BTC $62,632.23 -0.62%
ETH $1,787.96 +0.37%
BNB $569.73 +0.11%
XRP $1.06 -0.83%
SOL $75.03 -1.69%
TRX $0.3246 -1.57%
DOGE $0.0720 -0.32%
ADA $0.1585 -0.68%
BCH $236.21 -0.82%
LINK $7.92 -0.76%
HYPE $63.57 -2.18%
AAVE $96.04 +0.84%
SUI $0.7311 -0.11%
XLM $0.1780 -3.05%
ZEC $506.32 -1.67%
BTC $62,632.23 -0.62%
ETH $1,787.96 +0.37%
BNB $569.73 +0.11%
XRP $1.06 -0.83%
SOL $75.03 -1.69%
TRX $0.3246 -1.57%
DOGE $0.0720 -0.32%
ADA $0.1585 -0.68%
BCH $236.21 -0.82%
LINK $7.92 -0.76%
HYPE $63.57 -2.18%
AAVE $96.04 +0.84%
SUI $0.7311 -0.11%
XLM $0.1780 -3.05%
ZEC $506.32 -1.67%

GoPlus:Lumi Finance 遭襲主因系智能帳戶合約簽名驗證存在缺陷

2026-07-14 16:33:58
收藏

ChainCatcher 消息,据 GoPlus 分析,Arbitrum 上的 Lumi Finance 于 7 月 13 日遭攻擊,損失約 27 萬美元。

漏洞源於 Sodium 智能帳戶合約(ERC-4337)中的 validateUserOp 函數在調用 _validateSignature 驗證簽名時存在邏輯缺陷------執行 isValidSignatureNow 時,signer 參數傳遞的是攻擊者地址,調用 ECDSA.tryRecover 出錯後未 revert,轉而調用攻擊合約中的 isValidSignature 函數並通過驗證。攻擊者利用該漏洞在 UserOperation 驗證期間執行 Token approve 操作,未經支付方允許即從多個智能帳戶中獲取 ERC20 代幣的批准權限。

app_icon
ChainCatcher 與創新者共建Web3世界