16万美元资产被盗竟是乌龙事件? | Yeld.finance“闪电贷攻击”事件
- 成都链安
- 发布于 2021-03-01 11:47
- 阅读 3393
16万美元资产被盗?虚惊一场!
一、事件概览
北京时间2021年2月27日,【链必安-区块链安全态势感知平台(Beosin-OSINT)】舆情监测到,DeFi知名项目Yeld.finance官方发出通告,表示该项目的DAI池遭受到闪电贷攻击,原文链接如下: <u style="text-decoration: none; border-bottom: 1px dashed grey;"><a href="https://link.zhihu.com/?target=https%3A//yeldf.medium.com/the-yeld-dai-earn-vault-has-been-hacked-93f27d475b1b" class=" external" target="_blank" rel="nofollow noreferrer" data-za-detail-view-id="1043" style="color: inherit; text-decoration: none; cursor: pointer; border-bottom: 1px solid grey;"><span class="invisible" style="font: 0px / 0 a; color: transparent; text-shadow: none; background-color: transparent;">https://</span><span class="visible">yeldf.medium.com/the-ye</span><span class="invisible" style="font: 0px / 0 a; color: transparent; text-shadow: none; background-color: transparent;">ld-dai-earn-vault-has-been-hacked-93f27d475b1b</span><span class="ellipsis"></span></a></u>
成都链安(Beosin)安全团队第一时间介入响应,对原文中所提及的交易(0x57b378f8d20d3945ab40cd62aa24063f375bcfc5693c2e788dc193ffa1a5cc3a)进行分析。经分析后发现,该笔交易为Yeld.finance项目自身的策略机制而导致的资金转移,与闪电贷攻击无关。闪电贷攻击表示不背这个锅。
二、事件分析
<figure data-size="normal" style="margin: 1.4em 0px; color: rgb(18, 18, 18); font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Microsoft YaHei", "Source Han Sans SC", "Noto Sans CJK SC", "WenQuanYi Micro Hei", sans-serif; font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><img src="https://pic3.zhimg.com/80/v2-84d998e3b8df015bd394628ee23191aa_720w.jpg" data-caption="" data-size="normal" data-rawwidth="1269" data-rawheight="1010" class="origin_image zh-lightbox-thumb lazy" width="1269" data-original="https://pic3.zhimg.com/v2-84d998e3b8df015bd394628ee23191aa_r.jpg" data-actualsrc="https://pic3.zhimg.com/v2-84d998e3b8df015bd394628ee23191aa_b.jpg" data-lazy-status="ok" style="display: block; max-width: 100%; margin: 0px auto; cursor: zoom-in; background-color: transparent; animation: 0.5s ease-in 0s 1 normal none running fxRichTextFadeIn;"/></figure>
图1 交易信息
如图1所示,该笔交易是名为0xf0f225e0的用户,调用了0xe780cab7ca8014543f194fc431e6bf7dc5c16762合约的deposit函数。经确认,0xef80cab7合约正是项目方的DAI池。该笔交易一共产生了6笔代币转移,分别用T1到T6表示。那么,这些代币转移究竟是什么操作导致的呢?下面通过代码进行分析:
<figure data-size="normal" style="margin: 1.4em 0px; color: rgb(18, 18, 18); font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Microsoft YaHei", "Source Han Sans SC", "Noto Sans CJK SC", "WenQuanYi Micro Hei", sans-serif; font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><img src="https://pic1.zhimg.com/80/v2-bce3e13087aa423b83f112d59f9e6190_720w.jpg" data-caption="" data-size="normal" data-rawwidth="940" data-rawheight="659" class="origin_image zh-lightbox-thumb lazy" width="940" data-original="https://pic1.zhimg.com/v2-bce3e13087aa423b83f112d59f9e6190_r.jpg" data-actualsrc="https://pic1.zhimg.com/v2-bce3e13087aa423b83f112d59f9e6190_b.jpg" data-lazy-status="ok" style="display: block; max-width: 100%; margin: 0px auto; cursor: zoom-in; background-color: transparent; animation: 0.5s ease-in 0s 1 normal none running fxRichTextFadeIn;"/></figure>
图2 deposit函数源代码
很明显,第538行代码,产生导致了序号为T1的代币转移,将token(即DAI)转移到yDAI合约。这是一笔普通的代币转账,表示用户存入了9,377 DAI到yDAI合约。
第541-553行代码,是yDAI合约用于计算用户存入的DAI应返回给用户多少yDAI,并在第554行进行铸币,对应序号为T2的代币转账,表示yDAI合约向用户铸了9,306 yDAI。
然后进入第555行的rebalance函数,分析该函数的逻辑。
<figure data-size="normal" style="margin: 1.4em 0px; color: rgb(18, 18, 18); font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Microsoft YaHei", "Source Han Sans SC", "Noto Sans CJK SC", "WenQuanYi Micro Hei", sans-serif; font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><img src="https://pic4.zhimg.com/80/v2-8546a022e52707663e972b0570663cc3_720w.jpg" data-caption="" data-size="normal" data-rawwidth="675" data-rawheight="440" class="origin_image zh-lightbox-thumb lazy" width="675" data-original="https://pic4.zhimg.com/v2-8546a022e52707663e972b0570663cc3_r.jpg" data-actualsrc="https://pic4.zhimg.com/v2-8546a022e52707663e972b0570663cc3_b.jpg" data-lazy-status="ok" style="display: block; max-width: 100%; margin: 0px auto; cursor: zoom-in; background-color: transparent; animation: 0.5s ease-in 0s 1 normal none running fxRichTextFadeIn;"/></figure>
