Axelar Network: "Security incident caused by an unlimited-minting vulnerability in a third-party token contract"
https://t.co/yuqlijzjC6 https://t.co/WDeRkWgewK
The only utility we have gotten from these privacy protocols is letting exploiters move illicit funds without anyone (in almost every case) knowing where the money went 😭😂
In short, we built privacy technology for exploiters, not for real users. Just look at the Aztec protocol's vulnerability, Zcash's security flaws, the Zama contract whose illicit-actor funds were seized by Circle, and now the Axelar case.
The Secret post-mortem is out. The real story: the people who modified that bridge didn't understand how its own authentication worked. No outside auditor was ever asked to check it. And for three years, no attacker understood it either. The bridge held until (my bet) an AI finally read the contract and saw what every human had missed.
The miss is almost dumb in hindsight. The contract started as an escrow bridge, a coat check: it only ever hands back a coat someone checked in earlier, so "is this deposit real?" was answered for free by the ticket logic.
Then it was forked to mint Axelar tokens instead. Minted tokens were never checked in, so the ticket logic didn't fit and got deleted. Whoever did that didn't realize those exact functions were the only thing verifying which chain a deposit came from. The Allow List that replaced them checked which token could be minted, never its source.
So the door was open from January 2023. Then someone spun up a fake chain, named a real asset like USDT, and minted $4.67M out of nothing.
The lesson isn't really about Secret. For three years, finding this took a human willing to read the whole contract, and nobody did. That barrier is gone. An AI reads all of it, closely, for cents. So if your contract is public and hasn't been through an AI audit, assume the attacker's AI is already reading it. Audit yours first.
Secret post-mortem https://t.co/kBT1f9Xu0H
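A model of the check the thread describes, added here as an example in Rust and not code from the bridge or the post-mortem: an escrow bridge gets source verification for free from its tickets, the forked mint bridge's allow list keyed on the token name alone accepts a deposit from any chain that claims a real asset name, and binding the allow list to (source chain, token) refuses it. The `Deposit` fields and the chain names are constructed assumptions.

```rust
use std::collections::HashSet;

/// Inbound cross-chain message as the bridge sees it. Constructed for this
/// example; the field names are assumptions, not the bridge's own types.
pub struct Deposit { pub source_chain: String, pub denom: String, pub amount: u128 }

/// A (chain, asset) pair: an escrow ticket, or one entry of a chain-bound allow list.
pub type ChainAsset = (String, String);

fn key(d: &Deposit) -> ChainAsset { (d.source_chain.clone(), d.denom.clone()) }

/// Escrow ("coat check") bridge: releases only what was checked in earlier, so
/// the ticket itself proves which chain the asset came from.
pub fn escrow_release(tickets: &HashSet<ChainAsset>, d: &Deposit) -> bool {
    tickets.contains(&key(d))
}

/// The fork as the thread describes it: ticket logic deleted and replaced by an
/// allow list keyed on the token name alone. The source chain is never consulted.
pub fn weak_mint(allowed_denoms: &HashSet<String>, d: &Deposit) -> bool {
    allowed_denoms.contains(&d.denom)
}

/// Hardened variant: each token is bound to the chain it may arrive from, so a
/// real asset name arriving from an unregistered chain is refused.
pub fn mint(allowed: &HashSet<ChainAsset>, d: &Deposit) -> bool {
    allowed.contains(&key(d))
}

/// Returns (weak accepts, hardened accepts) for a constructed deposit that
/// carries a real asset name but claims a chain the bridge never registered.
pub fn demo() -> (bool, bool) {
    let denoms: HashSet<String> = HashSet::from(["USDT".to_string()]);
    let bound: HashSet<ChainAsset> =
        HashSet::from([("ethereum".to_string(), "USDT".to_string())]);
    let forged = Deposit { source_chain: "fake-chain".into(), denom: "USDT".into(), amount: 1 };
    (weak_mint(&denoms, &forged), mint(&bound, &forged))
}

fn main() {
    let (weak, fixed) = demo();
    println!("token-only allow list mints: {weak}; chain-bound allow list mints: {fixed}");
}
```

Running it prints that the token-only allow list mints and the chain-bound one does not; the same (chain, asset) key is what the deleted escrow tickets had been checking all along.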