AC25 Delegated Authorization Incident - PPX 旧主网系统资金链路
确认:主盗款路径已在文档口径内确认进入 Tornado Cash 170 ETH;该 BSC 攻击地址与 ETH 中转地址仍留有残留。
| 项 | 内容 |
|---|---|
| 系统版本 | 旧 PPX 主网系统:deployments/bscmainnet.latest.json |
| 阶段 | v2_referral_tree_import_completed |
| 部署/迁移记录时间 | 2026-06-02T21:47:08.405Z |
| Live read 区块 | 103818979 |
| 攻击执行地址 | 0x0c8b9d0a7e5Bd2E66270aD02FF1E4EFa6BADface |
| 原管理账户 | 0xAC25dA7FdEEEaDf2943EBF505Fa9739CBD111bD8 |
| 核心结论 | VaultDex/EcoReservePool 资产经 BSC 端换汇后通过 Relay 兑付到 ETH,再进入 Tornado Cash;已确认 170 ETH 最终进入 Tornado。 |
| 角色/模块 | 地址 | 说明 |
|---|---|---|
| 攻击执行地址 | 0x0c8b9d0a7e5Bd2E66270aD02FF1E4EFa6BADface | BSC 与 ETH 共用控制与兑付入口 |
| 原管理账户 | 0xAC25dA7FdEEEaDf2943EBF505Fa9739CBD111bD8 | AC25 源管理账户 |
| PPXToken | 0xF2E9573E972323395F839847F636AaF7a48F9Eb8 | 被转移 owner;后续配合升级与铸造/出售动作 |
| VaultDex | 0xfBB0B7c70D92DcD7D89b5eE110c6CBBD880Fcc23 | 升级后执行 withdrawAllERC20 提走 LP |
| EcoReservePool | 0xB48d44c12a02930b6aeFeB6edF0DF7D713b5805D | 升级后提取 PPX |
| PPX/USDT Pair | 0xEA5b2cd7EE62b7eCaD5DDF7Ea5FAbb676398d0e2 | LP 移除与 PPX 卖出发生地 |
| USDT | 0x55d398326f99059fF775485246999027B3197955 | BSC USDT |
| RelayRouterV3 | 0xb92fe925dc43a0ecde6c8b1a2709c170ec4fff4f | 跨链入金路由 |
| Relay Depository | 0x4cD00E387622C35bDDB9b4c962C136462338BC31 | BSC Relay USDC 沉淀地址 |
| ETH 中转地址 | 0x4d386677e9376fad04d77f7ec396412349013fd3 | 170.5 ETH 汇总并向 Tornado 入口转账 |
| Tornado Router | 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b | ETH 主网混币入口 |
flowchart TD
A["0x0c8b9d0a7e5Bd2E66270aD02FF1E4EFa6BADface\n攻击执行地址(BSC/ETH)\n当前余额:0.010957 ETH / 6.3353551376394925 BNB"]:::root
A --> B["VaultDex 升级与授权\nTx: 0x2b91ae8698386d12c6864fdc149dd12ca5e9d42595924ff9a14c3620e7398ac9"]
B --> C["VaultDex LP 被提取\n273,313.556268102896865457 LP"]
C --> D["Pair 移除 LP 交易\nTx: 0xff10ba8f63d79961406cf3eb5d3f4cfc7ac1518404ac8543af9da1d4010e17eb"]
D --> D1["USDT 107,090.287801266371388920 USDT"]
D --> D2["PPX 665,213.880751980119384825 PPX"]
D1 --> E1["聚合兑换 USDT→WBNB/BNB\n约 176.80813412 BNB\nTx: 0x7d87139adc73b0ee86edbcb31c04f97273484e249e1f42ebbb8aa08adedfe48b"]
D2 --> E2["PPX 卖出\n598,692.492676782072521746 PPX\nTx: 0x549fd7452188db2455ed33c7bbc0a9c9a79e6ec778a593eb49e91b4acc88a129"]
E2 --> E3["聚合兑换 PPX→USDT→WBNB\n64,878.714371268230024725 USDT\n约 107.408531416741681142 BNB\nTx: 0x549fd7452188db2455ed33c7bbc0a9c9a79e6ec778a593eb49e91b4acc88a129"]
E1 --> R1["Relay 入金 1\nTx: 0x57da935476b9736b2c66f35b9f3bc33a217a4b4109df1247d39794b668635c7c\n283.9607636306249 BNB\n171,397.554337959736585617 USDC"]
E3 --> R1
R1 --> H1["Relay兑付\n96.48075526441096 ETH\nTx: 0xd04260f9fd8e73f624b48d87a3f3a743f3dfe871c6f1a089d8097e6c3022dc59"]
