DeFi Exploits Keep Escalating in Web3 as Onyx Is Exploited for $3.8 Million

2024/09/28 01:19

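A decentralized finance (DeFi) protocol was exploited for $3.8 million because of a vulnerability in its non-fungible token (NFT) liquidation contract.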


DeFi protocol Onyx has lost $3.8 million in a new attack that was largely enabled by a known vulnerability in Compound Finance's v2 codebase.


Blockchain security firm PeckShield identified the attacker's use of a vulnerability in the NFT liquidation contract, which led to the exploit. The vulnerability is present in Compound Finance's v2 codebase, which is used by several DeFi protocols.


The vulnerability can be exploited when a DeFi protocol has an “empty market” — a market with no liquidity, which usually happens when launching new markets.


The attacker drained 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 in the DAI stablecoin, and $50,000 in the USDT stablecoin, totaling over $3.8 million in losses.


A previous attack on Onyx in October 2023 was enabled by the same vulnerability in the Compound Finance codebase. Another exploitation occurred at Hundred Finance, which was attacked in April 2023.


The DeFi protocol later acknowledged the faulty NFT contract as the primary cause of the attack, while the Compound vulnerability played a role.


According to PeckShield, the contract failed to validate user input properly, which allowed the attacker to inflate self-liquidation rewards and drain funds.


DeFi exploits have become a pressing issue in Web3, with several protocols being attacked in 2024. Just days before the Onyx attack, Bedrock, a liquid staking protocol, lost over $2 million due to a vulnerability in its uniBTC contract.


Another protocol, Bankroll Network, suffered a $230,000 loss when an attacker exploited a faulty “buyFor” function.


After stealing the funds, attackers often convert them into Ether to launder the funds through cryptocurrency mixers like Tornado Cash, which complicates the efforts of cybersecurity firms to trace the stolen funds.


Crypto hacks have been escalating in 2024, with the first quarter seeing $542.7 million stolen, a 42% increase from the same period in 2023. July was particularly severe, with over $266 million stolen across 16 attacks.


This includes a $230 million theft from Indian exchange WazirX, which was the second-largest hack of the year so far.


The WazirX hacker has been attempting to funnel the stolen funds, consolidating $57 million worth of ETH into new addresses by July 22.


Most recently, Singapore-based cryptocurrency exchange BingX’s estimated loss from a suspected hack on Friday more than doubled to over $52 million, following further investigations.


News source: financefeeds.com