图3 rebalance函数源码
<figure data-size="normal" style="margin: 1.4em 0px; color: rgb(18, 18, 18); font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Microsoft YaHei", "Source Han Sans SC", "Noto Sans CJK SC", "WenQuanYi Micro Hei", sans-serif; font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><img src="https://pic3.zhimg.com/80/v2-5a16c1bba58fe3c08e08913beb93ec32_720w.jpg" data-caption="" data-size="normal" data-rawwidth="1196" data-rawheight="684" class="origin_image zh-lightbox-thumb lazy" width="1196" data-original="https://pic3.zhimg.com/v2-5a16c1bba58fe3c08e08913beb93ec32_r.jpg" data-actualsrc="https://pic3.zhimg.com/v2-5a16c1bba58fe3c08e08913beb93ec32_b.jpg" data-lazy-status="ok" style="display: block; max-width: 100%; margin: 0px auto; cursor: zoom-in; background-color: transparent; animation: 0.5s ease-in 0s 1 normal none running fxRichTextFadeIn;"/></figure>
图4 recommend函数
第732行代码会计算newProvider,该函数会调用recommend函数(如图4所示),recommend函数会调用IEarnAPRWithPool合约查询4个Defi项目DYDX,COMPOUND,AAVE,FULCRUM中,年利率(APR)最高的项目,查询结果如图5所示:
<figure data-size="normal" style="margin: 1.4em 0px; color: rgb(18, 18, 18); font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Microsoft YaHei", "Source Han Sans SC", "Noto Sans CJK SC", "WenQuanYi Micro Hei", sans-serif; font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><img src="https://pic3.zhimg.com/80/v2-beead97f2376717d53a947c876558f8a_720w.jpg" data-caption="" data-size="normal" data-rawwidth="1113" data-rawheight="448" class="origin_image zh-lightbox-thumb lazy" width="1113" data-original="https://pic3.zhimg.com/v2-beead97f2376717d53a947c876558f8a_r.jpg" data-actualsrc="https://pic3.zhimg.com/v2-beead97f2376717d53a947c876558f8a_b.jpg" data-lazy-status="ok" style="display: block; max-width: 100%; margin: 0px auto; cursor: zoom-in; background-color: transparent; animation: 0.5s ease-in 0s 1 normal none running fxRichTextFadeIn;"/></figure>
图5 recommend查询结果
其中dYdX池的APR最高,newProvider被设置为dYdX池。当前池为AAVE池,进入736行的if代码块,调用内部函数_withdrawAll。
<figure data-size="normal" style="margin: 1.4em 0px; color: rgb(18, 18, 18); font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Microsoft YaHei", "Source Han Sans SC", "Noto Sans CJK SC", "WenQuanYi Micro Hei", sans-serif; font-size: medium; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><img src="https://pic4.zhimg.com/80/v2-71e4678ebc85355956d9302af98495e3_720w.jpg" data-caption="" data-size="normal" data-rawwidth="779" data-rawheight="657" class="origin_image zh-lightbox-thumb lazy" width="779" data-original="https://pic4.zhimg.com/v2-71e4678ebc85355956d9302af98495e3_r.jpg" data-actualsrc="https://pic4.zhimg.com/v2-71e4678ebc85355956d9302af98495e3_b.jpg" data-lazy-status="ok" style="display: block; max-width: 100%; margin: 0px auto; cursor: zoom-in; background-color: transparent; animation: 0.5s ease-in 0s 1 normal none running fxRichTextFadeIn;"/></figure>
图6 _withdrawAll函数源代码
第778行代码将会提出AAVE池中的所有DAI,产生了序号为T3-T5的代币转移,具体代码可参考AAVE(0xfC1E690f61EFd961294b3e1Ce3313fBD8aa4f85d)合约redeem函数相关代码,此处不再详述。
最后是第741行代码,将从AAVE中提出的16.6余万枚DAI存入dYdX合约,产生了序号为T6的代币转移,即将16.6万枚DAI存入dYdX池。
整个交易就此结束,可以看到,这次所谓的“闪电贷攻击”只是虚惊一场。用户只是单纯的存入了一笔DAI,然后刚好触发了Yeld.finance项目的策略机制,并不是所谓的“闪电贷攻击”,可谓是闹了场乌龙事件。值得注意的是,dYdX在该事件中充当了一个“良心商家”的角色,并不是以往闪电贷攻击中的帮凶。
三、安全建议
尽管本次事件经成都链安(Beosin)安全团队分析后被判断为虚假一场,但在这里还是有必要提醒各项目方,依然需要在日常的安全防护工作中,对闪电贷攻击加以预警和防范。
同时,作为致力于区块链生态安全建设的成都链安(Beosin)也在此建议,项目方的安全预警机制和安全加固工作切不可等闲视之。寻求第三方安全公司的力量,搭建覆盖全生命周期的一站式安全解决方案方为万全之策。
