The crypto exchange Bybit reported a hack late on the night of the 21st, with assets worth nearly $147 million in ETH, stETH, cmETH and mETH stolen, making it one of the largest crypto heists in recent years.
On Saturday, based on the method used against the multi-signature wallet, Yu Xian, founder of the blockchain security company SlowMist, pointed the finger at the Lazarus Group, the North Korean hacking organization notorious in crypto circles, noting that the method resembles last year's hacks of WazirX, Radiant Capital and DMM.
Bybit's Safe multi-signature wallet was hacked by North Korean hackers
Yu Xian analyzed the attack method of this incident:
The hackers first deployed a malicious contract on February 19. On February 21, they had the three owners of Bybit's Safe multi-signature cold wallet sign a transaction that replaced the Safe contract with that malicious contract; the malicious contract's logic was then modified, and finally its backdoor function was called to drain the funds from Bybit's multi-signature cold wallet.
The cold wallet maker OneKey added that the hackers had deployed the malicious backdoor contract three days in advance, had most likely already confirmed that Bybit's three multi-signature computers were compromised, and so had the conditions for the attack in place. Then, when the multi-signature staff performed a routine transfer or another signing operation, the content being signed was swapped.
The staff saw on the web page what looked like a normal transfer or other transaction, unaware that it had been replaced by a transaction that "replaces the Safe contract with the previously deployed malicious contract". And so the tragedy occurred.
Safe: Will temporarily remove integration with Ledger
Bybit was using the Safe multi-signature wallet, with several Ledger cold wallets signing manually, a multi-signature setup that Ethereum co-founder Vitalik Buterin has recommended as the safest way to manage crypto assets. That Bybit was hacked anyway has led the crypto community to question the security of multi-signature wallets, and Safe and other multi-signature wallet protocols are now quite nervous.
After the incident broke out, the Safe team quickly stated that it was cooperating with the Bybit team to investigate and was pausing certain functions to ensure security. Bybit responded that the cold wallet UI displayed the correct transaction information, yet a malicious transaction carrying all valid signatures was executed on-chain. However, Safe's preliminary investigation found no evidence that the Safe wallet front-end itself was compromised.
Safe announced earlier today (24th) that it will begin to restore services in phases within the next 24 hours, and the restored Safe wallet will include additional security measures:
- Additional verification of transaction hashes, data and signatures
- Enhanced monitoring alerts
- Temporary removal of the native Ledger integration, as this was the signing device/method used in the attack on Bybit
Once restored, users may experience slightly longer transaction times or performance issues due to the additional checks running.
As always, please remain vigilant when signing transactions and verify that you are signing the correct transaction data.
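Recomputing the Safe transaction hash offline, as an added example (not code from Bybit, Safe, Ledger or the original article): a signer who derives the safeTxHash from the transfer they actually intend and compares it with the value shown by the signing device or by a second, independent tool can detect a substituted payload even when the web UI looks normal. It assumes Safe contracts v1.3.0 or later (EIP-712 domain of chainId plus Safe address), Keccak-256 implemented inline so the script runs without extra packages, and constructed sample addresses.

```python
MASK64 = (1 << 64) - 1
def _rol(v, n):
    return ((v << (n % 64)) | (v >> (64 - n % 64))) & MASK64

def _keccak_f(lanes):  # Keccak-f[1600] on 25 64-bit lanes, flat index x + 5*y
    r = 1
    for _ in range(24):
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]                      # theta
        x, y, cur = 1, 0, lanes[1]
        for t in range(24):                                                   # rho + pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x + 5 * y] = lanes[x + 5 * y], _rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(0, 25, 5):                                             # chi
            row = lanes[y:y + 5]
            for x in range(5):
                lanes[y + x] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):                                                    # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                lanes[0] ^= 1 << ((1 << j) - 1)
    return lanes

def keccak256(msg):
    """Ethereum's Keccak-256 (original 0x01 padding, rate 136 bytes); NOT hashlib's NIST sha3_256."""
    buf = bytearray(msg) + b"\x01" + b"\x00" * (135 - len(msg) % 136)
    buf[-1] ^= 0x80
    lanes = [0] * 25
    for off in range(0, len(buf), 136):                                       # absorb
        for i in range(17):
            lanes[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(l.to_bytes(8, "little") for l in lanes[:4])               # squeeze 32 bytes

# EIP-712 type hashes used by Safe contracts v1.3.0 and later (domain = chainId + Safe address).
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
                             b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
def _word(v):  # ABI-encode an int, or a 0x-prefixed hex address, as one 32-byte big-endian word
    return (int(v, 16) if isinstance(v, str) else v).to_bytes(32, "big")
def safe_tx_hash(chain_id, safe, to, value, data, operation, nonce, safe_tx_gas=0,
                 base_gas=0, gas_price=0, gas_token="0x0", refund_receiver="0x0"):
    """safeTxHash the owners sign; operation 0 = CALL (a plain transfer), 1 = DELEGATECALL."""
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    fields = [to, value, keccak256(data), operation, safe_tx_gas, base_gas, gas_price, gas_token, refund_receiver, nonce]
    struct = keccak256(SAFE_TX_TYPEHASH + b"".join(f if isinstance(f, bytes) else _word(f) for f in fields))
    return keccak256(b"\x19\x01" + domain + struct)
def device_hash_matches(displayed_hex, **intended_tx):  # compare what the device shows with what you meant
    return bytes.fromhex(displayed_hex.removeprefix("0x")) == safe_tx_hash(**intended_tx)
```

Any change to the recipient, the calldata or the operation type changes the hash, so a mismatch between the recomputed value and the one on the device means the payload presented for signing is not the one the signer intended.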
Four major doubts remain to be clarified
However, the point in this Bybit incident that most puzzles the community and security experts is how the hackers obtained all three signatures for Bybit's multi-signature wallet. The SlowMist team also stated in its preliminary investigation that several doubts remain to be clarified by the official investigation:
1. Routine ETH transfer
- Did the attackers previously obtain the operational information of Bybit's internal finance team and grasp the timing of the ETH multi-signature cold wallet transfer?
- Did they, through the Safe system, lure the signers into signing the malicious transaction on a forged interface? Was the Safe front-end system compromised and taken over?
2. Safe contract UI was tampered with
- Did the signers see the correct addresses and URLs on the Safe interface while the actual transaction data had been tampered with?
- The key question is: who initiated the signing request first? How secure were their devices?
Expert: Ledger should add a function on its transaction interface to verify the transaction against the computer software
Regarding this largest crypto hacking incident in recent years, an anonymous expert shared his analysis and views with Forkast:
Ledger's cold wallet screen displays the request during the transaction, but now it mainly displays the transaction code, which most people can't understand.
We usually judge that the transaction shown on the cold wallet and the transaction requested on the computer are the same because their timing matches (that is, I clicked the transaction on the computer, and the cold wallet then popped up the confirmation message, so I assumed it was the same transaction).
There is no way to confirm from the cold wallet screen whether the transaction is the same as the one confirmed on the web page or client, which gives hackers an opportunity to attack.
Hackers may have planted a Trojan on the relevant computer, and when they detected that Bybit was about to transfer a large amount of money, they sent a similar transaction at a similar time, causing Bybit to think this was the transaction they had requested on the computer and to confirm it on the cold wallet, resulting in the unfortunate incident.
In the future, Ledger should add a function on the transaction interface to verify the transaction with the computer software.
It should be noted that the above views are still the expert's speculative analysis based on the current clues; the specific situation and the full truth await further investigation reports from Bybit and Safe.