分析:ZetaChain 漏洞曾被白帽提前报告但遭忽视,最终导致 33.4 万美元攻击事件
ChainCatcher 消息,据 Cointelegraph 报道,跨链协议 ZetaChain 披露,其近期约 33.4 万美元漏洞攻击事件所涉及的安全问题,曾在漏洞赏金计划中被研究员提前报告,但当时被项目方视为“预期行为”而未处理。
根据官方发布的事故复盘,本次攻击源于三个原本看似独立、风险较低的设计缺陷组合:Gateway 合约允许任何人发送任意跨链指令;接收端几乎可对任意合约执行调用,且黑名单限制过于狭窄;部分钱包长期保留无限授权(Unlimited Approval)未被清理。攻击者最终通过组合这些缺陷,指示 Gateway 将代币直接转入其控制地址,从而完成资产转移。
ZetaChain 表示,此次攻击共涉及 Ethereum、Arbitrum、Base 与 BSC 四条链上的 9 笔交易,被盗资金均来自 ZetaChain 控制的钱包,用户资金未受影响。官方称,该攻击具有明显预谋性。攻击者在作案前三天便通过 Tornado Cash 为钱包注资,并提前部署专用 Drainer 合约,同时还实施了地址污染(Address Poisoning)攻击。
目前,ZetaChain 已开始向主网节点推送修复补丁,永久禁用任意调用(arbitrary call)功能,并将存款流程中的无限授权机制改为“精确额度授权”。
Disclaimer: OKX Orbit content is provided for informational purposes only. Learn more
Replies
Related Flash News
ChainCatcher•14d agoZetaChain: Previously targeted attacks did not affect user funds, mainnet patches have been deployed
TechFlow•15d agoZetaChain:GatewayEVM 合约遭攻击,已暂停跨链交易
PANews•44d agoData: Tokens such as SUI, EIGEN, OPN and other tokens will be unlocked in large amounts next week, of which SUI unlocks are worth about $37.2 million
Blockbeats•76d agoJane Street has participated in several crypto infrastructure projects and holds a large stake in crypto mining companies
Odaily•95d agoCoinbase announced that it will suspend trading of perpetual contracts for multiple tokens such as EDGE and FLOW
PANews•97d agoZetaChain launches TwoThumbs to enable AI chat via iMessage and SMS
PANews•104d agoTo create a cross-AI large model "privacy memory layer", ZetaChain brings the multi-model aggregation application Anuma to shape a new AI experience
Odaily•105d agoZetaChain 2.0 is officially launched, and Anuma creates a new platform for AI × privacy
ChainCatcher•139d agoRootData: ZETA will unlock approximately $3.02 million worth of tokens in a week
ChainCatcher•169d agoZetaChain has released a new version of ZetaClient upgrade to improve capital efficiency and experience