Bybit security investigation reveals the truth: SAFE front-end cloud service was attacked, how to ensure the safety of hundreds of billions of assets carried by multi-signature wallets

avatar
TechFlow
02-27
This article is machine translated
Show original
On February 27, Bybit released a hacker forensics report, which directly pointed out that the theft of funds was caused by a vulnerability in the Safe infrastructure, but it seems that Safe is not willing to accept this accusation

Author: Frank, PANews

On February 21, 2025, the cryptocurrency exchange Bybit suffered an epic hacker attack, with $1.46 billion in assets stolen by the North Korean hacker group Lazarus. In addition to recovering the assets, it is more important to find out the attack path to prevent new attack incidents. On February 27, Bybit released a hacker forensics report, which directly pointed out that the theft of funds was caused by a vulnerability in the Safe infrastructure. However, it seems that Safe is not willing to accept this accusation. In the statement, it acknowledged that the developers were hacked, but attributed the main reason to the sophisticated methods of the North Korean hackers and Bybit's operational mistakes. In the discussion of who bears more responsibility, a "Rashomon" is played out, which has also triggered a major debate in the industry on the trust in infrastructure, security paradigms, and the human game.

The attack originated from the attack on the Safe{Wallet} front-end cloud service

According to the two investigation reports released by Bybit (Bybit Preliminary Incident Report and Bybit Interim Investigation Report), further analysis of the Safe{Wallet} resources found two JavaScript resource snapshots taken on February 19, 2025. Examination of these snapshots shows that the first snapshot contains the original, legitimate Safe{Wallet} code, while the second snapshot contains a resource with malicious JavaScript code. This indicates that the malicious code for creating fraudulent transactions directly originated from Safe{Wallet}'s AWS infrastructure.

Bybit Security Investigation Reveals: SAFE Front-end Cloud Service Attacked, How to Secure the Trillion-dollar Assets Carried by Multi-signature Wallets

The report's conclusion shows: Based on the investigation of Bybit's signer machines and the cached malicious JavaScript payload found in the Wayback Archive, we strongly conclude that the AWS S3 or CloudFront account/API keys of Safe.Global may have been compromised.

In simple terms, the initial source of this attack was that the hackers attacked the devices of the Safe{Wallet} developers, tampered with the front-end JavaScript files in the AWS S3 bucket, and planted targeted malicious code against Bybit's cold wallet addresses. Previously, Safe had also released a simple investigation report, stating that no code vulnerabilities and malicious dependencies (i.e., supply chain attacks) were found, and then Safe conducted a comprehensive review and temporarily suspended the Safe{Wallet} function. The results of this investigation seem to overturn Safe's previous investigation results.

Safe's evasive statement raises more questions

Bybit has not yet stated what responsibility Safe should bear in this incident, but after the report was released, there has been much discussion on social media about Safe's security vulnerabilities, and some believe that Safe should be held responsible and make compensation.

Safe's official attitude towards this report is obviously not recognized. In its official statement, Safe divided the responsibility into three levels: technically, it emphasized that the smart contracts were not attacked and emphasized the security of the product. In terms of operations, it acknowledged that the developer's device was hacked, leading to the leakage of the AWS key, but attributed it to the national-level attack by the North Korean hacker group. From the user's perspective, it suggested that users "remain vigilant when signing transactions", implying that Bybit did not fully verify the transaction data.

Bybit Security Investigation Reveals: SAFE Front-end Cloud Service Attacked, How to Secure the Trillion-dollar Assets Carried by Multi-signature Wallets

But this response seems to be evasive, and according to the process shown in the report, Safe has the following failures in this process:

1. Loss of control over permissions: The attacker gained AWS permissions by hacking into the developer's device, exposing that the Safe team did not implement the principle of minimum permissions. For example, a single developer could directly modify the production environment code, and there was no code change monitoring mechanism.

