Repeat DeFi hack or a new bug?

2024/09/28 01:06

Two decentralized finance (DeFi) protocols were hacked on Friday for a combined total of over $5 million, while compromised wallets saw a further $5 million drained on Wednesday.

While the founders of two OG protocols, Aave and Maker (now Sky), enjoyed a game of Starcraft and reveled in a “DeFi renaissance moment,” some of the sector’s less well-established projects were going down in history for the wrong reasons.

Repeat DeFi hack or a new bug?

First up was Onyx Protocol, whose $3.8 million loss was initially thought to be a repeat of the well-known bug that drained $2.1 million from the project toward the back end of last year.

Hi @OnyxDAO, you may want to take a look pic.twitter.com/fcU6fHP4jr

Read more: Compound DAO asleep at the wheel as $25M governance ‘attack’ passes

Onyx is a fork of Compound Finance, whose v2 code contains an infamous weakness: a freshly launched lending market with little or no supply is briefly open to price manipulation, because anyone can inflate the market's exchange rate by transferring underlying tokens directly to the contract and then borrow against, or redeem, the inflated collateral. The window stays open unless the deployer seeds the market with initial liquidity before it is listed as collateral.

Given the popularity of Compound’s v2 codebase with fast-forking DeFi devs, the bug is exploited with alarming regularity across the sector, and was initially identified as having been the cause of Onyx’s latest loss.

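To make the empty-market bug concrete, here is an added, simplified Python model of the mechanics (illustration only, not Compound's or Onyx's code). It keeps only the market's cash and cToken supply, ignores borrows, reserves, interest and token decimals, assumes a 1:1 initial exchange rate for readability, and models the other market's borrow limit with an assumed 80% collateral factor. It walks through the attack sequence (dust mint, donation, borrow, truncated redeem) and shows why seeding the market at launch with supply that nobody can redeem neutralises it.

```python
"""Simplified model of the Compound v2 "empty market" exchange-rate bug.

Added illustration only, not Compound's or Onyx's code. Assumptions:
no borrows/reserves/interest in the attacked market, no token decimals,
an initial exchange rate of 1:1, and an 80 % collateral factor on the
market the attacker borrows from. Integer math mimics the EVM.
"""
from dataclasses import dataclass

SCALE = 10**18                         # exchange rate is 18-decimal fixed point
INITIAL_RATE = SCALE                   # assumed 1:1 before the first mint
COLLATERAL_FACTOR = 8 * SCALE // 10    # assumed 80 %


@dataclass
class Market:
    cash: int = 0    # underlying held by the cToken contract
    supply: int = 0  # cTokens outstanding

    def exchange_rate(self) -> int:
        # Compound v2: (cash + borrows - reserves) * SCALE / totalSupply.
        # Anyone can raise `cash` with a plain ERC-20 transfer (a "donation"),
        # so with a dust-sized supply the rate is attacker-controlled.
        if self.supply == 0:
            return INITIAL_RATE
        return self.cash * SCALE // self.supply

    def mint(self, amount: int) -> int:
        tokens = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.supply += tokens
        return tokens

    def donate(self, amount: int) -> None:
        self.cash += amount            # no cTokens minted

    def value_of(self, tokens: int) -> int:
        return tokens * self.exchange_rate() // SCALE

    def redeem_underlying(self, amount: int, held: int) -> tuple:
        """Pay out `amount` underlying, burning amount/rate cTokens rounded
        DOWN, as Compound v2's redeemUnderlying does. Returns (burned, paid)."""
        burned = amount * SCALE // self.exchange_rate()
        if burned > held or amount > self.cash:
            raise ValueError("insufficient balance")
        self.supply -= burned
        self.cash -= amount
        return burned, amount


def attack(seed: int = 0, flash_loan: int = 10_000 * SCALE) -> dict:
    """Run the attack against a market seeded with `seed` underlying
    (minted to a burn address at launch, so nobody can redeem it)."""
    m = Market()
    if seed:
        m.mint(seed)
    held = m.mint(2)                       # 1. dust position: 2 cTokens
    m.donate(flash_loan)                   # 2. inflate the exchange rate
    # 3. Borrow elsewhere against the inflated collateral. Keep the debt
    #    within what ONE cToken covers, because the redeem check below
    #    prices the remaining token at the still-inflated rate.
    borrow = m.value_of(held - 1) * COLLATERAL_FACTOR // SCALE
    # 4. Redeem one wei less than two tokens' worth: truncation burns one
    #    cToken but pays out nearly all of the cash, donation included.
    burned, paid = m.redeem_underlying(m.value_of(held) - 1, held)
    held -= burned
    # 5. Repay the flash loan; the borrowed assets are the profit, backed
    #    now by a single cToken whose market holds almost no cash.
    profit = paid + borrow - flash_loan - 2
    return {"burned": burned, "paid": paid, "borrow": borrow,
            "profit": profit, "cash_left": m.cash, "held": held}


if __name__ == "__main__":
    print("unseeded market:", attack())
    print("seeded market:  ", attack(seed=1_000 * SCALE))
```

In the seeded run the donated value is shared pro rata with the unredeemable seed supply, so the attacker's two cTokens are worth only a few wei and the flash loan is simply lost. Rounding the cToken burn up rather than down in the redeem path closes the second half of the trick independently of seeding.
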
However, as the team pointed out in a ‘post-mortem’ thread on X (formerly Twitter), this time the vulnerability also lay in the platform’s ‘NFT Liquidation contract.’ The attacker was able to drain the vUSD stablecoin, which was then sold off, causing it to depeg.

Something’s not adding up

Next came ‘bitcoin restaking’ protocol Bedrock, which appeared to be overly bullish on ETH, costing it around $2 million.

uniBTC by @Bedrock_DeFi was exploited today. The vulnerability allowed for you to mint uniBTC with eth! This function was likely leftover from the uniETH implementation 😅 @spreekaway pic.twitter.com/Xj69wQg2GX

Read more: ‘Cryptographic performance art’ drains contract one block after launch 

The faulty code allowed users to mint Bedrock's uniBTC token at a 1:1 ratio against ETH, taking no account of the price difference between the two assets (roughly $65,000 versus $2,650 at the time).

The uniBTC tokens were then sold off for an alternative wrapped bitcoin token, for a return of almost 25x.

Crypto security auditor Dedaub claims to have identified the vulnerability in advance, stating that such a simple bug could be discovered and exploited automatically by ‘fuzzing bots.’

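As an added illustration of the point Dedaub makes about automatic discovery (example code, not Dedaub's tooling or Bedrock's contracts): a toy vault with an intended wrapped-BTC deposit path and a hypothetical leftover ETH path that credits receipt tokens 1:1, plus a small invariant fuzzer that drives both paths with random inputs and checks that the receipt tokens never claim more value than the reserves hold. The prices are constructed from the figures in the article. The harness is general: it flags any entry point that mis-prices a deposit, not just this one.

```python
"""Invariant fuzzing for a wrapped-asset vault with a mis-priced mint path.

Added illustration, not Bedrock's or Dedaub's code. The vault, the
leftover ETH mint path and the prices are constructed for the example.
"""
import random
from typing import Optional

PRICE_USD = {"BTC": 65_000, "ETH": 2_650}   # constructed from the article


class Vault:
    """Receipt token meant to track BTC 1:1, with a leftover ETH path."""

    def __init__(self) -> None:
        self.reserves = {"BTC": 0, "ETH": 0}
        self.supply = 0                       # receipt tokens (uniBTC-like)

    def mint_with_wbtc(self, amount: int) -> int:
        self.reserves["BTC"] += amount
        self.supply += amount                 # correct: 1 BTC -> 1 receipt
        return amount

    def mint_with_eth(self, amount: int) -> int:
        self.reserves["ETH"] += amount
        self.supply += amount                 # BUG: 1 ETH -> 1 receipt
        return amount


class FixedVault(Vault):
    """Hardened: ETH deposits are priced, and rounding favours the vault."""

    def mint_with_eth(self, amount: int) -> int:
        minted = amount * PRICE_USD["ETH"] // PRICE_USD["BTC"]   # rounds down
        self.reserves["ETH"] += amount
        self.supply += minted
        return minted


def reserves_usd(v: Vault) -> int:
    return sum(qty * PRICE_USD[asset] for asset, qty in v.reserves.items())


def receipts_usd(v: Vault) -> int:
    return v.supply * PRICE_USD["BTC"]


def solvency_holds(v: Vault) -> bool:
    # Invariant: receipt tokens must never claim more value than is held.
    return receipts_usd(v) <= reserves_usd(v)


ENTRY_POINTS = ("mint_with_wbtc", "mint_with_eth")


def fuzz(vault_cls: type, steps: int = 200, seed: int = 7) -> Optional[dict]:
    """Call random entry points with random amounts; return the first
    violating call, or None if the invariant survives every step."""
    rng = random.Random(seed)
    v = vault_cls()
    for step in range(steps):
        name = rng.choice(ENTRY_POINTS)
        amount = rng.randint(1, 100)
        getattr(v, name)(amount)
        if not solvency_holds(v):
            return {"step": step, "call": name, "amount": amount,
                    "shortfall_usd": receipts_usd(v) - reserves_usd(v)}
    return None


if __name__ == "__main__":
    print("vulnerable:", fuzz(Vault))
    print("fixed:     ", fuzz(FixedVault))
```

The vulnerable vault fails on the very first ETH deposit, because every earlier BTC deposit leaves receipts and reserves exactly equal and the ETH path then adds far more receipt value than reserve value. The fixed vault survives every step since its ETH path rounds the minted amount down.
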
Dedaub says it warned the Bedrock team two hours before the attack but received no response, owing to time zone differences. By raising the issue separately with Pendle, a platform with $30 million of exposure to uniBTC, further losses were averted.

The Bedrock team responded to the incident, reassuring users that all uniBTC collateral remains intact. It estimated the losses at “approximately $2 million (mostly in DEX LPs),” adding that a “comprehensive reimbursement plan is being finalized.”

Compromised keys?

On Wednesday, real-world-asset-focused Truflation warned of “some abnormal activity,” which it attributed to a malware attack.

On September 25th, 2024, the Truflation team detected some abnormal activity. An attacker launched an attack using malware. We are currently monitoring the situation and are taking measures to protect funds while we are investigating and working with law enforcement. The…

Read more: Chelsea FC sponsor BingX tried to hide $40M hack behind ‘wallet maintenance’

Blockchain investigator ZachXBT traced total losses of over $5 million from addresses identified as the project’s “treasury multisig and personal wallets,” providing a list of addresses via his Investigations Telegram channel.

While the initial disclosure was scant on details, it did mention a reward for any whitehats able to aid the investigation. This was followed by an on-chain message to the hacker offering a 10% 'bounty' for the return of the funds.

Assuming funds aren’t returned before 8am (UTC) on Saturday, the bounty will be opened up to the public in return for information leading to a conviction.

Disclaimer (info@kdj.com): The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research.
