Although the fundamental cause of the interface tampering in the Bybit incident has not yet been confirmed, device intrusion may be a key factor.

Written by: CertiK

Incident Overview

On February 21, 2025, at 02:16:11 UTC, Bybit's Ethereum cold wallet (0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4[1]) was compromised due to a malicious contract upgrade, resulting in the theft of funds. According to a statement from Bybit CEO Ben Zhou[2], the attacker tricked the cold wallet signers into incorrectly signing a malicious transaction through a phishing attack. He mentioned that the transaction was disguised as a legitimate operation: the Safe{Wallet} interface appeared as a normal transaction, but the data sent to the Ledger device had been altered to malicious content. The attacker successfully obtained three valid signatures, replacing the implementation contract of the Safe multi-signature wallet with a malicious contract, thereby stealing funds. This vulnerability resulted in a loss of approximately $1.46 billion, making it the largest security incident in Web3.0 history.

Attack Transaction Records

Upgrade of the Safe wallet implementation contract to a malicious contract:

https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

Multiple transactions transferring funds from Bybit's cold wallet:

• 401,346 ETH[3]
• 15,000 cmETH[4]
• 8,000 mETH[5]
• 90,375 stETH[6]
• 90 USDT[7]

Main Addresses

• Bybit multi-signature cold wallet (victim) [8]
• Attacker's initial attack operation address [9]
• Malicious implementation contract [10]
• Attack contract used during the Safe "delegate call" process [11]

Attack Process

1. The attacker deployed two malicious contracts three days before the attack (February 18, 2025, UTC).

• These contracts contained backdoor functions for fund transfers[12]
• And code to modify storage slots for contract upgrades[13]

1. On February 21, 2025, the attacker lured the owners (signers) of three multi-signature wallets into signing a malicious transaction, upgrading the Safe implementation contract to the previously deployed malicious contract with backdoors[14]: https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

2. The "operation" field value in the attack transaction was "1", indicating that the GnosisSafe contract executed a "delegatecall", while "0" indicates "Call".

4. This transaction executed a delegated call to another contract deployed by the attacker (0x96221423681a6d52e184d440a8efcebb105c7242[15]), which contained a "transfer()" function that modified the first storage slot of the contract "uint256 _transfer" upon invocation.

In the GnosisSafe contract, the first storage slot contains the "masterCopy" address, which is the implementation contract address of the GnosisSafe contract.

By modifying the first storage slot of the Gnosis Safe contract, the attacker was able to change the implementation contract address (i.e., the "masterCopy" address).

From the transaction details, it can be seen that the attacker set the "masterCopy" address to 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516, which contains the "sweepETH()" and "sweepERC20()" functions described below.

5. The contract upgrade method used by the attacker was unconventional, specifically designed to avoid detection of malicious intent. From the perspective of Bybit signers, the signed data appeared to be a simple "transfer(address, uint256)" function call, rather than a potentially suspicious "upgrade" function.

6. The upgraded malicious implementation contract[16], which contained the backdoor functions "sweepETH()" and "sweepERC20()", allowed the attacker to transfer all assets from the cold wallet, ultimately resulting in the theft of $1.4 billion in ETH.

Vulnerability Analysis

The root cause of this vulnerability lies in a successful phishing attack. The attacker tricked the wallet signers into signing malicious transaction data, ultimately leading to the malicious upgrade of the contract. This upgrade allowed the attacker to control the cold wallet and transfer all its funds. The specific planning and execution methods of the phishing attack remain unclear.

According to Bybit CEO Ben Zhou's explanation during a live broadcast on the X platform two hours after the vulnerability occurred, the Bybit team was executing a routine asset transfer process from cold wallet to hot wallet at the time of the incident, and he himself was the last signer of the Safe multi-signature transaction. He explicitly pointed out that the transaction was disguised— all signers saw the address and transaction data as correct content on the Safe{Wallet} interface, and the URL had been verified by the official Safe{Wallet}. However, when the transaction data was sent to the Ledger hardware wallet for signing, the actual content had been tampered with. Ben Zhou also mentioned that he did not verify the transaction details a second time on the Ledger device interface. There is currently no conclusion on how the attacker tampered with the Safe{Wallet} interface. According to information disclosed by Arkham[17], on-chain analyst @zachxbt has submitted conclusive evidence indicating that the attack was orchestrated by the LAZARUS hacker group.

Lessons Learned

This incident is reminiscent of the Radiant Capital vulnerability incident on October 16, 2024 (Reference 1[18], Reference 2[19]), which resulted in the theft of approximately $50 million. At that time, the attacker compromised the developer's device, tampering with the Safe{Wallet} front-end interface to display legitimate transaction data, while the actual data sent to the hardware wallet was malicious content. Such tampering could not be detected in manual interface reviews or Tenderly simulation tests. The attacker initially impersonated a trusted contractor, sending a compressed PDF file containing malware (establishing a macOS persistent backdoor) to the target via Telegram messages, thereby gaining access to the device.