2. Dereliction of front-end security: Failure to enable basic protection measures such as SRI (Subresource Integrity).

3. Supply chain dependency risk: The attack path (developer's device → AWS → front-end code) proves that Safe is overly dependent on centralized cloud services, which conflicts with the decentralized security concept of blockchain.

In addition, the industry has also raised many questions about Safe's statement, with Binance founder CZ raising 5 technical questions (such as the specific way the developer's device was hacked, the reason for the loss of control over permissions, etc.), directly pointing out the lack of transparency in Safe's statement. Safe did not publicly disclose the details of the attack chain, making it impossible for the industry to defend against it in a targeted manner.

Token price rises strangely, daily active users drop by nearly 70%

Another major controversy in the community is whether Safe should compensate Bybit for the losses in this incident. Some users believe that it was Safe's infrastructure vulnerability that led to the attack, and Safe should be responsible for compensation. Some even suggest that Gnosis, the predecessor of Safe, should bear joint and several liability for compensation. Safe was originally developed as the Gnosis Safe multi-signature protocol by the Gnosis team in 2017, and was spun off from the Gnosis ecosystem and operated independently in 2022. Gnosis had raised 250,000 ETH through an ICO in 2017 and currently has 150,000 ETH in its treasury, making it a whale in the ETH ecosystem.

However, some also believe that the main responsibility in this incident is still on Bybit itself. On the one hand, Bybit, which manages tens of billions of assets in cold wallets, should have invested R&D resources to develop its own security infrastructure. On the other hand, Bybit seems to have used the free Safe service and did not pay a subscription fee, so Safe has no obligation to bear the responsibility from this perspective.

Bybit, the party involved, did not propose that Safe provide financial compensation after releasing the investigation report.

While the industry is still debating the attribution of responsibility, the capital market is staging an absurd drama. Safe's official token seems to have received special attention due to this incident, with the SAFE token rising from $0.44 to $0.69 on February 27, a maximum increase of about 58% in 10 hours. However, from an investment logic perspective, this incident has mainly produced a negative impact on Safe's brand, and the rise may only be due to short-term market sentiment.

Data on February 27 shows that Safe's total assets under management exceed $100 billion, and its silence on the vulnerability details is undermining its credibility as an industry infrastructure.

Bybit Security Investigation Reveals: SAFE Front-end Cloud Service Attacked, How to Secure the Trillion-dollar Assets Carried by Multi-signature Wallets

In terms of daily active user data, it can be clearly seen that Safe has suffered a significant impact after this incident, with the number of daily active addresses dropping from 1,200 on February 12 to 379 on February 27, a decrease of nearly 70%.

Bybit Security Investigation Reveals: SAFE Front-end Cloud Service Attacked, How to Secure the Trillion-dollar Assets Carried by Multi-signature WalletsIn addition, after the exposure of the centralization risk of the front-end, the community has once again focused on the security mechanism of the front-end. ICP founder Dominic Williams said that the recent successful theft of $1.5 billion from Bybit by the North Korean hacker group was mainly due to the vulnerability in the web interface of Safe{Wallet}, which is hosted in the cloud rather than on the smart contract. Williams criticized that some Web3 projects only run on "fake onchain", leading to security risks, and suggested that Safe{Wallet} migrate to ICP and adopt encrypted authentication and multi-party consensus governance (such as SNS DAO) to enhance security.

Looking back at the whole incident, it seems to be an isolated incident carefully planned by North Korean hackers, but it still exposes the security vulnerabilities in Safe's current multi-signature wallet in terms of permission design and supply chain. From the perspective of brand development, the hasty attempt to shirk responsibility in order to maintain the security myth has backfired, leading to more questioning from the public. Perhaps, if Safe can timely acknowledge its mistakes and take corresponding measures, it will better reflect the attitude of a giant in the crypto security field. At the same time, early disclosure of the vulnerability details can also help the industry strengthen self-examination and prevention of similar vulnerabilities.

Source
Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.
Like
Add to Favorites
Comments
Relevant content
Followin logo
loading indicator
Loading..