’s two-step trading process, designed to prevent front-running. This process involves "keepers," who handle order creation and fulfillment.

GMX V2的两步交易过程中的潜在差距似乎使该漏洞利用成为可能，该过程旨在防止前线运行。此过程涉及处理订单创建和实现的“守护者”。

The interval between placing an order and its execution might have provided the attacker with a chance to manipulate the system. However, despite this, GMX developers confirmed that their core contracts remained secure and unaffected by the breach.

下订单及其执行之间的间隔可能为攻击者提供了操纵系统的机会。但是，尽管如此，GMX开发人员确认他们的核心合同仍然安全，不受违规的影响。

A statement from a GMX developer clarified that the issue was tied to Abracadabra’s integration with GMX’s pools, not any weakness in GMX’s core system. The developer expressed their regret for the situation and assured the community that an investigation was underway to determine the exact cause of the exploit.

GMX开发人员的一份声明澄清说，该问题与Abracadabra与GMX池的整合有关，而不是GMX的核心系统中的任何弱点。开发商对这种情况表示遗憾，并向社区保证，正在进行调查以确定剥削的确切原因。

Stolen Funds Moved to Ethereum

被盗的资金移至以太坊

Following the breach, the stolen funds were quickly bridged from Arbitrum, the layer 2 scaling solution, to the Ethereum mainnet. This event serves as a reminder of the vulnerabilities that can exist within the rapidly evolving world of decentralized finance.

违反后，被盗的资金从索赔（第2层缩放解决方案）迅速桥接到以太坊主网。这项事件提醒人们在分散财务的快速发展的世界中可能存在的脆弱性。

Earlier this year, another exploiter targeted Abracadabra’s MIM stablecoin, resulting in losses of nearly $6.5 million. The ongoing concerns regarding vulnerabilities in smart contract systems highlight the urgent need for more robust security practices in the DeFi space.

今年早些时候，另一位剥削者针对Abracadabra的Mim Stablecoin，导致损失近650万美元。对智能合同系统中漏洞的持续担忧突显了在Defi空间中对更强大的安全实践的迫切需求。