On 24 June 2022, Horizon, the asset bridge between Ethereum and Harmony developed by the Layer 1 public chain Harmony, was attacked, with losses of about US$100 million.
So what exactly happened?
Although it was clear on the day of the attack that this was a case of "stolen notary private keys", since you have clicked through, let's go through it properly. Don't worry: there is a little hard-core source code, but the whole piece is in plain language and easy to follow.
- Types of cross-chain bridges and how they work
- Reading the Horizon contract audit report
- Post-mortem analysis of the theft and summary
1. How cross-chain bridges work
Cross-chain, as the name suggests, is about how asset information moves between different blockchains; it is also called interoperability. There are currently more than 50 cross-chain solutions, and they are defined in many different ways.
[Figure: from IOSG, "An overview of cross-chain bridge solutions: who can aggregate multi-chain liquidity"]
1.1 What cross-chain solutions are there?
Broadly, there are two main routes to keeping an asset's value constant on another chain: anchoring by "price" and anchoring "physically".
It sounds complicated at first, but price anchoring is simply stablecoins such as USDT on the various public chains: USDT is pegged 1:1 to the US dollar, so it also counts as a kind of cross-chain asset.
Setting stablecoins aside, the more intuitive cross-chain approach is physical anchoring, where total liquidity is constant. There are many such schemes (notary, sidechain, relay chain, hash locking and so on); we will focus on the notary model.
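The notary model comes in three variants, depending on who the notary is:
- Exchange-guaranteed: for example withdrawing from Binance; all buying and selling happens on the centralized exchange, and it is only realised on withdrawal
- Liquidity-pool bridging: for example bridge.connext, o3swap
- Contract lock-and-mint: the common scheme for official bridges such as polygon/arbitrum/avax/celer, and today's protagonist, harmony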
Because lock-and-mint produces wrapped tokens, it is usually adopted only by official bridges that carry some credibility on their public chain.
Each of these has its strengths and weaknesses: the exchange may run off, liquidity may dry up, or the notary's private keys may be stolen. So far no cross-chain solution has perfectly solved the impossible triangle.
The figure below shows o3swap's total liquidity and trading volume trends, which have fallen 90% over the past six months, perhaps in a steady decline brought on by the theft of staked assets last August.
[Figure: total liquidity and trading volume, from the o3swap website]
1.2 How the Horizon bridge works across chains
The Horizon bridge developed by Harmony is a very standard notary lock-and-mint design.
Why can lock-and-mint be trusted?
Because contracts on a blockchain are immutable: if no backdoor is left, then once a contract is deployed there is no way at all to affect how it runs. This is just like the Bored Ape team transferring all permissions to the zero address: after ownership is renounced, there is no way to mint any more apes, and total liquidity is locked for good.
Likewise, although contracts differ between public chains, if a contract locks 10 ETH on Ethereum and an equally credible contract on another public chain releases 10 wETH, global liquidity is fixed. As long as wETH can be moved back to Ethereum and redeemed for ETH at any time, wETH can be regarded as having the same value as ETH.
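So the core operations are:
- Lock-and-Mint: lock token liquidity on chain A + issue an equal amount of circulating wrapped tokens on chain B
- Burn-and-Release: burn the wrapped tokens on chain B + unlock an equal amount of base-token liquidity on chain A
- Notary: on detecting a Lock event on chain A, goes to chain B to mint the anchored tokens and transfer them to the target address.
[Figure: Horizon bridge flow diagram, from the official GitHub]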
Since assets are locked, the natural way to measure the size of each cross-chain bridge is TVL (total value locked). It is plain to see that after 24 June Horizon's TVL dropped to the bottom in an instant. When a security incident hits, any amount of TVL is like running water: it rushes in as a crowd and scatters just as quickly.
[Figure: Horizon bridge TVL chart, from Dune]
2. Reading the Horizon bridge contract audit report
For many Web3 projects a single incident means that anything short of 100% security is worth essentially zero. So to check a contract's security, multiple attack scenarios are usually simulated and tested, and a security review is run against a checklist to make sure the contract is safe.
Development may take only a few days, but making it reliable enough involves many steps and is expensive (quotes are usually time-based and start at US$100,000).
The core information in an audit report is: risk name, vulnerability description, risk level, security recommendation, fix status, audit result and so on.
The Horizon bridge contract audit was performed by the established audit firm PeckShield, which found 5 vulnerability risks.
Hard to imagine that a mere 3 lines of code can have a bug, isn't it?
The logic for locking a token is actually simple: the user specifies an amount and a target address and, after the user grants an allowance, the contract transfers the USDT into itself to lock it and emits a Locked event, so that the off-chain notary learns the assets have been locked.
But the PeckShield audit found that the LockToken locking function is incompatible with deflationary tokens. If the user passes an amount of 100, the Locked event naturally reports that 100 were successfully locked.
But what if the token is "deflationary"? What if amount shrinks during safeTransferFrom? Then there is a risk that the locked amount is lower than the amount released on chain B.
See the earlier article: [Source code walkthrough] What exactly is the NFT you bought?
Standard protocols use virtual functions as hooks to add logic before and after a transfer, and some tokens may add a transfer fee here in _beforeTokenTransfer, thereby controlling circulating supply to achieve deflation.
Of course Harmony did eventually fix this, reading the balance twice, before and after the transfer, to work out the amount actually locked.
Same piece of code again: hard to imagine that a mere 3 lines not only have a bug, but have 2!
See the earlier article: [Source code walkthrough] What exactly is the NFT you bought?
For safe minting, the standard protocol actually forbids minting to the zero address. If the destination address recipient is set to the zero address when calling lockToken, minting on chain B fails: the tokens are locked into this contract with no cross-chain effect, and if the vault contract has no suitable way to transfer them out, they are locked permanently.
2.3 High-risk finding
The caller of the mint, unlock and similar functions is a single-signature account
In the original code, both mint (minting assets) and unlock (releasing them) could only be performed by the designated notary.
This is exactly why the bridge was hit this time. Harmony did eventually change the notary to a multisig wallet, but only to 3 signers, and once 2 of those private keys are stolen an attacker can do as they please.
[Figure: PeckShield's audit report on the Horizon bridge]
How to put it: they did change it, but it feels perfunctory. The Harmony bridge was even still running while the hacker was taking assets out, which implies that its private keys were even stored in plaintext and copied off by the hacker.
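The two lockToken findings above (deflationary tokens and a zero-address recipient), modelled in Python as an added example. This is not Horizon's Solidity code, and every class, function and constant name in it is hypothetical.

```python
# Added illustration: a Python model, not Horizon's Solidity. All names are hypothetical.
ZERO_ADDRESS = "0x" + "00" * 20
VAULT = "vault"  # stands in for the chain-A locking contract's own address


class FeeOnTransferToken:
    """Constructed deflationary token: burns fee_bps/10000 of every transfer."""

    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def balance_of(self, owner):
        return self.balances.get(owner, 0)

    def transfer_from(self, sender, receiver, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000  # taken inside the transfer hook
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[receiver] = self.balance_of(receiver) + amount - fee


class Vault:
    """Chain-A locker; `events` stands in for the Locked log the notary reads."""

    def __init__(self, token):
        self.token = token
        self.events = []

    def lock_token_naive(self, user, amount, recipient):
        # As audited: trusts the caller-supplied amount and accepts any recipient.
        self.token.transfer_from(user, VAULT, amount)
        self.events.append(("Locked", user, amount, recipient))

    def lock_token_checked(self, user, amount, recipient):
        # Refuse a recipient that the chain-B mint would reject.
        if recipient == ZERO_ADDRESS:
            raise ValueError("recipient is the zero address")
        # Report what actually arrived, measured by balance before and after.
        before = self.token.balance_of(VAULT)
        self.token.transfer_from(user, VAULT, amount)
        received = self.token.balance_of(VAULT) - before
        self.events.append(("Locked", user, received, recipient))


def shortfall(vault):
    """Total announced in Locked events minus what the vault really holds."""
    announced = sum(event[2] for event in vault.events)
    return announced - vault.token.balance_of(VAULT)
```

With a 2% fee token, locking 100 through the naive path leaves a shortfall of 2 between the Locked event and the vault balance; the checked path announces 98 and leaves none.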
Reading the audit report shows just how much authority the cross-chain notary holds: only it can mint and release. So when the hack happened, the cause of the theft could be identified just by looking at its transactions.
For a guide to block explorers, see: When we look at Etherscan, what are we actually looking at?
3.1 Key information
- Attacker's wallet
- Bridge-related addresses
- 13,100 Ether stolen; for details see the transaction link (in the references)
What was executed was the confirmation of a transaction ID (one step in the multisig vote)
Notary confirms -> the number of confirming notaries reaches the threshold -> vault assets are unlocked and transferred to the target address
The logic in the multisig contract code shows that this function performs a notConfirmed check, so only notary addresses previously configured in the system can call it.
It then runs the executeTransaction method, which calls isConfirmed to check; if the number of owners who have confirmed the transaction reaches 2, it internally calls the unlockEth method of the EthManager contract, which finally sends the ETH to the attacker's wallet.
At this point it is obvious: apart from stolen private keys, a contract this simple and clear leaves little room for any other kind of mistake.
While I was at it, I checked the bridge's current balances: the ETH vault still holds 94 ETH, and the ERC20 vault still holds US$300,000 worth of assorted tokens.
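One way a defender could watch for the pattern described above, an unlock on chain A that no burn on chain B backs, as an added example that is not part of the bridge's code. The record layout, field names and all values are constructed for illustration.

```python
# Added illustration: reconcile chain-A unlocks against chain-B burns.
# Field names are assumptions and every record below is constructed.
BURNS_CHAIN_B = [
    {"burn_id": "b-001", "recipient": "0xaaa1", "amount": 5},
    {"burn_id": "b-002", "recipient": "0xbbb2", "amount": 12},
]

UNLOCKS_CHAIN_A = [
    {"tx": "a-101", "burn_id": "b-001", "recipient": "0xaaa1", "amount": 5},
    {"tx": "a-102", "burn_id": "b-002", "recipient": "0xbbb2", "amount": 20},
    {"tx": "a-103", "burn_id": "b-001", "recipient": "0xaaa1", "amount": 5},
    {"tx": "a-104", "burn_id": "b-999", "recipient": "0xccc3", "amount": 500},
]


def unbacked_unlocks(burns, unlocks):
    """Return (tx, reason) for every unlock not backed by exactly one burn."""
    burn_by_id = {burn["burn_id"]: burn for burn in burns}
    released = set()  # burns that have already paid out once
    findings = []
    for unlock in unlocks:
        burn = burn_by_id.get(unlock["burn_id"])
        if burn is None:
            # Signed by the notaries, but nothing was burned on chain B.
            findings.append((unlock["tx"], "no matching burn"))
        elif unlock["burn_id"] in released:
            findings.append((unlock["tx"], "burn already released"))
        elif (burn["recipient"], burn["amount"]) != (
            unlock["recipient"],
            unlock["amount"],
        ):
            findings.append((unlock["tx"], "recipient or amount differs from burn"))
        else:
            released.add(unlock["burn_id"])
    return findings


if __name__ == "__main__":
    for tx, reason in unbacked_unlocks(BURNS_CHAIN_B, UNLOCKS_CHAIN_A):
        print(f"ALERT {tx}: {reason}")
```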
4. Reflections and summary
Harmony immediately offered US$1 million, asking the hacker to return the assets and promising not to pursue liability. But even if the hacker returned them and the team did not pursue the matter, other parties would still bring a prosecution, so the hacker's best route is simply to do everything possible to obscure the origin of the stolen assets.
As of 29 June, the attacker had moved about 35,000 ETH (roughly US$39 million) into Tornado Cash, a common mixer. Although a blockchain is a public ledger and any transaction can be traced, a mixer is like pooling the transactions of 100 people: it is not possible to tell exactly which funds ended up in whose hands.
Harmony's multisig implementation records every vote on-chain; perhaps for cost reasons it had only 3 notaries. That early cost-saving ended up losing everything.
To improve on this, distributed custody could be used: hand custody to an MPC (Multi-Party Computation) notary network, which stays secure as long as no more than a certain fraction of nodes act maliciously at the same time.
Even with few notaries, one can look to the SGX trusted-computing technology used by the Avalanche Bridge.
[Figure: "Avalanche Bridge: protecting cross-chain assets with Intel SGX"]
At root this is still indifference to the importance of security: according to the roadmap written in the bridge's open-source code, a usable bridge was delivered 2 years ago, yet further hardening was put off again and again.
References:
- IOSG, "An overview of cross-chain bridge solutions: who can aggregate multi-chain liquidity"
- Horizon bridge official Git: https://github.com/harmony-one/ethhmy-bridge
- Horizon bridge TVL chart: https://dune.com/queries/118245
- Theft transaction link: https://etherscan.io/tx/0x27981c7289c372e601c9475e5b5466310be18ed10b59d1ac840145f6e7804c97
- PeckShield's audit report on the Horizon bridge: https://docs.harmony.one/home/general/bridges/horizon-bridge/audit
- "Avalanche Bridge: protecting cross-chain assets with Intel SGX"