Incident description: after Flux mining was stopped and mining switched to ZO, i.e. after January 14, any wallet that performed its first deposit or borrow operation in the Flux protocol could then click the [Claim Flux] button and receive FLUX. The more a wallet deposited or borrowed, the more FLUX it could claim. An attacker discovered this flaw and began exploiting it with scripts on the 23rd; until the fix on February 1, a total of 1713589.56 FLUX tokens were lost.
Incident impact: effectively an unintended issuance of additional tokens.
Improvement plan: for future major changes, upgrades and maintenance, in addition to internal testing, the community will be broadly invited to take part in testing to reduce mistakes, and a clear incentive program for vulnerability discovery will be set up.
Resolution: the team intends to burn an equal amount of tokens from the team's allocation; the final approach will be fully discussed with the community.
Note: Flux has been running in production for a full year; the deposit/borrow contracts have had no security incidents, and the ZO Token contract has no security issues.
Full report: https://drive.google.com/file/d/1ZcSaQZ9EMP-3kRaJ7Hx6ISMvD6UP8gZ4/view?usp=sharing