A closer look at the recent THORSwap and THORChain incidents, the bounty programs, and the broader implications for crypto security.
THORSwap, THORChain, and Bounties: Navigating Crypto Security in the Wild West
The world of decentralized finance (DeFi) moves fast, and recent events surrounding THORSwap, THORChain, and their bounty programs highlight both the promise and the perils of this exciting frontier. With a $1.2 million exploit linked to THORChain's founder, the spotlight is once again on security.
The $1.2 Million Incident: A Personal Wallet Breach
Recently, THORSwap issued a bounty offer following a $1.2 million exploit. Initial reports suggested a THORChain protocol vulnerability, but it was later clarified that the attack targeted a personal wallet belonging to THORChain co-founder John-Paul Thorbjornsen.
Blockchain security firm PeckShield flagged the incident, which sent ripples through the crypto community. According to on-chain messages, THORSwap offered a reward for the return of the stolen funds, promising no legal action if the assets were returned within 72 hours. The message was simple: “Bounty offer: Return $THOR for reward. Contact @thorswap.finance or THORSwap discord for OTC deal.”
Social Engineering and Security Lapses
The breach appears to have been the result of a sophisticated social engineering attack. Blockchain analyst ZachXBT suggested North Korean hackers were involved, alleging that $1.35 million was stolen from Thorbjornsen’s wallet via a Telegram scam involving a deepfake Zoom call.
Thorbjornsen admitted that the MetaMask wallet linked to the attack was unprotected and stored in a logged-out Chrome profile. This contained both staked assets and personal funds. He speculated that 0-day exploits may have been used to access his iCloud Keychain or Chrome profile.
THORSwap's Response and Clarification
THORSwap was quick to clarify that the THORChain protocol itself was not compromised. CEO Paper X stated that the incident was isolated to a user's personal wallet and did not affect the THORChain or THORSwap infrastructure.
The focus shifted to recovering the stolen assets, which included $1.03 million in Kyber Network tokens and $320,000 in THORSwap tokens. The bounty offer was a proactive attempt to recover the funds without further complications.
Recurring Security Concerns with THORChain
This isn't the first time THORChain has faced security challenges. THORChain has dealt with multiple exploits since 2021, including attacks that drained about $13 million in just a few weeks. There was also the network insolvency announcement earlier this year that revealed a $93 million shortfall and hundreds of millions in debts. These incidents raise questions about the robustness of the platform.
Cross-Chain Swaps and Inherent Risks
Cross-chain swaps, while innovative, introduce inherent security risks. These systems act as bridges between different blockchains, often becoming vulnerable points of attack. The Bybit exploit earlier this year saw roughly $1.2 billion in stolen Ethereum flow through THORChain, highlighting how these platforms can be used to obfuscate illicit funds.
Broader Implications for Crypto Security
This incident serves as a stark reminder of the importance of robust personal wallet security. As the crypto landscape evolves, so do the tactics of malicious actors. Thorbjornsen’s advice to avoid storing sensitive keys on cloud services like iCloud or Google Drive is crucial.
The industry is continually experimenting with security enhancements like zero-knowledge proofs, multi-party computation wallets, and AI-driven monitoring. However, attackers often stay one step ahead. The consensus is that users need to use multi-device threshold signature wallets, such as Vultisig, to protect assets more securely.
Final Thoughts: DeFi's Ongoing Balancing Act
So, where does this leave us? DeFi is still a bit like the Wild West, full of potential but also fraught with risk. While million-dollar losses might seem modest compared to billion-dollar hacks, they send a clear message: proceed with caution. Keep those keys safe, stay vigilant, and remember that in the world of crypto, security is everyone's responsibility. Stay safe out there, folks!