Synthetix is a DeFi synthetic-asset protocol that lets users mint and trade synthetic tokens (Synths) pegged to real-world assets (RWA).
Every synthetic asset's price in the system comes from external data supplied by an oracle, such as exchange rates or the prices of commodities and cryptocurrencies.
https://kermankohli.substack.com/p/defi-audit-1-synthetix
https://medium.com/cortexlabs/defi科普系列之-三-深入理解synthetix如何玩转合成资产-47c4f585563e
In mid-2019 Synthetix suffered an oracle mispricing incident. Roughly, it came down to the sKRW price feed returning a wrong price. The error moved the sKRW/sETH exchange rate from 360,000 sKRW : 1 sETH to a far higher 720 sKRW : 1 sETH, which inflated the paper assets of an arbitrage-bot account holding sKRW. The attacker then converted the "inflated" sKRW into sETH to capture the arbitrage.
Two API’s had different independent outages simultaneously, and our error handling and aggregation logic failed to handle this.
The pricing error was intermittently setting the rate for KRW to 1000x more than it actually was.
https://blog.synthetix.io/response-to-oracle-incident/
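As an added illustration (not Synthetix's own code), this is the kind of aggregation the quoted post-mortem says was missing: a hypothetical off-chain rate aggregator that requires a quorum of healthy sources, drops any source that disagrees with the median, and refuses to publish a rate that jumps implausibly from the last accepted one. The source names, quotes and thresholds are constructed sample values.

```python
from statistics import median
from typing import Dict, Optional

# Hypothetical aggregator (added example, not Synthetix code). Each source
# returns a quote in KRW per USD, or None when its API call failed.
class RateAggregator:
    def __init__(self, min_sources: int = 2, max_spread: float = 0.05,
                 max_move: float = 0.20):
        self.min_sources = min_sources   # quorum of healthy sources required
        self.max_spread = max_spread     # tolerated deviation of a source from the median
        self.max_move = max_move         # tolerated move versus the last accepted rate
        self.last_rate: Dict[str, float] = {}

    def aggregate(self, asset: str,
                  quotes: Dict[str, Optional[float]]) -> Optional[float]:
        # 1. Discard failed or nonsensical sources instead of letting them poison the rate.
        healthy = {s: q for s, q in quotes.items() if q is not None and q > 0}
        if len(healthy) < self.min_sources:
            return None                  # too few independent data points: keep old rate
        # 2. Drop outliers that disagree with the majority (a single 1000x feed).
        med = median(healthy.values())
        agreeing = [q for q in healthy.values()
                    if abs(q - med) / med <= self.max_spread]
        if len(agreeing) < self.min_sources:
            return None                  # sources disagree: refuse to publish
        rate = median(agreeing)
        # 3. Circuit breaker: even an agreeing majority must not move the rate
        #    by more than max_move in one update.
        prev = self.last_rate.get(asset)
        if prev is not None and abs(rate - prev) / prev > self.max_move:
            return None
        self.last_rate[asset] = rate
        return rate


if __name__ == "__main__":
    agg = RateAggregator()
    # Constructed round: one source reports KRW/USD 1000x too high.
    print(agg.aggregate("KRW", {"a": 1180.0, "b": 1181.0, "c": 1_180_000.0}))
    # Constructed round: one outage plus two sources both 1000x off; breaker trips.
    print(agg.aggregate("KRW", {"a": None, "b": 1_181_000.0, "c": 1_180_000.0}))
```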
The attack flow was relatively simple: the attacker (an arbitrage bot) just called the exchange function at the right moment to perform the swap.
https://etherscan.io/tx/0x93819f6bbea390d7709fa033f5733d16418674e99c43b9ed23adb4110d657f0c
In this incident, the attacker agreed to reverse the trade in exchange for a bounty.
We have since been in contact with the owner of the bot, who has agreed to reverse the trades in exchange for a bug bounty.
In the post, Synthetix mentioned switching its oracle to Chainlink, but also recommended adding the following defenses
Bedrock is a multi-asset liquid restaking protocol, backed by a non-custodial solution designed in partnership with RockX, a longstanding blockchain infrastructure company with strong roots in crypto staking.
Bedrock supports both restaking and staking for multiple assets, including:
The root cause of this vulnerability is that the exchange ratio between WETH and uniBTC was not handled properly: WETH and uniBTC were exchanged at 1:1, magnifying the value of WETH tens of thousands of times. The attacker used the distorted price to profit through lending, and finally used the borrowed WETH to drain the project's uniBTC tokens.
For contracts that control the minting or holding of tokens, even a minor error can result in significant security vulnerabilities. Therefore, conducting a security audit before deploying contracts in the production environment is critically important.