The next hacker-themed movie may be based on the $150 million Bybit and Safe hacking incident. The hacking technique was flawless, and no traces have been found so far.
After a week of investigation, Safe, Bybit, and several security companies have published their latest findings. BlockBeats summarizes the results in the simplest terms to give a first-hand picture of the incident:
1. Code is fine: The front-end code of Safe is open-source, and there are no issues at the code level. It was the security of Safe's servers that was attacked.
2. There is an "insider": Specifically, the code actually deployed in the production environment is inconsistent with what is shown in the open-source repository, which means that someone has replaced the code or inserted malicious code during the deployment process.
3. The identity of the "insider" is unknown: Not all developers have the authority to deploy production environment code, and the person capable of such deep-level operations must have a high degree of trust. This "insider" could be a long-trusted developer or a team member who has obtained sufficient permissions. The attacker has hidden their tracks for a long time, and Safe has reviewed the historical transactions but has not found any abnormalities or the attacker's traces, calling on the community and users to assist in the investigation.
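A check for the mismatch described in point 2, as an added example that is not from Safe, Bybit, or the original article: it compares the files a production server returns against digests taken from a rebuild of the public repository. The file names and contents are constructed sample data, and the rebuild is assumed to be reproducible.

```python
import base64
import hashlib


def sri_digest(content: bytes) -> str:
    """Return the Subresource Integrity string (sha384, base64) for a file."""
    raw = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(raw).decode()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map every path in a trusted build output to its SRI digest."""
    return {path: sri_digest(data) for path, data in files.items()}


def compare_deployment(expected: dict[str, str],
                       served: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify differences between the manifest and what is served.

    modified:   path is in both, but the served bytes differ
    missing:    path is in the manifest but is not served
    unexpected: path is served but absent from the manifest
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, digest in sorted(expected.items()):
        if path not in served:
            report["missing"].append(path)
        elif sri_digest(served[path]) != digest:
            report["modified"].append(path)
    # Files that exist only in production matter as much as altered ones.
    report["unexpected"] = sorted(p for p in served if p not in expected)
    return report


# Constructed sample: output of rebuilding the public repository.
REBUILT = {
    "index.html": b"<script src='/static/app.js'></script>",
    "static/app.js": b"function sign(tx){return wallet.sign(tx)}",
    "static/vendor.js": b"/* vendor bundle */",
}
# Constructed sample: what production returns (one file altered, one added).
SERVED = dict(REBUILT)
SERVED["static/app.js"] = b"function sign(tx){/* altered in deployment */}"
SERVED["static/extra.js"] = b"/* not present in the repository */"


def run_example() -> dict[str, list[str]]:
    return compare_deployment(build_manifest(REBUILT), SERVED)


if __name__ == "__main__":
    print(run_example())
```

Run from a machine outside the deployment pipeline, a non-empty report means production no longer matches the published source.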
In addition, Safe has not mentioned helping with compensation. It has only described some follow-up upgrade plans and reminded everyone to remain rational and not to believe those who are using this hacking incident to market their so-called "advanced multi-signature", "semi-custodial", "MPC", and other products, as these products may actually expand the attack surface.
In fact, this is not the first theft involving Safe's multi-signature. The modus operandi is very similar to the Radiant Capital theft in October last year, where the hacker also infected a core developer's device with malware, causing the developer to believe the transaction was legitimate when a malicious transaction was actually being executed in the background.
Safe can affect half of the crypto world
Why has this incident drawn such wide concern? The reason is that Safe is the most popular multi-signature wallet in the Ethereum ecosystem.
When Safe issued tokens last year, the top 100 airdrop addresses were almost all project teams, institutions, and whales. In other words, the security of Safe can affect half of the crypto world.
As shown in the figure, well-known names include Metamask, PleasrDao, Aave, 1inch, Lido, and so on.
At the same time, in this cycle, traditional finance, traditional institutions, family funds, and old money are accelerating their entry, but the barrier to entry in crypto is high, and many have chosen the relatively safer multi-signature wallet Safe to protect their funds on-chain.
The most representative example is Trump's DeFi team.
According to a Safe guardian, there are two simple ways to judge whether an on-chain address is a Safe wallet address: one is the "MultiSig" multi-signature label displayed on Arkham, and the other is the "MultiSig:Safe" label displayed directly under the address on the Debank page. As shown in the figure, Trump's DeFi project World Liberty Fi is indeed using a multi-signature wallet.
In other words, any security vulnerability in Safe could trigger a huge chain reaction and butterfly effect.
The top-tier security infrastructure in the crypto world can also have incidents
The Safe project, incubated by the Gnosis team, is essentially the top-tier project in the Ethereum ecosystem.
Gnosis Chain, which was relatively well-known in the last cycle, is an Ethereum sidechain focused on building efficient and secure decentralized applications. According to defillama data, as of the time of writing, the total value locked (TVL) of Gnosis Chain is $200 million, with a peak of $350 million.
In fact, the story of the Gnosis ecosystem and incubator can be traced back to 2015.
Compared to the now well-known Polymarket, Gnosis co-founder Martin Koeppelmann started researching decentralized prediction markets much earlier. In 2015, he published his thoughts on combining MarketMaker and OrderBook on his own forum, which was one of the earliest decentralized prediction market concepts.
Martin Koeppelmann was also one of the earliest Ethereum developers, joining even before the era of The DAO. Because he had long lived in Berlin, he was in close contact with Vitalik, who was in the Berlin office at the time.
Over the years, he has been actively involved in many discussions in the Ethereum development community, often discussing issues such as L2, ZK, and the Ethereum roadmap with Vitalik. The way others speak of Martin on social media also shows how deeply he is integrated into the community.
Based on this technical accumulation, Gnosis has gradually developed a complete ecosystem. From the Gnosis Protocol to CowSwap, Martin and his team have further derived products such as Gnosis Chain, Safe, and Gnosis Pay.
Has the bear market signal been triggered?
The wide impact of the Safe security incident has caused a great deal of panic and pessimism in the crypto community. According to Alternative.me data, the crypto fear and greed index fell to 10 today, a new low since July 2022, and the market remains in a state of extreme fear.
Many community members suspect that multi-signature may be nothing more than decoration, a case of "covering one's ears to steal a bell", that is, self-deception.
Many industry practitioners have also reflected on the incident and expressed concerns about the industry: "If even multi-signature wallets are not secure, then who will take this industry seriously and trust it? Has the crypto industry really become a hacker's playground?"
Looking back at history, the end of each crypto bull market has often been accompanied by major security and trust crises.
For example, the early Doonguan incident led to the theft of a large amount of crypto assets, becoming one of the most famous hacking incidents in the history of the crypto industry; the end of the last bull market started with the collapse of FTX due to a bank run and the Terra crash, which severely impacted the confidence of investors across the industry.
So, what will end this bull market? Pessimistically, the Safe security incident may be one of the "signals" of the end of this bull market.