Munchables 黑客行为比看起来更糟糕

3 月 26 日星期二，基于以太坊的 NFT 项目 Munchables 报告称，一次黑客攻击导致其金库流失了超过 17,400 ETH（约 6300 万美元）。

经过五个小时的调查，很明显袭击来自房屋内部：一名化名“Werewolves0943”的受雇开发商耗尽了资金。

内部人士窃取项目资金在加密货币领域很常见，以至于“拉扯”一词是常见的说法——但这种情况的独特之处在于，雇佣的人员据称与朝鲜有联系。

这是 Node 时事通讯的摘录，该时事通讯是 CoinDesk 及其他领域最关键的加密货币新闻的每日综述。

您可以在此处订阅以获取完整的新闻通讯。

经过 Munchables 与独立区块链调查员 ZachXBT 和安全公司 PeckShield 领导的一个小时的谈判后，Werewolves0943 被说服归还所有资金。

“Munchables 开发者已共享所有涉及的私钥，以协助追回用户资金。

具体来说，持有 62,535,441.24 美元的密钥、持有 73 WETH 的密钥以及包含其余资金的所有者密钥，”Munchables 团队于世界标准时间凌晨 4:40 发布消息。

虽然这似乎是对价值相对较低的黑客的一个足够令人高兴的解决方案，但 Munchables 漏洞可能会给加密行业带来一长串的不良后果。

最重要的是，虽然尚未证实朝鲜确实参与了这次袭击，但许多人愿意从表面上接受这一事实，这有助于进一步推动一种危险的说法，即加密货币正在帮助侵蚀国防和安全。支持恐怖组织。

链上分析公司 Chainaanalysis 收集的 2016 年至 2023 年数据显示，朝鲜仅在去年就入侵了至少 20 个加密平台，窃取了价值略高于 10 亿美元的资产。

TRM 实验室的另一份报告在很大程度上证实了这些发现。

Chainaanalysis 在报告中表示：“过去几年，与朝鲜有关的黑客攻击不断增加，Kimsuky 和 ​​Lazarus Group 等网络间谍组织利用各种恶意手段获取大量加密资产。”

早期研究发现，与朝鲜有关的黑客正在利用价值数十亿美元的被盗加密战利品来资助隐士王国的核武器计划。

这些攻击是美国财政部采取前所未有的行动制裁 Tornado Cash 加密货币混合器智能合约的重要原因，也是马萨诸塞州民主党参议员伊丽莎白·沃伦 (Elizabeth Warren) 真诚地将加密货币称为“国家安全风险”的重要原因。

“Real talk: the greatest policy threat to crypto by far is the allegation that North Korea funds its missile program by hacking smart contracts,” Variant Fund CEO Jake Chervinsky wrote on X. If crypto is banned, “It will be caused by an increasingly common view among anti-crypto policymakers that crypto doesn't have a use case other than gambling and crime, and that the risk of allowing crypto to continue to exist far outweighs the potential benefits that blockchain developers have promised but not delivered for years.”

The Munchables attack only adds to this image. In fact, it’s slightly worse in that this wasn’t an outside actor exploiting poorly written code, but a complete failure of due diligence on part of a multi-million dollar blockchain project when hiring developers. It puts a whole new spin on the idea of “social engineering” when apparent threat actors can not only manipulate an insider for critical information, but be paid to be on the inside.

According to Ethereum developer 0xQuit, the Munchables attack had been planned from the outset. The attacker was able to upgrade the “lock contract,” meant to keep the project’s funds under lock and key for a specific period of time, so he could “assign himself a deposited balance of 1,000,000 ether” while also hiding evidence of the changes, 0xQuit claimed.

See also: Calling a Hack an Exploit Minimizes Human Error | Opinion

Of course, this isn’t an issue for the crypto industry alone: For years, the Federal Bureau of Investigations and Republic of Korea have been issuing warnings as to North Korean “tradecraft” of exploiters gaining access to key infrastructure through employment. “The hiring or supporting of DPRK IT workers continues to pose many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences,” the agencies wrote in a recent public service announcement.

Roll back

Apart from the embarrassment of having at least one North Korean hacker working on the inside of projects they intend to rob, the crypto community’s response to the Munchables attack also laid bare exactly how vulnerable these systems are. For instance, several people on Crypto Twitter suggested that, because Munichables was on the controversial Blast blockchain, which is maintained essentially by a simple multi-sig wallet, that the Blast team could intervene by rolling back the chain to recover the stolen funds.

“While I’m strongly against this action on any other chain, I don’t take Blast as a brand of ‘serious decentralization chain’ but instead as a place for games, experiments, degenry, etc.,” Adam Cochran, an influential voice in Ethereum circles and Cinneamhain Ventures partner, said in support of the potential rollback.

If you can roll back a chain in order to return money, you roll it back. Then you keep rolling. You roll it all the way back to a point before blockchains, a simpler time, a time of human prosperity. Please just roll back all the blockchains.

— 格沃特 (@GwartyGwart) 2024 年 3 月 27 日

毫无疑问，Blast 是一个有争议的网络——一个在没有原型的情况下就筹集了超过 10 亿美元的网络——但它与其他 OP Stack 第 2 层的构建方式没有什么不同。

例如，在 Eric Wall 提醒他的追随者 Blast 和 Coinbase 的 Base 网络本质上运行相同的代码库之后，Base 的主要开发人员 Jesse Pollack 在推特上表示 Base 的“密钥不受任何一方或实体控制”。

相反，Base 由 2/2 多重签名钱包控制，理论上，如果双方同意，该钱包也可以回滚链。

另请参阅：6 亿美元的 Poly Heist 表明 DeFi 需要黑客才能变得不可破解 |

观点

目前，即使开发这些解决方案的团队通常遵循无许可访问和不审查用户的原则，但以太坊扩展解决方案还没有真正像人们所理解的那样“去中心化”。

正如切尔文斯基指出的那样，从某种意义上说，许多“了解中心化技术和去中心化技术之间的区别”的政策制定者会选择前者，因为这意味着创始人仍然可以控制链上发生的事情。

“但最终，行业建筑商有责任做得更好，”他补充道。

标签：黑客