A --> P1["EcoReservePool 提取\n97,904,957.57085137 PPX\nTx: 0x37c6787b621ab549dcc6820defcdacc6f264f451b1631418ddb3dbc77a497e66"]
P1 --> P2["PPX 卖出\n93,009,709.692308813333511353 PPX\nTx: 0xa85bfd1fa3c028c36f78b02ecb1daa472a19b071c4b3cea64d360ab789b141c6"]
P2 --> P3["聚合输出 217.83291908 BNB\nTx: 0xa85bfd1fa3c028c36f78b02ecb1daa472a19b071c4b3cea64d360ab789b141c6"]
P3 --> R2["Relay 入金 2\nTx: 0x8e44452b3be3c1b11c614769eb35f8aba859b9982d6aeedd40c513e0f70b05e2\n217.8985259187817 BNB\n131,859.853910491103306413 USDC"]
R2 --> H2["Relay兑付\n74.00756165402126 ETH\nTx: 0xedde5f18001806af736381de966d9b89e706518c28413902a477720a3c686f12"]
H1 --> A
H2 --> A
A --> M["ETH 中转地址\n0x4d386677e9376fad04d77f7ec396412349013fd3\n当前余额:0.475675 ETH"]:::mid
M --> I1["Tornado 入金\n100 ETH\nTx: 0x93e5e23844ec8ce4dcce021dfbd15a00b544228c008e007beeff70d43b5ad7df"]:::leaf
M --> I2["Tornado 入金\n10 ETH\nTx: 0x2261c713f1e923dbafa8f3eeb49037d1cbf3c0b0c877e0816980b890759ebf78"]:::leaf
M --> I3["Tornado 入金\n10 ETH\nTx: 0x35acef069fc16144e24cbb612a211750b4788fa95430c82548ba50fab303873f"]:::leaf
M --> I4["Tornado 入金\n10 ETH\nTx: 0x48f1e42350ce504f3e573f87375d4737cc88c226d814e0aaa99581baa7911559"]:::leaf
M --> I5["Tornado 入金\n10 ETH\nTx: 0xae76a609363ce8993f02600da901ea014f0cfd6ca2a503d6629e2e6f194f49ae"]:::leaf
M --> I6["Tornado 入金\n10 ETH\nTx: 0xc459b4f1dbeab3c84555f0de3062da4fdcd4cf1e3c917001c1abcdec2123d274"]:::leaf
M --> I7["Tornado 入金\n10 ETH\nTx: 0xf8dbd0bc0ecf3399824fb3fb8c63ca98b08ad3082f41d05066a45b923100c5dd"]:::leaf
M --> I8["Tornado 入金\n10 ETH\nTx: 0xebd5e482d70713da7679f2a471a2d9d204570dac872174d7ab5007fcfb077f4d"]:::leaf
A --> X["Tornado 出金强候选路径(继续追踪)\n约 100+70 ETH"]:::branch
X --> Y["0xb60db028df45d26650d60a3c3fb23227aa3cc144\n入账约169.2605927139 ETH\n剩余约 95.7506560646 ETH"]
Y --> Z["0x24c926c6eabede827e163072b16ce81e9f6a9604\n外放 73.51 ETH\nTx: 0x4767fc6ad88eb3a78396667a03272c1f65a6e60c8d3a39d0a123afb8fda9d554"]
Z --> W["0x922020d6a3ac1d002cdf64f303bc1aad64ca7f05\n分三笔到终点"]
W --> W1["分支 Tx1:32 ETH\nTx: 0xcb0e910f2f92b02851c9b1bc3aac8ae284116454ca477e1dcc2dfc19a76b5c62"]
W --> W2["分支 Tx2:31 ETH\nTx: 0x755e4b8395928bfce61d78d449e623c94eac0a3601248ab97f4e385fd6e82587"]
W --> W3["分支 Tx3:10.509920327 ETH\nTx: 0xa5ab9e1d7dbd5b0807d6e77a68417914f3799987f7e8713a1c9d4096ffa32968"]
W1 --> V1["0x3563015e9f5694afe5d8cd86233f77557da704cc\n32.000017591 ETH"]:::leaf
W2 --> V2["0x3563015e9f5694afe5d8cd86233f77557da704cc\n30.999990938 ETH"]:::leaf
W3 --> V3["0x3563015e9f5694afe5d8cd86233f77557da704cc\n10.509893472 ETH"]:::leaf
