Author: Frank, PANews
On February 21, 2025, the cryptocurrency exchange Bybit suffered an epic hacker attack, with assets worth $1.46 billion stolen by the North Korean hacker group Lazarus. While recovering assets is important, determining the attack path is crucial to prevent future incidents. On February 27, Bybit released a forensic report on the hack, which pointed to a vulnerability in the Safe infrastructure as the cause of the stolen funds. However, it seems that Safe is unwilling to accept this accusation. In a statement, they acknowledged that the developers were compromised but attributed the main cause to the sophisticated methods of the North Korean hackers and operational errors by Bybit. This led to a "Rashomon" debate over who bears more responsibility, sparking a major discussion in the industry about trust in infrastructure, security paradigms, and the human element in these games.
The Attack Originated from Safe{Wallet} Frontend Cloud Service Being Compromised
According to two investigation reports released by Bybit (the preliminary report and the interim investigation report), further analysis of Safe{Wallet} resources revealed two snapshots of JavaScript resources taken on February 19, 2025. Review of these snapshots showed that the first snapshot contained the original, legitimate Safe{Wallet} code, while the second snapshot contained resources with malicious JavaScript code. This indicates that the malicious code used to create fraudulent transactions directly originated from Safe{Wallet}'s AWS infrastructure.
The report's conclusion states: Based on the investigation results of Bybit's signer machines and the cached malicious JavaScript payload found in the Wayback Archive, we strongly conclude that Safe.Global's AWS S3 or CloudFront account/API keys may have been compromised.
In summary, the initial source of this attack was hackers compromising the devices of Safe{Wallet} developers, altering the frontend JavaScript files in the AWS S3 bucket, and implanting targeted malicious code against Bybit's cold wallet addresses. Previously, Safe had also released a simple investigation report stating that no code vulnerabilities or malicious dependencies (i.e., supply chain attacks) were found, after which Safe conducted a comprehensive review and suspended Safe{Wallet} functionality. The results of this investigation seem to overturn Safe's earlier findings.
Safe's Evasive Statement Raises More Questions
As of now, Bybit has not stated what responsibility Safe should bear in this incident, but discussions about Safe's security vulnerabilities have erupted on social media following the report's release, with some voices suggesting that Safe should be held accountable and provide compensation.
Safe's official stance on this report is clearly one of disagreement. In its official statement, Safe divided responsibility into three levels: on the technical side, it emphasized that the smart contracts were not attacked, highlighting the product's security. On the operational side, it acknowledged that the developers' devices were compromised, leading to the AWS key leak, but blamed it on a state-level attack by North Korean hackers. On the user side, it advised users to "remain vigilant when signing transactions," implying that Bybit did not adequately verify transaction data.
However, this response seems to evade the core issues, as the report indicates several failures on Safe's part during this process:
Loss of Control Over Permissions: The attacker gained AWS permissions by compromising the developer's device, exposing that the Safe team did not implement the principle of least privilege. For instance, a single developer could directly modify production environment code without a code change monitoring mechanism.
Negligence in Frontend Security: Basic protective measures such as SRI (Subresource Integrity) were not enabled.
Supply Chain Dependency Risks: The attack path (developer device → AWS → frontend code) demonstrates Safe's over-reliance on centralized cloud services, conflicting with the decentralized security philosophy of blockchain.
Additionally, the industry has raised many questions about Safe's statement. Binance founder CZ posed five technical questions (such as the specific method of compromising the developer's device and the reasons for the loss of control over permissions), directly pointing to the lack of transparency in Safe's statement. Safe did not disclose details of the attack chain, preventing the industry from implementing targeted defenses.
Token's Strange Surge Amidst a Nearly 70% Drop in Daily Active Users
Another major point of contention in the community is whether Safe should compensate Bybit for the losses incurred in this incident. Some users believe that Safe's infrastructure vulnerabilities led to the attack, and thus Safe should be responsible for compensation. Some even suggested that Safe's predecessor company, Gnosis, should bear joint liability for the losses. Safe was initially developed as the Gnosis Safe multi-signature protocol by the Gnosis team in 2017 and became an independent operation in 2022. Gnosis had completed an ICO financing of 250,000 ETH in 2017 and currently holds 150,000 ETH, making it an ETH whale.
However, others argue that the primary responsibility lies with Bybit itself. On one hand, managing a cold wallet with billions in assets necessitates investing in research and development to create a series of secure infrastructures. On the other hand, Bybit seems to be using Safe's services for free and has not paid a subscription fee, so from this perspective, Safe may not have an obligation to bear responsibility.
After releasing the investigation report, Bybit did not demand any financial compensation from Safe.
While the industry continues to debate responsibility, the capital market has played out an absurd scenario. Safe's official token seems to have received unusual attention due to this incident, with the SAFE token rising from $0.44 to $0.69 on February 27, marking a maximum increase of about 58% in just 10 hours. However, from an investment logic standpoint, this incident primarily has a negative impact on Safe's brand, and the rise may just be a result of short-term market sentiment.
Data from February 27 shows that Safe's total managed assets exceed $100 billion, and the silence regarding the details of the vulnerabilities is shaking its credibility as an industry infrastructure.
In terms of daily active user data, it is evident that Safe has suffered a significant impact following this incident. Compared to 1,200 daily active addresses on February 12, this number dropped to 379 on February 27, a decline of nearly 70%.
Furthermore, after the exposure of the centralized risks in the frontend, the community has once again focused on the security mechanisms of the frontend. ICP founder Dominic Williams stated that the North Korean hacker group recently successfully stole $1.5 billion from Bybit, primarily exploiting vulnerabilities in the Safe{Wallet} web interface, which is hosted in the cloud rather than on a smart contract. Williams criticized some Web3 projects for only operating on "fake on-chain," leading to security risks, and suggested using ICP (Internet Computer) for on-chain computation, data storage, and user experience verification to enhance security. He proposed migrating Safe{Wallet} to ICP and adopting cryptographic authentication mechanisms and multi-party consensus governance (such as SNS DAO) to improve security.
Looking back at the entire incident, it appears to be an isolated event meticulously planned by North Korean hackers, but it still exposes security vulnerabilities in Safe's multi-signature wallet regarding permission design and supply chain issues. From a brand development perspective, the attempt to hastily distance itself from the situation to maintain a security myth may backfire, leading to more public scrutiny. Perhaps Safe would better demonstrate the attitude of a giant in the crypto security field by promptly acknowledging its mistakes and implementing corresponding measures. Additionally, disclosing the details of the vulnerabilities as soon as possible could further help the industry strengthen self-examination and prevention against similar vulnerabilities.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
