
Cryptocurrency News

Researcher Uncovers Critical Crypto Protocol Vulnerability, Earns $250,000 Bounty

2024/05/01 19:06

Security researcher Marco Croc has received a $250,000 reward for discovering a vulnerability in Curve Finance that could have let hackers exploit it for millions of dollars. The flaw is a reentrancy vulnerability that can be used to manipulate balances and withdraw funds from liquidity pools. Curve Finance acknowledged the severity of the vulnerability and awarded Croc its maximum bug bounty.

New York, NY - [Date] - Security researcher Marco Croc, operating under the pseudonym Kupia Security, has been awarded a $250,000 bug bounty for identifying a reentrancy vulnerability in the Curve Finance decentralized finance (DeFi) protocol. This flaw has been implicated in several high-profile crypto hacks, resulting in the illicit withdrawal of millions of dollars.

In a detailed analysis posted in an X thread, Croc laid out the mechanics of the bug, demonstrating how it could be exploited to manipulate account balances and extract funds from liquidity pools. Curve Finance promptly acknowledged the potential security flaw and rated the vulnerability as being of the highest severity.

Following a thorough investigation, Curve Finance awarded Croc the maximum allowable bug bounty of $250,000. "Curve recognized the severity of the vulnerability and acted swiftly to address it," Croc remarked.

Despite the critical nature of the flaw, Curve Finance expressed confidence that its security infrastructure would have mitigated any potential losses. Nonetheless, the protocol emphasized the potentially severe consequences of a full-blown security breach.

"While we believe our system would have ultimately recovered the funds in case of a breach, any security incident has the potential to cause significant panic in the market," Curve Finance stated.

This revelation comes on the heels of Curve Finance's recovery from a $62 million hack in July 2022. In response to the incident, the protocol implemented a reimbursement plan totaling $49.2 million in assets to liquidity providers (LPs).

On-chain data reveals that 94% of tokenholders approved the disbursement of over $49.2 million to compensate for losses incurred by the Curve, JPEG'd (JPEG), Alchemix (ALCX), and Metronome (MET) pools. The Curve DAO (CRV) tokens were allocated from the community fund, and the final payout accounted for the tokens retrieved since the hack.

"The overall ETH (ETH) to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV, and the total to distribute was calculated as 55'544'782.73 CRV," the proposal outlined.

The vulnerability exploited by the attacker stemmed from stable pools built with certain versions of the Vyper compiler. Versions 0.2.15, 0.2.16, and 0.3.0 were found to be susceptible to reentrancy attacks, a common tactic in DeFi hacks.

Croc's discovery underscores the ongoing challenges faced by the crypto industry in guarding against cyber threats. While protocols like Curve Finance invest heavily in security measures, vulnerabilities can still arise, putting user funds at risk.

The $250,000 bounty awarded to Croc serves as a testament to the importance of responsible disclosure and ethical hacking in safeguarding the crypto ecosystem. By uncovering and reporting critical flaws, researchers like Croc play a vital role in protecting the integrity of the industry and ensuring the safety of user assets.
