In recent days, decentralized finance (DeFi) has been shaken by a series of attacks on several key platforms; by one professional tally, roughly $70 million was stolen in total.
The victims include Curve Finance, the lending protocol Alchemix, the yield platform Pendle, the synthetic-asset tool Metronome and the decentralized NFT protocol JPEG'd.
Take Curve Finance, one of the most widely used and influential decentralized exchanges, which specializes in trading stablecoins and other low-volatility assets. Curve Finance's contracts are written in Vyper, and several of its liquidity pools were reportedly attacked, with losses of about $25 million.
Specifically, on 30 July 2023 a critical vulnerability was disclosed in certain versions of the smart-contract programming language Vyper. Major projects including Curve Finance were attacked as a result and lost tens of millions of dollars, a wake-up call for smart-contract security.
The vulnerability stemmed from a failure of the reentrancy lock in Vyper versions 0.2.15, 0.2.16 and 0.3.0: because of a storage-allocation bug in the compiler, functions decorated with the same `@nonreentrant` key were given separate lock slots, so a lock acquired in one function did not block a call into another function protected by the same key. For blockchain projects, reentrancy (the reentrancy attack) is one of the most common smart-contract vulnerability classes. It occurs when a contract makes an external call, such as transferring ETH to another contract, and the recipient uses that moment of control to call back into the contract before the first invocation has finished updating its state; if the contract's logic is not airtight, this can be abused for malicious operations such as withdrawing the same funds repeatedly.
For example, suppose a smart contract offers deposit and withdrawal functions, and the withdrawal function sends the requested amount to the caller first and only afterwards subtracts it from the caller's balance. If the caller is a malicious contract, it can call the withdrawal function again from the code that runs when it receives the transfer. Because the contract has not yet updated the caller's balance at that point, the balance check passes again and the withdrawal repeats, so the malicious contract can drain all the funds held by the bank contract. The standard defenses are to update state before making any external call (the checks-effects-interactions pattern) and to guard the entry points with a reentrancy lock, which is exactly the protection the affected Vyper versions failed to provide.
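The two points above, the bank-style reentrancy and the lock whose slots are allocated per function rather than per key, as an added Python model written for this article. It is not Curve's pool code, the Vyper compiler, or anything from OKLink: the `Bank`, `Attacker`, the 10 ETH honest deposit and the `per_function_slots` switch are all constructed for illustration.

```python
"""Toy model of EVM reentrancy and of a reentrancy lock whose storage slots
are allocated per function instead of per lock key.  Constructed example, not
Curve's pool code and not the Vyper compiler.  Storage is a dict; "sending
ETH" to a contract runs its receive() hook, the control transfer an attacker
abuses on chain.  Reverts do not roll back state and balances are plain ints,
so the accounting a successful attacker leaves behind can go negative."""
from functools import wraps


class Reverted(Exception):
    """Stands in for an EVM revert."""


def nonreentrant(key):
    """Guard modelled on Vyper's @nonreentrant(key).  A correct compiler maps one
    key to one storage slot shared by every function carrying it.  With
    per_function_slots=True (the 0.2.15-0.3.0 behaviour) every function gets its
    own slot, so a lock held in one function does not block entry to another."""
    def deco(fn):
        @wraps(fn)
        def guarded(self, *args):
            slot = (key, fn.__name__) if self.per_function_slots else key
            if self.locks.get(slot):
                raise Reverted("reentrant call into " + fn.__name__)
            self.locks[slot] = True
            try:
                return fn(self, *args)
            finally:
                self.locks[slot] = False
        return guarded
    return deco


class Bank:
    def __init__(self, per_function_slots=False):
        self.balances = {}
        self.locks = {}
        self.eth = 0                       # ETH actually held by the contract
        self.per_function_slots = per_function_slots

    def deposit(self, sender, amount):
        self.balances[sender] = self.balances.get(sender, 0) + amount
        self.eth += amount

    def _check(self, sender, amount):
        if self.balances.get(sender, 0) < amount:
            raise Reverted("insufficient balance")

    def _send(self, to, amount):
        """raw_call-style transfer: the recipient's code runs before we return."""
        if self.eth < amount:
            raise Reverted("insufficient ETH")
        self.eth -= amount
        if hasattr(to, "receive"):
            to.receive(self, amount)

    def withdraw_vulnerable(self, sender, amount):
        # Interaction before effect: the balance is intact while receive() runs.
        self._check(sender, amount)
        self._send(sender, amount)
        self.balances[sender] -= amount

    def withdraw_safe(self, sender, amount):
        # Checks-effects-interactions: state is final before the external call.
        self._check(sender, amount)
        self.balances[sender] -= amount
        self._send(sender, amount)

    @nonreentrant("lock")
    def withdraw_locked(self, sender, amount):
        # Same unsafe ordering as withdraw_vulnerable; safety rests on the lock.
        self._check(sender, amount)
        self._send(sender, amount)
        self.balances[sender] -= amount

    @nonreentrant("lock")
    def withdraw_all_locked(self, sender):
        amount = self.balances.get(sender, 0)
        self._send(sender, amount)
        self.balances[sender] = 0


class Attacker:
    """Malicious contract that re-enters the bank from its receive() hook."""
    def __init__(self, reenter):
        self.reenter = reenter             # callable(bank, self): the nested call
        self.stolen = 0

    def receive(self, bank, amount):
        self.stolen += amount
        if bank.eth > 0:
            try:
                self.reenter(bank, self)
            except Reverted:
                pass                       # nested call failed; keep what we have


def run(entry, reenter, per_function_slots=False):
    """Honest user deposits 10 ETH (constructed), the attacker deposits 1 and
    withdraws 1 through `entry`; returns (eth stolen, eth left in the bank)."""
    bank = Bank(per_function_slots)
    bank.deposit("alice", 10)
    atk = Attacker(reenter)
    bank.deposit(atk, 1)
    try:
        getattr(bank, entry)(atk, 1)
    except Reverted:
        pass
    return atk.stolen, bank.eth
```

With a 1 ETH deposit, `run("withdraw_vulnerable", ...)` re-entering the same function drains all 11 ETH, `withdraw_safe` yields only the attacker's own 1 ETH, and the cross-function case (`withdraw_locked` re-entering `withdraw_all_locked`) is stopped by a shared lock slot but succeeds when each function has its own slot, which is the shape of the Vyper defect.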
It is worth noting that this is not the first time Curve has been hacked. If even a top-tier DeFi project is not immune to attack, ordinary projects have all the more reason to pay attention both to the attacker side (who is interacting with them) and to the contract defense side.
So what can a project team do on the attacker side? The OKLink team recommends that projects use an on-chain address-labeling system to identify wallets with a known bad history in advance and block interactions from addresses that have shown abnormal behavior. One of the addresses used in the Curve attack already had a bad record in OKLink's labels, and its behavior pattern was also out of the ordinary, with more than a hundred transactions in a three-day span. Such labels are a useful signal, but since an attacker can always fund a fresh address, they complement rather than replace defenses in the contract itself.
How can projects defend on the contract side? Security incidents like reentrancy attacks will certainly happen again, so beyond the efforts described above on both the attack and defense sides, projects need an incident response plan so that when an attack does happen they can react as quickly as possible and minimize losses to the project and its users.
Vyper contributors have also suggested that for public goods such as Vyper, public incentives to find critical vulnerabilities should be strengthened. OKLink calls for a set of security response standards to be established as early as possible, so that tracing funds held at black- and grey-listed addresses becomes easier.
Just as OKLink's products play a role on both sides of such incidents, screening out attackers beforehand and tracing funds afterwards, projects should consider the additional value a third-party technical service provider can bring when building a platform's security module, so that the project's security defenses are built faster and better.
Overall, the emergence of security companies such as OKLink (欧科云链) shows that the blockchain security industry is providing law enforcement with data-driven investigative tools and end-to-end solutions for new forms of technology-enabled crime. Going forward, companies such as OKLink are expected to keep using technology to support the healthy development of the industry and to safeguard on-chain security.