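On May 14, CertiK reported that, following a suspicious contract upgrade, $4.3 million was withdrawn from the Alex protocol bridge on BNB Smart Chain. The upgrade was executed by the protocol's deployer account and involved replacing the implementation address with unverified bytecode. The funds were then transferred to an unknown address, raising concerns about a possible private key compromise.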
Alex Bridge Exploited for $4.3 Million in Suspicious Withdrawals
May 14, 2023 - The Alex protocol bridge, a gateway connecting the Bitcoin layer-2 protocol to other networks, has fallen victim to a sophisticated exploit, resulting in the loss of approximately $4.3 million in digital assets.
Blockchain security platform CertiK released a report on May 14, detailing the incident that occurred just hours after the bridge's contract was mysteriously upgraded five times in rapid succession. The upgrades, initiated by the protocol's deployer account, raised immediate concerns of a potential private key compromise.
The new implementation address, ending in 7058, contained unverified bytecode, rendering it indecipherable to human readers. Within an hour of the upgrades, the proxy address for the bridge contract executed an unverified function on an address ending in 4848E. This action triggered the transfer of a substantial amount of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) from the BNB Smart Chain leg of the bridge into the 484E address.
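An added example, not part of the original report or of CertiK's tooling: a minimal detector for the sequence described above (a burst of upgrades from one account, an unverified implementation, then a large outflow within the hour). The event fields, thresholds, addresses and timestamps are constructed assumptions; only the five upgrades and the $4.3 million figure come from the article.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: int                # unix seconds
    kind: str              # "upgrade" or "transfer_out"
    actor: str             # account that sent the transaction
    impl: str = ""         # new implementation address (upgrade only)
    verified: bool = True  # source published on an explorer (upgrade only)
    usd: float = 0.0       # value leaving the proxy (transfer_out only)

def upgrade_alerts(events, burst=3, burst_window=3600, drain_window=3600, min_usd=100_000):
    """Return sorted (ts, rule, subject) alerts for one proxy's event stream."""
    events = sorted(events, key=lambda e: e.ts)
    upgrades = [e for e in events if e.kind == "upgrade"]
    alerts = []
    for i, up in enumerate(upgrades):
        if not up.verified:
            alerts.append((up.ts, "unverified_implementation", up.impl))
        # Upgrades by the same account inside the trailing window, this one included.
        recent = [u for u in upgrades[: i + 1]
                  if u.actor == up.actor and up.ts - u.ts <= burst_window]
        if len(recent) == burst:  # fire once, when the threshold is first reached
            alerts.append((up.ts, "upgrade_burst", up.actor))
    for ev in events:
        if ev.kind != "transfer_out" or ev.usd < min_usd:
            continue
        # Large outflow shortly after the proxy was pointed at unverified code.
        prior = [u for u in upgrades if 0 <= ev.ts - u.ts <= drain_window]
        if any(not u.verified for u in prior):
            alerts.append((ev.ts, "outflow_after_unverified_upgrade", ev.actor))
    return sorted(alerts)

# Constructed sample: five upgrades one minute apart, the last one unverified,
# then a single outflow 40 minutes later. All identifiers are placeholders.
T0 = 1_700_000_000
SAMPLE = [Event(T0 + 60 * i, "upgrade", "0xDEPLOYER", f"0xIMPL_{i + 1}", verified=(i < 4))
          for i in range(5)]
SAMPLE.append(Event(T0 + 2640, "transfer_out", "0xCALLER", usd=4_300_000))

if __name__ == "__main__":
    for alert in upgrade_alerts(SAMPLE):
        print(alert)
```

In production the `upgrade` records would come from the proxy's upgrade events and the `verified` flag from an explorer lookup; both sources are assumptions here.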
The attacker's motive appears to extend beyond the BNB Smart Chain network. At 5:41 pm UTC, minutes after the exploit on BNB Smart Chain, a similar series of upgrades occurred on Ethereum. The deployer upgraded the "artist address" to an unverified contract, followed by an attempt to withdraw funds from the "team address" by an account ending in 05ed. However, the withdrawal attempts failed, returning a "not owner" error.
The 05ed account, which exhibited no activity before May 10, raised suspicions of malicious intent. Its creation of three unverified contracts within a short period suggested control by a malicious actor.
At the time of this report's publication, the Alex team had yet to confirm the exploit or comment on the incident. The attack marks a growing trend of protocol exploits in the decentralized finance (DeFi) space, with Equalizer and Gnus.ai reporting losses exceeding $3.5 million combined in May alone.
The Alex bridge incident highlights the ongoing security risks associated with DeFi platforms and the need for robust security measures to protect user funds. CertiK's comprehensive investigation underscores the importance of thorough audits and regular security reviews to identify and mitigate potential vulnerabilities.
The incident serves as a stark reminder that the security of DeFi platforms is paramount, and users should exercise due diligence in selecting and interacting with protocols. Developers must prioritize the implementation of rigorous security protocols and transparency to instill trust and confidence among users.