- Bybit was not hacked directly
- The problem was in the multi-sig service Safe
- Bybit used Safe to confirm transactions
- Bybit’s systems were not compromised
Almost a week after the Bybit security incident, details have emerged from two cybersecurity companies, Verichains and Sygnia Labs, which have confirmed the assumption that Bybit was not compromised and the vulnerability was on the side of the multi-sig service Safe.
So Bybit Was Not Hacked?
Recall that Bybit turned out to be a record-breaking $1.4B loss incident but also showed record-breaking speed of rebalancing and unprecedented support from partners and big players in the crypto industry.
Now, the buzz has started to go down and the ZachXBT investigation that began pointing to the role of North Korean hackers, namely Lazarus Group, is ongoing and has received new details.
Two leading cybersecurity firms Verichains and Sygnia Labs conducted independent investigations and concluded that the accusations against the technical security of Bybit’s systems were probably hasty.
Although when the details of the incident were shared by Bybit CEO Ben Zhou we immediately assumed that the problem might not be on the exchange’s side, but rather the multi-sig Safe service they use for regular transfers of funds from their cold wallets to hot wallets.
To elaborate, their report points to the following sequence:
Proxy wallet management compromise
- At 14:13:35 UTC, an attacker initiates a transaction through SafeWallet
- Uses delegatecall to a GnosisSafe contract that trusts SafeWallet
Spoofs the logic of the proxy contract
- A malicious contract executes consecutive delegatecalls
- The storage slot of the proxy implementation (control contract) is changed
- The new code gives the attacker full control over the wallet
Funds withdrawal
- The attacker signs transactions on behalf of the hot wallet
- Funds are transferred to his controlled addresses
Bybit CEO Ben Zhou also shared the findings of Verichains and Sygnia Labs, which asserted not only that the problem was likely on the Safe services side, but that Bybit’s infrastructure was not compromised.
However, how exactly the attackers were able to introduce malware into the signing infrastructure, such as through a chain of vendors, updates, or an insider, so the investigation is ongoing.
Conclusion
These are probably not the final details, however, it is very important that they speak in favor of Bybit, one of the largest crypto exchanges in the world responsible for billions of dollars worth of trading.
Be aware and stay tuned for updates on the rapidly evolving regulations and crypto landscape.
The information provided in this article is for informational and educational purposes only and does not constitute financial, investment, or trading advice. Any actions you take based on the information provided are solely at your own risk. We are not responsible for any financial losses, damages, or consequences resulting from your use of this content. Always conduct your own research and consult a qualified financial advisor before making any investment decisions. Read more
