分析:ZetaChain 漏洞曾被白帽提前报告但遭忽视,最终导致 33.4 万美元攻击事件
ChainCatcher 消息,据 Cointelegraph 报道,跨链协议 ZetaChain 披露,其近期约 33.4 万美元漏洞攻击事件所涉及的安全问题,曾在漏洞赏金计划中被研究员提前报告,但当时被项目方视为“预期行为”而未处理。
根据官方发布的事故复盘,本次攻击源于三个原本看似独立、风险较低的设计缺陷组合:Gateway 合约允许任何人发送任意跨链指令;接收端几乎可对任意合约执行调用,且黑名单限制过于狭窄;部分钱包长期保留无限授权(Unlimited Approval)未被清理。攻击者最终通过组合这些缺陷,指示 Gateway 将代币直接转入其控制地址,从而完成资产转移。
ZetaChain 表示,此次攻击共涉及 Ethereum、Arbitrum、Base 与 BSC 四条链上的 9 笔交易,被盗资金均来自 ZetaChain 控制的钱包,用户资金未受影响。官方称,该攻击具有明显预谋性。攻击者在作案前三天便通过 Tornado Cash 为钱包注资,并提前部署专用 Drainer 合约,同时还实施了地址污染(Address Poisoning)攻击。
目前,ZetaChain 已开始向主网节点推送修复补丁,永久禁用任意调用(arbitrary call)功能,并将存款流程中的无限授权机制改为“精确额度授权”。
Disclaimer: OKX Orbit content is provided for informational purposes only. Learn more
Replies
Related Flash News
币界网•13h agoGrayscale Research: Improved regulatory transparency will drive blockchain adoption explosions
ChainCatcher•9d agoThe x402 protocol is now live on the Arbitrum network
ChainCatcher•15d agoPredict.fun New "Which blockchain will Polymarket migrate to in 2026?" ",The probability of "new Polymarket chain" is temporarily reported at 67%
TechFlow•17d agoArbitrum DAO unfreezes rsETH event-related ETH votes have reached a quorum
ChainCatcher•22d agoArbitrum DAO has launched a vote to release 30,766 ETH for the aftermath of the Kelp attack
ChainCatcher•23d agoKelpDAO injects 2,000 ETH into the DeFi United Recovery Fund to advance the rsETH recovery plan
TechFlow•24d agoHuobi HTX will list RAIN (Rain) at 8 p.m. today, and will simultaneously add RAIN/USDT (10X) isolated margin trading
ChainCatcher•32d agoAave discloses bad debt data: Depending on different rsETH accounting schemes, there may be two bad debt scenarios: $123.7 million and $230.1 million
ChainCatcher•33d agoData: Most of the crypto market pulled back, but the SocialFi, AI sector, etc. rose slightly
Blockbeats•33d agoAave: rsETH has full collateral support on the mainnet and is still frozen on Aave V3 and V4