BlockSec: DBXen contract attacked, loss of approximately $150,000

CoinFeed reported on March 12th that, according to BlockSec Phalcon monitoring, the DBXen contract suffered an attack this morning, with estimated losses of approximately $150,000. The root cause lies in the inconsistent sender identity under ERC2771 token transactions. In the `burnBatch()` function, the `gasWrapper()` decorator uses `_msgSender()` (the actual user) to update the state, while the callback function `onTokenBurned()` uses `msg.sender` (the forwarder). This causes `accCycleBatchesBurned` to record the user, but `lastActiveCycle` incorrectly updates the forwarder. This inconsistency breaks the logic of `claimFees()` and `claimRewards()`.