The attacker took advantage of the loopholes in the data verification link in a contract and stole the user's funds of the authorization contract through malicious data input. The attack brought the biggest loss to an address, with the loss of about $10,000. Background introduction is an interoperability agreement that serves the cross-chain safe and efficient data and asset transmission. The contract is an access point that interacts with all the assets in the liquidity layer, and all the assets bridges are gathered here into a unique meta-bridge according to the users. Preferences, such as cost delay or security, choose the best transaction route. Three days before the hacker attack, the contract administrator executed an order to add a new route to the system. The purpose of adding a route is to expand the function of the gateway, but it inadvertently introduced a key loophole. The following picture shows the record of adding a route through the contract administrator. The summary of the incident is Beijing time. Our time analysis shows that the funds used by the attacker's wallet to transfer to the attack are related to the withdrawal from. These funds were used to create. And two contracts were executed to exploit the vulnerability. The first contract was aimed at the screenshot in the authorized address, and the following victim was defrauded of about ten thousand dollars. Then the second contract targeted the sum in the victim's address, so another victim lost the following assets. The attacker converted the sum into the vulnerability source, and the vulnerability exploited by the attacker existed in the function in the newly added routing address. The original function of the function in the address was to assist the sum, but one appeared in the function. Key vulnerability users directly call external data in without verification, which means that the attacker can execute any malicious function. In this incident, the attacker made a malicious input trigger function, which took advantage of the user's authorization to the contract and stole funds from them. Although the contract will check the balance to ensure that the user's balance will change correctly after the call, this function does not consider the situation that the attacker sets the amount to. Attacking the contract, the attacker used the hex signature to call the vulnerable routing address contract in the contract. In the screenshot below, we can see that the number of false inputs used by the attacker is all for the next call, which was falsely accepted and executed without any verification. The attacker repeatedly executed the above process until the victim ran out of assets and malicious transactions appeared, and quickly called the previously vulnerable route to prevent a wider range of attacks. Recover the pieces and announce on the day that all losses will be fully compensated. This incident has been resolved. It is not uncommon for malicious attacks to be found in routing contracts with unlimited user authorization. Similar attacks in the past included attacks on decentralized exchanges on the day of the month, and losses of more than $10,000. Explorers maliciously entered functions to steal users' assets. On the day of the month, the protocol of the network was attacked. The attacker deployed a false contract and maliciously transferred 10,000 pieces from the victim's contract. Blockchain aggregation platforms usually improve liquidity and reduce losses by encapsulating a series of bridges and routing contracts. However, this complex encapsulation will bring more difficulties to security. We are pleased to see that this incident can be solved and will continue to work hard to provide all-round audit and testing for the platform, reduce various aggregation risks and improve community trust and the security level of the whole industry. 比特币今日价格行情网_okx交易所app_永续合约_比特币怎么买卖交易_虚拟币交易所平台

注册有任何问题请添加 微信：MVIP619 拉你进入群

文章转载注明 网址：https://netpsp.com/?id=61068