click B "https://bscscan.com/tx/0x2b91ae8698386d12c6864fdc149dd12ca5e9d42595924ff9a14c3620e7398ac9" "BSC 交易"
click D "https://bscscan.com/tx/0xff10ba8f63d79961406cf3eb5d3f4cfc7ac1518404ac8543af9da1d4010e17eb" "BSC 交易"
click E1 "https://bscscan.com/tx/0x7d87139adc73b0ee86edbcb31c04f97273484e249e1f42ebbb8aa08adedfe48b" "BSC 交易"
click E2 "https://bscscan.com/tx/0x549fd7452188db2455ed33c7bbc0a9c9a79e6ec778a593eb49e91b4acc88a129" "BSC 交易"
click E3 "https://bscscan.com/tx/0x549fd7452188db2455ed33c7bbc0a9c9a79e6ec778a593eb49e91b4acc88a129" "BSC 交易"
click R1 "https://bscscan.com/tx/0x57da935476b9736b2c66f35b9f3bc33a217a4b4109df1247d39794b668635c7c" "BSC 交易"
click H1 "https://etherscan.io/tx/0xd04260f9fd8e73f624b48d87a3f3a743f3dfe871c6f1a089d8097e6c3022dc59" "Etherscan 交易"
click P1 "https://bscscan.com/tx/0x37c6787b621ab549dcc6820defcdacc6f264f451b1631418ddb3dbc77a497e66" "BSC 交易"
click P2 "https://bscscan.com/tx/0xa85bfd1fa3c028c36f78b02ecb1daa472a19b071c4b3cea64d360ab789b141c6" "BSC 交易"
click P3 "https://bscscan.com/tx/0xa85bfd1fa3c028c36f78b02ecb1daa472a19b071c4b3cea64d360ab789b141c6" "BSC 交易"
click R2 "https://bscscan.com/tx/0x8e44452b3be3c1b11c614769eb35f8aba859b9982d6aeedd40c513e0f70b05e2" "BSC 交易"
click H2 "https://etherscan.io/tx/0xedde5f18001806af736381de966d9b89e706518c28413902a477720a3c686f12" "Etherscan 交易"
click I1 "https://etherscan.io/tx/0x93e5e23844ec8ce4dcce021dfbd15a00b544228c008e007beeff70d43b5ad7df" "Etherscan 交易"
click I2 "https://etherscan.io/tx/0x2261c713f1e923dbafa8f3eeb49037d1cbf3c0b0c877e0816980b890759ebf78" "Etherscan 交易"
click I3 "https://etherscan.io/tx/0x35acef069fc16144e24cbb612a211750b4788fa95430c82548ba50fab303873f" "Etherscan 交易"
click I4 "https://etherscan.io/tx/0x48f1e42350ce504f3e573f87375d4737cc88c226d814e0aaa99581baa7911559" "Etherscan 交易"
click I5 "https://etherscan.io/tx/0xae76a609363ce8993f02600da901ea014f0cfd6ca2a503d6629e2e6f194f49ae" "Etherscan 交易"
click I6 "https://etherscan.io/tx/0xc459b4f1dbeab3c84555f0de3062da4fdcd4cf1e3c917001c1abcdec2123d274" "Etherscan 交易"
click I7 "https://etherscan.io/tx/0xf8dbd0bc0ecf3399824fb3fb8c63ca98b08ad3082f41d05066a45b923100c5dd" "Etherscan 交易"
click I8 "https://etherscan.io/tx/0xebd5e482d70713da7679f2a471a2d9d204570dac872174d7ab5007fcfb077f4d" "Etherscan 交易"
click Z "https://etherscan.io/tx/0x4767fc6ad88eb3a78396667a03272c1f65a6e60c8d3a39d0a123afb8fda9d554" "Etherscan 交易"
click W1 "https://etherscan.io/tx/0xcb0e910f2f92b02851c9b1bc3aac8ae284116454ca477e1dcc2dfc19a76b5c62" "Etherscan 交易"
