In-depth Analysis of Bybit & Safe{Wallet} Attack Incident: How Can Enterprises Build a "Cryptocurrency Security Fortress"?

CN
深潮TechFlow
Follow
10 hours ago

Fundamental Vulnerability: "What You See ≠ What You Sign".

Author: Kane Wang, Safeheron CTO

Bybit Incident Overview

On February 21, 2025, at 22:13 (Singapore time), the Bybit team initiated a transfer from a cold wallet to a hot wallet using the multi-signature process of Safe{Wallet}. CEO Ben verified the target address through Safe{Wallet}, but during the final confirmation using Ledger, the attacker exploited the fact that Ledger only displayed contract interaction parameters and failed to show complete transaction information, resulting in the successful theft of nearly $1.5 billion in assets.

On February 26, 2025, Sygnia released the investigation results, confirming that the AWS S3 bucket of Safe{Wallet} was compromised by hackers who deployed malicious JavaScript code targeting Bybit, primarily aimed at effectively altering transaction content during the signing process. At the same time, Safe{Wallet} stated that the Safe smart contract was not affected.

This incident bears similarities to a recent attack that caused Radiant Capital to lose $4.5 million, serving as a wake-up call for the entire digital asset security industry.

Kane Wang, Safeheron CTO (the only open-source MPC digital asset self-custody security service provider in Asia), also provided an in-depth analysis of this incident:

Fundamental Vulnerability: "What You See ≠ What You Sign"

The Bybit incident revealed a fatal flaw in wallet architecture: there is a significant gap between the displayed transaction intent and the actual executed operation, a problem that is prevalent in many wallet systems:

A. Infrastructure Compromised

Attackers hijacked the wallet's UI (as in the case of Safe{Wallet}) or backend, allowing users to unknowingly approve malicious operations disguised as legitimate transactions. While smart contract-based wallet solutions (like Safe{Wallet}) excel in key sharding, they fail to fully address the issue of transaction integrity verification.

B. Ecosystem Compatibility Issues

The Bybit incident exposed a critical flaw in ecosystem compatibility: even when using secure devices like Ledger, the lack of seamless integration between different systems can still compromise security. In this attack:

  • Safe's UI was tampered with: The attacker manipulated the displayed target address to make it appear legitimate.

  • Ledger's offline verification failed: As the last line of defense, Ledger failed to effectively implement the "what you see is what you sign" verification mechanism. Due to its poor compatibility with Safe's UI, Ledger only displayed contract interaction parameters and did not clearly show transaction information, leading to critical transaction details not being verified.

The combination of Ledger and Safe was intended to ensure safer fund usage through a "cold + hot" integration, but we found deficiencies in the integrated security depth defense design, exposing multiple unexpected security blind spots.

This incident emphasizes that institutional wallets require more advanced security measures to ensure transaction authenticity and defend against complex attacks in high-risk environments. Adopting multi-layered security solutions to counter increasingly sophisticated attack methods is particularly important.

How Enterprises Can Build a "Cryptographic Security Fortress"

1. Multi-Device Signing:

During transaction signing, different signers should use different hardware devices to avoid having the same device handle all signing operations, thereby reducing the risk of a single point of failure.

2. Focus on Risk Exposure and Systemic Protection:

Security infrastructure service providers and exchanges should systematically recognize risk exposures and minimize risk points. In the Ledger + Safe combination, if the official Safe UI is maliciously tampered with or network hijacked, it will further expand the risk exposure. Exchanges need to clearly identify which aspects may pose security issues when selecting solutions and strengthen construction around key risk exposures. For example:

  • Security infrastructure service providers can concentrate risk exposure on the App and ensure it has independent "what you see is what you sign" capabilities and TEE (Trusted Execution Environment) verification. Even if the server is compromised, customer assets can remain secure. This means that even if internal personnel of the provider act maliciously or are hacked, as long as the wallet App functions normally, the provider cannot steal user keys or transfer customer assets.

Additionally, service providers should implement DevSecOps principles, building secure App environments and enforcing strict approval and verification processes to further ensure system security. Reducing risk exposure and implementing DevSecOps is also a consistent commitment of Safeheron.

  • Using cold wallet solutions, the cold wallet as a risk exposure can have friendly "what you see is what you sign" capabilities, whitelisting capabilities, and effective updates of wallet firmware to ensure the secure use of the wallet.

3. Fund Diversification Management:

Concentrating large amounts of funds in a single wallet poses a high risk; once security is compromised, it could lead to total loss. Therefore, we can set up "hot wallets," "warm wallets," and "cold wallets" for layered management based on fund dispatch frequency. When using cold wallets, further segmentation of fund usage can be implemented, allowing for effective fund isolation through reasonable layering.

If Bybit had distributed the $1.5 billion in ETH across wallets with different usage frequencies, it would have at least prevented hackers from achieving a "one-hit victory," resulting in such significant losses, and might have even escaped unscathed, as hackers may target other larger fish.

Institutional Wallet Security: Architecture Determines Survival

The security construction of institutional asset management requires continuous investment. We predict that the future trend of digital asset management will involve hot wallets adopting MPC-TSS multi-signature management, warm wallets combining multi-signature and risk control strategies for refined operations, and cold wallets using institutional-level solutions to achieve true offline "what you see is what you sign," continuously building a multi-layered protection system for user and institutional asset security.

About Safeheron

Safeheron is a digital asset security custody solution provider based on MPC+TEE and is the world's first and Asia's only open-source C++ MPC threshold signature protocol library company.

免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。

Share To

Related Articles

avatar
avatarPANews
2 hours ago
Can the MEME Act proposed by U.S. Congress members stop politicians from "harvesting retail investors"?
avatar
avatar链捕手
4 hours ago
Daily Report | The U.S. SEC announced that it has lifted the civil enforcement action against Coinbase; BitMEX is seeking to sell and has engaged investment bank Broadhaven to assist with the transaction.
avatar
avatar深潮TechFlow
5 hours ago
Bitcoin "discounted" to $80,000, and the boss of MicroStrategy actually said he would sell a kidney?
avatar
avatarCointelegraph中文
5 hours ago
The Hidden Buyers in Bitcoin's Decline: A Complete Picture of Institutional Accumulation Behavior
avatar
avatar深潮TechFlow
5 hours ago
Is the "sharp drop" in Bitcoin a response to "lack of economic demand"?
APP

X

Telegram

Facebook

Reddit

CopyLink