GuShiio.com The Cobo security team conducted an in-depth analysis of the Bybit theft incident, revealed the deep-seated systemic problems exposed, and discussed how to build a security protection system that matches the size of assets in this fast-growing industry.
Recently, Bybit, the cryptocurrency exchange, suffered a major security incident that caused a loss of 1.5 billion dollars. What is shocking about this incident is not only the amount of loss, but also the way the attack reveals the fundamental flaws hidden in the current digital asset custody system.
According to the analysis of the Cobo security team, the problem revealed by this incident goes far beyond the superficial technical loophole. Today, when the scale of digital asset management has reached trillions of dollars, the traditional security thinking and protection system is facing unprecedented challenges. This requires us to make a comprehensive reflection and reconstruction from the security infrastructure to the security management process.
Attack process
On February 21, 2025, the cryptocurrency exchange Bybit suffered a well-orchestrated attack: a cold wallet operator saw a seemingly routine hot wallet transfer request on the Safe {Wallet} page. However, this seemingly normal operation actually hides the manipulation of the Safe {Wallet} implementation contract, resulting in the attacker gaining control of the entire cold wallet.
Blockchain analysis shows that the attack is related to the North Korean hacker organization Lazarus Group. This is another successful attack by the organization against the Safe {Wallet} platform recently. Earlier, Radiant Capital and WazirX suffered similar attacks in 2024, resulting in losses of $5000 and $235 million, respectively.
Exposed key loopholes
From the perspective of attack techniques, hackers make full use of the loopholes in many links, such as human-computer interface, hardware wallet display and risk control mechanism, showing an extremely professional attack level. The following is a detailed analysis of the main safety risks exposed by the accident:
The hot-end equipment was breached.
According to the latest report, the attacker successfully hacked into the Bybit operator’s device and tampered with the Safe {Wallet} front-end interface, resulting in:
& the interface seen by the middot; Bybit cold wallet operator does not match the actual signature content
& middot; transaction data was tampered with before reaching the hardware wallet
& middot; operator unknowingly approved malicious contract upgrade
For its part, Bybit said they performed regular operations on the Safe {Wallet} page and conducted all necessary reviews.
At the same time, Safe {Wallet} has confirmed that its investigation did not find that the Safe {Wallet} code base was compromised, the dependency package was implanted with malicious code, or the infrastructure was accessed without authorization. Although the user interface shows the correct transaction details, the final execution on the chain is a malicious transaction with a valid signature. This indicates that the problem may be caused by a security vulnerability on the Bybit side, rather than a problem with the Safe {Wallet} platform itself.
Hidden danger of blind signature of hardware wallet
Most current encryption hardware wallets have significant limitations when dealing with complex transactions:
& insufficient parsing ability of middot;: unable to fully parse and display detailed transaction data of multi-signature wallets such as Safe {Wallet}
& missing middot; verification mechanism: unable to verify whether the signature content is consistent with the front-end display content
& insufficient middot; risk warning: lack of clear warning mechanism for potentially dangerous operations.
These limitations cause operators to carry out “blind signature” operation, that is, authorization without fully understanding and verifying the actual content of the transaction. In the Bybit event, it was this weakness that was exploited by attackers to mislead operators into performing catastrophic authorization operations through a carefully constructed fake interface.
Lack of independent risk control measures
After the analysis, it is found that although Bybit has adopted the multi-signature mechanism, because multiple signatures rely on the same infrastructure and verification process, once one of the links is breached, the whole security system may be broken. This highlights the importance of building a multi-level defense system, especially the key role of the last line of defense. These seemingly basic measures that can be the last lifeline include:
& middot; setting address whitelist: only transfers to pre-authenticated addresses are allowed, which can effectively prevent funds from flowing to unknown addresses controlled by attackers.
& middot; hierarchical approval mechanism: initiate a more stringent manual review process for transactions exceeding a specific amount, and introduce independent teams for cross-verification
& middot; exception monitoring system: establish real-time monitoring of high-risk operations such as contract upgrade and permission change, and give early warning as soon as an exception is found.
& middot; cooling-off period: set an observation period of 24-48 hours for sensitive operations, setting aside time for finding and correcting errors.
Although these measures seem to reduce operational efficiency, they often become the last line of defense to defend the security of digital assets in the face of professional hacker attacks. As the attack proves, in the field of digital asset custody, it is better to prepare than not to cram temporarily.
Cobo Security Proposition: multi-level Security solution
To build a truly reliable system, security reinforcement needs to be implemented at multiple levels:
In the face of such professional attacks, a single security measure is obviously not enough, and the security of digital assets needs to establish a three-dimensional defense system. The Cobo expert team recommends starting from the following two dimensions:
Horizontal Enhancement measures (distributed Control):
Horizontal security enhancement emphasizes that through the introduction of multiple independent parties to manage and use the private key, using technical schemes such as MPC or multi-signature to achieve mutual checks and balances and avoid the risk of single point of failure.