Although the fundamental cause of the interface tampering in the Bybit incident has not yet been confirmed, device intrusion may be a key factor (similar to the Radiant Capital incident). Both incidents reveal two major prerequisites for the success of the attack: device intrusion and blind signing behavior. Given the increasing frequency of such attacks, we need to focus on analyzing the following two attack methods and mitigation strategies:

1. Device Intrusion:

The spread of malware through social engineering to compromise victim devices remains a primary means of large-scale attacks in the Web3.0 space. Nation-state hacker groups (such as the LAZARUS GROUP) often utilize this method to breach initial defenses. Device intrusion can effectively bypass security controls.

Mitigation Strategies:

• Strengthen device security: Establish strict endpoint security policies and deploy EDR solutions (such as CrowdStrike).
• Dedicated signing devices: Use dedicated devices in isolated environments for transaction signing to avoid risks associated with multi-purpose devices.
• Temporary operating systems: Configure non-persistent operating systems (such as temporary virtual machines) for critical operations (like multi-signature transactions) to ensure a clean operating environment.
• Phishing simulation drills: Regularly conduct phishing attack simulations for high-risk roles (such as crypto asset operators and multi-signature signers) to enhance security awareness.
• Red team exercises: Simulate attacker tactics to assess the effectiveness of existing security controls and strengthen them accordingly.

2. Blind Signing Vulnerability:

Blind signing refers to users signing transactions without fully verifying the transaction details, leading to the accidental authorization of malicious transactions. Such unsafe practices are prevalent among DeFi users and are particularly dangerous for Web3.0 institutions managing large assets. The Ledger hardware wallet has recently initiated discussions on this issue (Reference 1[20], Reference 2[21]). In the Bybit incident, the malicious interface concealed the true intent of the transaction, causing the tampered data to be sent to the Ledger device, while the signer did not verify the details on the device, ultimately triggering the vulnerability.

Mitigation Strategies:

• Avoid unverified Dapps: Only interact with trusted platforms; access official platforms through bookmarks to avoid phishing links.
• Hardware wallet secondary verification: Confirm transaction details (recipient address, amount, function call) item by item on the screen of devices like Ledger to ensure they match expectations.
• Transaction simulation: Simulate transactions before signing to observe their outcomes and verify their correctness.
• Use non-visual interfaces: Choose command-line tools (CLI) to reduce reliance on third-party graphical interfaces; CLI lowers the risk of UI manipulation and provides a more transparent view of transaction data.
• Terminate on anomalies: If any part of the transaction appears abnormal, immediately terminate the signing process and initiate an investigation.
• Dual device verification mechanism: Use a separate device to independently verify transaction data before signing. This device should generate a readable signature verification code that matches the data displayed on the hardware wallet.

After the tens of millions of dollars lost in the Radiant Capital and WazirX2[22] incidents, Bybit became the victim of the largest theft in Web3.0 history. The frequency and complexity of such attacks continue to escalate, exposing significant flaws in the industry's operational security. Attackers are systematically targeting high-value targets. As adversaries' capabilities improve, centralized exchanges (CEX) and Web3.0 institutions must comprehensively enhance their security measures and remain vigilant against the iterative evolution of external threats.

[1] :https://etherscan.io/address/0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4

[2] :https://x.com/Bybit_Official/status/1892986507113439328

[3] :https://etherscan.io/tx/0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c

[4] :https://etherscan.io/tx/0x847b8403e8a4816a4de1e63db321705cdb6f998fb01ab58f653b863fda988647

[5] :https://etherscan.io/tx/0xbcf316f5835362b7f1586215173cc8b294f5499c60c029a3de6318bf25ca7b20

[6] :https://etherscan.io/tx/0xa284a1bc4c7e0379c924c73fcea1067068635507254b03ebbbd3f4e222c1fae0

[7] :https://etherscan.io/tx/0x25800d105db4f21908d646a7a3db849343737c5fba0bc5701f782bf0e75217c9

[8] :https://etherscan.io/address/0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4

[9] :https://etherscan.io/address/0x0fa09c3a328792253f8dee7116848723b72a6d2e

[10] :https://etherscan.io/address/0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

[11]:https://etherscan.io/address/0x96221423681A6d52E184D440a8eFCEbB105C7242#code

[12] :https://etherscan.io/address/0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

[13] :https://etherscan.io/address/0x96221423681A6d52E184D440a8eFCEbB105C7242#code

[14] :https://etherscan.io/address/0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

[15] :https://etherscan.io/address/0x96221423681A6d52E184D440a8eFCEbB105C7242

[16] :https://etherscan.io/address/0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

[17]:https://x.com/arkham/status/1893033424224411885

[18] :https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081

[19] :https://medium.com/@RadiantCapital/radiant-capital-incident-update-e56d8c23829e

[20] :https://www.ledger.com/academy/topics/ledgersolutions/what-is-clear-signing

[21] :https://www.youtube.com/watch?v=-O7aX6vUvs8

[22]:https://wazirx.com/blog/wazirx-cyber-attack-key-insights-and-learnings

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。