click W2 "https://etherscan.io/tx/0x755e4b8395928bfce61d78d449e623c94eac0a3601248ab97f4e385fd6e82587" "Etherscan 交易"
click W3 "https://etherscan.io/tx/0xa5ab9e1d7dbd5b0807d6e77a68417914f3799987f7e8713a1c9d4096ffa32968" "Etherscan 交易"
click V1 "https://etherscan.io/tx/0x3b07ae8034db666db54783b82e145f45b7e06d20d427503227d1f9a821a0b47f" "Etherscan 交易"
click V2 "https://etherscan.io/tx/0x1b5ea5bc4cebeeb8318615c42d6c6f5633f9b05dd92ba6ac8d3afff2d049c87c" "Etherscan 交易"
click V3 "https://etherscan.io/tx/0x1abdaa075e2b214d3d8d8613c02159e85e34be740a6a08da46a66a2a8ff8be81" "Etherscan 交易"
classDef root fill:#312e81,stroke:#818cf8,color:#e0e7ff
classDef mid fill:#1f2937,stroke:#60a5fa,color:#bfdbfe
classDef branch fill:#1f2937,stroke:#34d399,color:#d1fae5
classDef leaf fill:#111827,stroke:#f59e0b,color:#fde68a
文档给出的候选接收链路如下:
| 步骤 | 链 | 路径 | 金额 | 说明 |
|---|---|---|---|---|
| 1 | ETH | 0x4d386677e9376fad04d77f7ec396412349013fd3 → 0xb60db028df45d26650d60a3c3fb23227aa3cc144 | 共 169.2605927139 ETH 中入账 95.7506560646 ETH | 该地址后续继续分发 |
| 2 | ETH | 0xb60db028df45d26650d60a3c3fb23227aa3cc144 → 0x24c926c6eabede827e163072b16ce81e9f6a9604 | 73.51 ETH | 第一段外放 |
| 3 | ETH | 0x24c926c6eabede827e163072b16ce81e9f6a9604 → 0x922020d6a3ac1d002cdf64f303bc1aad64ca7f05 | 32 ETH + 31 ETH + 10.509920327 ETH | 分三笔 |
| 4 | ETH | 0x922020d6a3ac1d002cdf64f303bc1aad64ca7f05 → 0x3563015e9f5694afe5d8cd86233f77557da704cc | 32.000017591 ETH + 30.999990938 ETH + 10.509893472 ETH | 分三笔 |
| 5 | ETH | 终点 | 0x3563015e9f5694afe5d8cd86233f77557da704cc 约 120.6918915071 ETH | 非完全清空式转移 |
对“100ETH + 7x10ETH”强候选路径中可核验到的终点分账如下(完整地址与交易):
| 账户 | 对应交易 | 金额(ETH) | 说明 |
|---|---|---|---|
| 0xb60db028df45d26650d60a3c3fb23227aa3cc144 | 自 0x4d3866... 到该分支(强候选入口) | 169.2605927139 | 该入口口径上报到的可核验总额(约170ETH) |
| 0x3563015e9f5694afe5d8cd86233f77557da704cc | 0x3b07ae8034db66... | 32.000017591 | 来自 0x922020... 分笔 Tx1 |
| 0x3563015e9f5694afe5d8cd86233f77557da704cc | 0x1b5ea5bc4cebe... | 30.999990938 | 来自 0x922020... 分笔 Tx2 |
| 0x3563015e9f5694afe5d8cd86233f77557da704cc | 0x1abdaa075e2b21... | 10.509893472 | 来自 0x922020... 分笔 Tx3 |
| 0x3563015e9f5694afe5d8cd86233f77557da704cc | 汇总(3笔) | 73.509902001 | 当前链路内可核验到的累计转入 |
| 0xb60db028df45d26650d60a3c3fb23227aa3cc144 | 链上余额快照口径 | 95.7506560646 | 该地址在本强候选分支内的剩余未继续核验部分(非完全清空) |
| 项目 | 链 | 金额 | 说明 |
|---|---|---|---|
| 文档列示 BSC 残留(攻击地址) | BSC | 约 6.3353551376394925 BNB | 未并入 170 ETH 主线 |
| 文档列示 ETH 残留(攻击地址) | ETH | 约 0.010957 ETH | 非最终大额 |
| 文档列示 ETH 中转残留 | ETH | 约 0.475675 ETH | 在 0x4d386677e9376fad04d77f7ec396412349013fd3 侧 |
说明:该树图已补齐可核验的完整地址、完整交易哈希与金额;“7x10 + 100 ETH”链路已按完整交易明细呈现。