
Cryptocurrency News

Security Researcher Finds Critical Vulnerability in Curve Finance Protocol, Earns $250,000 Bounty

2024/05/03 06:01

Marco Croc, a security researcher at Kupia Security, discovered a critical reentrancy vulnerability in the DeFi protocol Curve Finance that could have led to the theft of millions. Curve Finance acknowledged the vulnerability and awarded Croc a $250,000 bounty for his key contribution. The incident highlights the persistent security threats facing the DeFi sector.


Security Researcher Nets $250,000 Bounty for Uncovering Critical Vulnerability in Curve Finance Protocol


A dedicated security researcher has been handsomely rewarded for their astute discovery of a critical vulnerability in the Curve Finance decentralized finance (DeFi) protocol, a flaw that had previously enabled cybercriminals to pilfer millions from cryptocurrency ecosystems.


The vulnerability, analyzed and disclosed by Marco Croc, a cybersecurity expert from Kupia Security, was a reentrancy issue. The flaw could have been exploited to manipulate balances and siphon unauthorized funds from liquidity pools. Croc documented his findings in a series of posts on Medium, setting out the potential risks and manipulations the bug made possible.


Curve Finance responded swiftly to the disclosure, promptly launching a thorough investigation into the matter. Recognizing the significant threat posed by the vulnerability, the protocol awarded Croc the highest possible bounty of $250,000 for his invaluable contribution.


"Curve Finance recognized the severity of the vulnerability," Croc remarked, underscoring the importance of the protocol's swift and decisive action.


While the protocol initially assessed the vulnerability as "not as dangerous," expressing confidence in its ability to retrieve any potentially stolen funds, Curve Finance acknowledged that the occurrence of such a security incident could have triggered widespread panic within the community.


This acknowledgment resonates with Curve Finance's recent recovery from a massive $62 million hack in July. In an effort to mitigate the impact on their users, the protocol and its community implemented comprehensive compensation measures.


Curve Finance resolved to reimburse $49.2 million worth of assets to affected liquidity providers (LPs). This decision was overwhelmingly endorsed by tokenholders, with an impressive 94% approving the disbursement to cover losses across multiple pools, including Curve, JPEG'd (JPEG), Alchemix (ALCX), and Metronome (MET).


The compensation proposal meticulously outlined the amounts to be recovered and redistributed: "The overall ETH to recover was calculated as 5919.2226 ETH, the CRV to recover was calculated as 34,733,171.51 CRV and the total to distribute was calculated as 55'544'782.73 CRV."


The attacker had capitalized on a bug in specific versions of the Vyper programming language: versions 0.2.15, 0.2.16, and 0.3.0 were susceptible to reentrancy attacks. The incident starkly underscores the persistent threats within the DeFi landscape and the need for rigorous security measures.
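The reentrancy-lock failure described above, as a constructed Python model added here (not Curve's or Vyper's code): a lock tracked in a per-function slot does not stop a transfer callback inside remove_liquidity from re-entering add_liquidity, a single shared slot does, and checks-effects-interactions ordering keeps the pool's accounting consistent even when the lock fails. The names Pool, add_liquidity, remove_liquidity and on_receive, and the per-function-slot failure mode used to model the compiler bug, are assumptions for illustration.

```python
# Constructed toy (not Curve or Vyper code) of the lock failure the article describes:
# two pool functions meant to share ONE reentrancy lock. Pool, add_liquidity,
# remove_liquidity and on_receive are assumed names; the per-function slot is assumed.

class Pool:
    def __init__(self, shared_lock, cei):
        self.shared_lock = shared_lock  # one lock slot for all functions?
        self.cei = cei                  # update state before the external call?
        self.locks, self.balances, self.reserve = {}, {}, 0
        self.on_receive = {}            # user -> hook run when paid (a contract)
        self.reentered = False

    def _key(self, fn):                 # per-function slot is the modelled bug
        return "lock" if self.shared_lock else fn

    def _acquire(self, fn):
        if self.locks.get(self._key(fn)):
            raise RuntimeError("reentrancy blocked")   # models a revert
        self.locks[self._key(fn)] = True

    def add_liquidity(self, user, amount):
        self._acquire("add_liquidity")
        self.reserve += amount
        self.balances[user] = self.balances.get(user, 0) + amount
        self.locks[self._key("add_liquidity")] = False

    def remove_liquidity(self, user):
        self._acquire("remove_liquidity")
        owed = self.balances.get(user, 0)
        if self.cei:
            self.balances[user] = 0     # effect before the interaction
        self.reserve -= owed
        if user in self.on_receive:
            self.on_receive[user](self) # external call: callee may re-enter
        if not self.cei:
            self.balances[user] = 0     # effect after the interaction (unsafe)
        self.locks[self._key("remove_liquidity")] = False


def run(shared_lock, cei):
    # Deposit 100, then withdraw via a receiver that calls add_liquidity(50)
    # mid-withdrawal. Returns (re-entry admitted?, reserve == sum of positions?).
    pool = Pool(shared_lock, cei)
    pool.add_liquidity("alice", 100)
    def reenter(p):
        try:
            p.add_liquidity("alice", 50)
            p.reentered = True
        except RuntimeError:
            pass                        # shared lock rejected the re-entry
    pool.on_receive["alice"] = reenter
    pool.remove_liquidity("alice")
    return pool.reentered, pool.reserve == sum(pool.balances.values())
```

Only the per-function lock without checks-effects-interactions ordering leaves the pool's reserve out of step with its recorded positions; either a correctly shared lock or state updates before the external call keeps the invariant intact.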


Conclusion


The discovery and successful remediation of this critical vulnerability serve as a testament to the indispensable role of security researchers in safeguarding the burgeoning DeFi ecosystem. Protocols and their communities must prioritize robust security practices and reward those who contribute to enhancing the integrity of the digital asset landscape. By working together, we can mitigate risks, restore trust, and pave the way for the continued growth and adoption of decentralized finance.