The core of this scheme is not only to increase the number of signatories, but also to ensure the independence of the parties in the technical implementation. For example, the hardware wallets used by all parties, the operating software used, risk control checks, geographical distribution and so on should be independent.
In this incident, although Bybit introduced multiple signatories, most of the full links they used were provided by Safe {Wallet} & nbsp;. Once this scheme was breached or there was a problem, the whole multi-signature scheme was easily bypassed.
Vertical enhancements (enhance the security of each signer):
Vertical security enhancement emphasizes that each signatory should have complete and independent transaction verification capabilities. This means that each signatory needs to establish its own complete technology stack, including independent user interface, risk control system and private key management software and hardware equipment.
The problem of blind signing of hardware wallets exposed in the Bybit incident is precisely due to the lack of vertical capacity-building. If all signatories have complete transaction resolution and verification capabilities, this kind of security loophole can be effectively prevented. In addition, risk control rules such as blacklist and whitelist, manual confirmation or AI scanning can be introduced by signatories, which are also enhanced measures with high input and output in the vertical direction.
Cobo customized Security Scheme for Safe Multi-signature Wallet
The Bybit event not only exposes the specific operational loopholes, but also reveals the architectural defects of the current digital asset trusteeship system. These problems can not be solved by a single product or process, but require the entire industry to rethink and build from the underlying architecture. In order to establish a truly secure and reliable digital asset trusteeship system, we need to upgrade synchronously from three dimensions: hardware facilities, software architecture and interoperability standards.
1. Common signature mechanism of Safe wallet
The Bybit event exposes the fundamental defect of traditional multi-signature security-mdash;— has no independent transaction verification layer, and attackers can manipulate the interface, contract logic and transaction data to deceive the signer.
Cobo launched a co-signature service for Safe {Wallet}, which makes up for the security deficiency of the traditional multi-signature scheme by introducing an independent third-party verification mechanism.
Customers can delegate a signer right in Safe {Wallet} to Cobo hosting to obtain:
-enable the multi-party approval process
-equipped with independent risk control
-enforce strict transaction review rules, including:
& middot; transfer address blacklist and whitelist management
& middot; Intelligent contract Interactive address Control
& middot; parameter-level contract interactive access control.
This scheme is not to replace the existing hardware wallet + Safe {Wallet} multi-signature system, but as an independent security enhancement layer, it is complementary to the existing scheme. Because Cobo only holds a single signature authority, the customer always maintains the final control of the asset, which not only ensures the improvement of security, but also avoids the transfer of control of the asset.
This innovative security architecture can effectively prevent the occurrence of similar Bybit events and provide more reliable asset security for institutional customers.
two。 Promote cooperation among hardware wallet manufacturers to launch signature verification tools for hardware wallets
Traditional hardware wallets have deficiencies in showing transaction details, which makes users vulnerable to the risks of interface tampering, phishing attacks and blind signatures.
To meet these challenges, the encryption industry can introduce the following solutions:
& middot; decodes EIP-712 messages in Safe {Wallet} to ensure that transaction details are fully visible
& middot; provides real-time risk assessment without frequent firmware updates
Cobo is promoting deep cooperation with major hardware wallet manufacturers to build an independent third-party signature review channel on the basis of retaining its original security scheme. Specific implementations include:
& middot; deploys the Cobo signature verification tool to fully parse the data before signing the transaction
& middot; provides real-time transaction simulation
& middot; establishes a more secure and timely transaction review mechanism
3. Promote the establishment of an industry-level security ecology
The new generation of digital asset trusteeship system needs to establish unified industry standards, including transaction verification standards, security component interoperability standards and risk control evaluation system. At the same time, the open platform supports the access of third-party security services to form a complete security ecological chain. This standardized and open architecture design will greatly enhance the security protection capability of the whole industry.
The Future of Digital assets Security
In this case, hackers took advantage of seemingly minor operational vulnerabilities and caused 1.5 billion dollars in damage. However, this is not just a single point of protection negligence. In an industry that manages trillions of dollars in assets, hackers are so professional and motivated to attack that any tiny loophole can be magnified into a deadly threat.
This means that we need to fundamentally re-examine the system architecture of digital asset security and build a basic protection system:
& middot; horizontally breaks the current state that security modules are isolated from each other and builds a network that verifies and checks and balances each other.
& middot; vertically extends from a single operation to the entire business process, establishing a complete protection chain from the underlying infrastructure, the intermediate verification layer to the upper risk control. Each layer should be able to independently detect and block anomalies, forming multiple barriers.
This systematic thinking requires us to go beyond the simple multi-signature mechanism and establish a real multi-dimensional protection system. In this system, each transaction has to go through multi-layer independent verification, each operation must have a complete traceable record, and any anomalies should be found and disposed of in a timely manner.
Reading the original text
