Alex Protocol Bridge 遭黑客攻击，损失 430 万美元

根据 CertiK 的报告，BNB 智能链上的 Alex 协议桥在可疑升级后遭受了 430 万美元的攻击。升级由协议部署者执行，跨网络转移资产。同样，以太坊上的 Alex 桥也进行了升级，有一个未知账户尝试提款。 Alex 团队尚未做出回应。

Alex Protocol Bridge Hack: $4.3 Million Exploited in Suspicious Withdrawals

Alex Protocol Bridge 黑客攻击：可疑提款被利用 430 万美元

On May 14th, the blockchain security platform CertiK reported a major security breach involving the Alex protocol bridge on the BNB Smart Chain network, resulting in malicious withdrawals totaling $4.3 million.

5 月 14 日，区块链安全平台 CertiK 报告称，BNB 智能链网络上的 Alex 协议桥发生重大安全漏洞，造成总计 430 万美元的恶意提款。

Alex, a Bitcoin layer-2 protocol, facilitates decentralized finance applications on the Bitcoin network. Its bridges serve as gateways for transferring assets between Bitcoin and other blockchain networks, such as BNB Smart Chain and Ethereum.

Alex 是比特币第 2 层协议，促进比特币网络上的去中心化金融应用程序。它的桥梁充当比特币和其他区块链网络（例如 BNB 智能链和以太坊）之间转移资产的网关。

Blockchain data analysis reveals that the Alex deployer account executed five identical upgrades to the "Bridge Endpoint" contract on BNB Smart Chain starting at 3:56 pm UTC. Following these upgrades, approximately $4.3 million worth of Binance-Pegged Bitcoin (BTCUSD), USD Coin (USDCUSD), and Sugar Kingdom Odyssey (SKO) tokens were siphoned from the bridge's BNB Smart Chain side.

区块链数据分析显示，Alex 部署者帐户从世界标准时间下午 3:56 开始，对 BNB 智能链上的“Bridge Endpoint”合约执行了五次相同的升级。在这些升级之后，价值约 430 万美元的币安挂钩比特币 (BTCUSD)、美元硬币 (USDCUSD) 和 Sugar Kingdom Odyssey (SKO) 代币从桥的 BNB 智能链一侧被抽走。

CertiK's investigation suggests that the incident was likely orchestrated through a "possible private key compromise," as the upgrades were initiated by the protocol's deployer account.

CertiK 的调查表明，该事件很可能是通过“可能的私钥泄露”精心策划的，因为升级是由协议的部署者帐户发起的。

The upgrade transaction modified the implementation address to one ending in 7058. This new implementation comprised unverified bytecode, rendering it unreadable to humans.

升级事务将实现地址修改为以 7058 结尾的地址。这一新实现包含未经验证的字节码，使其无法被人类读取。

Approximately 48 minutes after the initiation of these upgrades, the proxy address for the bridge contract invoked an unverified function on an address ending in 4848E. This resulted in the transfer of 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC to the 484E address at 4:44 pm.

这些升级开始后大约 48 分钟，桥接合约的代理地址在以 4848E 结尾的地址上调用了未经验证的函数。这导致 16 BTC（按当前价格计算为 983,000 美元）、270 万个 SKO（75,000 美元）和价值 330 万美元的 USDC 于下午 4:44 转移到 484E 地址。

The attacker's intentions may extend beyond the BNB Smart Chain network. At 5:41 pm, shortly after the suspicious upgrade on BNB Smart Chain, a similar series of Alex upgrades occurred on Ethereum. In this instance, the deployer upgraded the "artist address" to an unverified contract. Immediately afterward, an account ending in 05ed attempted to withdraw funds from the "team address." However, these withdrawals failed, eliciting a "not owner" error.

攻击者的意图可能超出 BNB 智能链网络。下午 5:41，BNB 智能链可疑升级后不久，以太坊上也发生了一系列类似的 Alex 升级。在本例中，部署者将“艺术家地址”升级为未经验证的合约。紧接着，一个以 05ed 结尾的账户试图从“团队地址”提取资金。然而，这些提款失败，引发“非所有者”错误。

The 05ed account, with no prior transaction history before May 10th, has since created three unverified contracts, raising concerns that it might be controlled by a malicious actor.

05ed 账户在 5 月 10 日之前没有任何交易历史，此后创建了三个未经验证的合约，引发了人们对其可能被恶意行为者控制的担忧。

As of the time of publication, the Alex team has not publicly acknowledged the exploit or provided any official statement regarding the incident.

截至发稿时，Alex 团队尚未公开承认该漏洞，也没有就该事件提供任何官方声明。

The Alex bridge hack is not an isolated event. In recent weeks, several other protocols have fallen victim to potential exploits. On May 13th, decentralized exchange Equalizer reported the theft of over 2,000 of its native tokens, which were gradually siphoned off in small increments over several days. Moreover, the Gnus.ai hack on May 6th resulted in losses exceeding $1.27 million.

亚历克斯桥被黑客攻击并不是一个孤立的事件。最近几周，其他几个协议也成为了潜在漏洞的受害者。 5 月 13 日，去中心化交易所 Equalizer 报告称，其 2,000 多个原生代币被盗，这些代币在几天内逐渐被小幅吸走。此外，5 月 6 日的 Gnus.ai 黑客攻击造成的损失超过 127 万美元。

These incidents highlight the growing prevalence of security breaches in the burgeoning decentralized finance ecosystem. It is imperative that protocol developers prioritize robust security measures and conduct thorough audits to minimize the risk of exploits and protect user funds.

这些事件突显了新兴的去中心化金融生态系统中安全漏洞日益普遍。协议开发人员必须优先考虑强有力的安全措施并进行彻底的审核，以最大限度地降低被利用的风险并保护用户资金。