According to ZachXBT, suspicious outflows of more than US$1.46 billion have been observed from Bybit, and the mETH and stETH are currently being swapped for ETH on DEXs.
GuShiio.com learned that Bybit CEO Ben Zhou tweeted that its ETH multi-signature cold wallet had made an abnormal transfer about an hour earlier: the attackers used a fake UI to induce the signers to execute the transaction, and the signed payload actually changed the cold wallet's smart contract logic, resulting in the transfer of ETH assets to an unidentified address. Bybit's other cold wallets are safe and all withdrawals are proceeding normally. Bybit is tracking the stolen funds and has called on security teams to assist in the investigation.
SlowMist founder Cos said that the core cause is that the Safe multi-signature was compromised, similar to the earlier Radiant Capital case, and that North Korean hackers may also be behind the theft.
Bybit officials said: "Unauthorized activity involving one of our ETH cold wallets has been detected. When the incident occurred, our ETH multi-signature cold wallet was performing a transfer to our hot wallet. Unfortunately, the transaction was manipulated through a sophisticated attack that masked the signing interface, displayed the correct address, and changed the underlying smart contract logic. As a result, the attacker gained control of the affected ETH cold wallet and transferred its assets to an unidentified address. We want to assure our users and partners that all other Bybit cold wallets are completely safe. All customer funds are safe, and our operations will proceed as usual without interruption. Our security team is actively investigating this incident with leading blockchain forensics experts and partners. Any team with expertise in blockchain analysis and fund recovery that can help track these assets is welcome to cooperate with us."
GuShiio.com learned that Chainlink data showed that after the Bybit security incident was disclosed, USDe briefly dropped to $0.965 before recovering to $0.99. Bybit has integrated perpetual contracts in which USDe can be used as collateral to trade all assets in the exchange's UTA.
Bybit CEO Ben Zhou said that Bybit is solvent: even if the hacked funds cannot be recovered, all customer assets are backed 1:1 and the loss can be covered.
Ethena Labs said in a post that they have been monitoring the situation at Bybit and will continue to track developments. All spot assets backing USDe are held in off-exchange custody solutions, including the arrangement with Bybit via Copper ClearLoop. At present, no spot assets are held on any exchange. The total unrealized PnL related to Bybit hedging positions is less than $30 million, less than half the reserve fund. USDe remains overcollateralized, and updates will be provided as new information becomes available.
Binance co-founder CZ replied that this is not an easy situation to deal with, suggested suspending all withdrawals as a standard safety precaution, and offered to provide any help if needed. He Yi also expressed her willingness to help.
The SlowMist team posted further details: the attacker deployed a malicious implementation contract, then replaced the Safe's implementation contract with the malicious one through a transaction signed by three owners, and used the sweepETH and sweepERC20 backdoor functions in the malicious contract to empty the hot wallet funds.
Safe's security team responded that it is working closely with Bybit on an ongoing investigation. There is no evidence that the official Safe front end has been breached, but out of caution Safe Wallet has temporarily suspended some functions.
Orderly Network, the multi-chain decentralized trading protocol, responded to the hack on Bybit by saying it would temporarily suspend deposits on Mantle because of the massive transfer of funds.
Ethena Labs posted a message in support of Bybit, saying that USDe is currently backed by $2 billion in liquid stablecoins that can be redeemed at any time; the relevant information can be viewed on the transparency dashboard. USDe redemptions are operating normally, and the team is in contact with Bybit and stands ready to help. Meanwhile, the unrealized PnL exposure to Bybit has fallen to zero.
Bybit CEO Ben Zhou said in a live broadcast that Bybit will ensure all users can withdraw funds, but because traffic is 100 times higher than usual, processing will take some time, and large withdrawals will undergo additional risk checks. Bybit will not buy ETH right away, but will rely on partners to provide bridge loans.
Dilation Effect pointed out that the approach of ordinary hardware wallets combined with a Safe multi-signature has long been unable to meet the security management needs of large funds. If an attacker is patient enough to compromise multiple signers, there is no other measure in the whole process to further ensure security. Institutional custody solutions must be used for the security management of large funds.
Dilation Effect's analysis pointed out that, compared with previous similar incidents, only one signer needed to be compromised to complete the attack in the Bybit case, because the attacker used a "social engineering" technique. Analyzing the on-chain transaction, we can see that the attacker executed the transfer function of a malicious contract via delegatecall; the transfer code modifies the value of slot 0 with the SSTORE instruction, thereby changing the implementation address of Bybit's cold wallet multi-signature contract to the attacker's address. It is enough to compromise the person or device that initiates the multi-signature transaction; the subsequent reviewers are far less vigilant when they see a transfer. Ordinary people see "transfer" and assume it is a transfer, but who would know it was changing the contract?
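The two write-ups above (SlowMist's description of the swapped Safe implementation and Dilation Effect's note that a transfer-shaped payload was run via delegatecall) describe a check a signer can make before approving. The following is an added example, not code from Bybit, Safe or the analysts quoted: it decodes a Safe execTransaction payload from raw calldata and flags the pattern described, namely a payload that looks like an ERC-20 transfer but is executed with operation=1 (DELEGATECALL), which runs the target's code in the Safe proxy's own storage and can therefore overwrite slot 0, the proxy's implementation address. It assumes the well-known Safe execTransaction selector 0x6a761202 and the ERC-20 transfer selector 0xa9059cbb; the sample payloads and addresses are constructed for the example and are not the incident's.

```python
"""
Signer-side review of a Safe execTransaction payload (added example, not Bybit's or Safe's own code).

Assumptions: the Safe execTransaction selector 0x6a761202 and the ERC-20 transfer selector
0xa9059cbb are the well-known ones; all sample payloads and addresses below are constructed.
"""
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,...)
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")          # ERC-20 transfer(address,uint256)
CALL, DELEGATECALL = 0, 1                              # values of the Safe "operation" field
HEAD_WORDS = 10                                        # execTransaction has 10 head words


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _word(blob: bytes, i: int) -> bytes:
    return blob[32 * i:32 * (i + 1)]


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Minimal ABI encoder (gas fields zero, empty signatures) used to build sample payloads."""
    padded = data + b"\x00" * ((-len(data)) % 32)
    data_tail = _u256(len(data)) + padded
    sig_tail = _u256(0)  # empty `signatures` bytes
    head = [
        _u256(int(to, 16)),            # to
        _u256(value),                  # value
        _u256(HEAD_WORDS * 32),        # offset of `data`
        _u256(operation),              # operation: 0 = CALL, 1 = DELEGATECALL
        _u256(0), _u256(0), _u256(0),  # safeTxGas, baseGas, gasPrice
        _u256(0), _u256(0),            # gasToken, refundReceiver
        _u256(HEAD_WORDS * 32 + len(data_tail)),  # offset of `signatures`
    ]
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + data_tail + sig_tail


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Decode the fields a signer must look at before approving."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]
    data_off = int.from_bytes(_word(body, 2), "big")
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return SafeTx(
        to="0x" + _word(body, 0)[12:].hex(),
        value=int.from_bytes(_word(body, 1), "big"),
        data=body[data_off + 32:data_off + 32 + data_len],
        operation=int.from_bytes(_word(body, 3), "big"),
    )


def review(tx: SafeTx, trusted_delegate_targets: frozenset = frozenset()) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code runs in the Safe's own storage "
                        "and can overwrite slot 0, the proxy's implementation address")
        if tx.to.lower() not in trusted_delegate_targets:
            findings.append(f"delegatecall target {tx.to} is not an allow-listed Safe library")
        if tx.data[:4] == TRANSFER_SELECTOR:
            findings.append("payload is shaped like ERC-20 transfer(address,uint256) but is "
                            "delegatecalled, so it is not a token transfer from this Safe")
    return findings


if __name__ == "__main__":
    # Constructed sample: a transfer-shaped payload executed via delegatecall (the pattern above).
    suspicious = encode_exec_transaction("0x" + "11" * 20, 0, TRANSFER_SELECTOR + b"\x00" * 64, DELEGATECALL)
    for finding in review(decode_exec_transaction(suspicious)):
        print("FLAG:", finding)
```

The point of the check is that the signing UI showing a familiar `transfer(...)` selector and a correct-looking address is not enough: the `operation` field decides whether the Safe calls a token contract or lets arbitrary code run inside its own storage, and a hardware wallet displaying only the hash cannot show that difference, so the decoded fields have to be verified on an independent device before the signature is produced.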
A Bybit announcement said that 70 per cent of outstanding requests had been processed. Due to the large transaction volume there may be some delays, but this will not affect the ability to withdraw funds; all withdrawals are being processed normally and will not be halted. Bybit has enough assets to cover the loss, with more than US$20 billion in assets under management, and will use bridge loans if necessary to ensure the availability of user funds.
GuShiio.com learned that Coinbase director Conor Grogan tweeted that Binance and Bitget had just deposited more than 50,000 ETH directly into Bybit's cold wallet, with Bitget's deposit particularly notable at roughly a quarter of all ETH held on that exchange. By bypassing the deposit address, the transfers were clearly coordinated with Bybit itself. Bybit CEO Ben Zhou said: thanks to Bitget for lending a helping hand at this moment; Binance and several other partners are in communication with us, and this money has nothing to do with Binance officially.
GuShiio.com learned that Arkham tweeted that on-chain analyst ZachXBT provided conclusive evidence that the hack on Bybit was carried out by Lazarus Group, a North Korean state-backed hacking group. His submission includes a detailed analysis of test transactions, associated wallets, forensic charts and timing analysis. The relevant information has been shared with Bybit to assist in its investigation.
A Bybit notice said it had reported the case to the relevant authorities and would provide updates as more information becomes available. In addition, cooperation with on-chain analytics providers has helped identify and isolate the relevant addresses, with the aim of reducing the malicious actors' ability to dispose of the ETH through legitimate markets.
GuShiio.com learned that, according to DefiLlama data, Bybit's total outflow over the past 24 hours, including the hacked funds, was $2.399 billion. Currently, more than $14 billion of verifiable on-chain assets remain on the platform, of which Bitcoin and USDT account for nearly 70 per cent.
GuShiio.com learned that Coinbase director Conor Grogan tweeted that the North Korean hack of Bybit has become the largest theft in history, surpassing the theft from the Central Bank of Iraq (about $1 billion). The value of the incident is about 10 times that of the DAO hack in 2016, although the DAO hacker held a higher proportion of the supply (15 per cent vs. <0.5%). The incident may trigger a discussion about forking Ethereum. Conor Grogan said that although he considers calls for a fork too radical, he expects a real debate on the issue. Arthur Hayes said that, as an investor with a large stake in Ethereum, he believes Ethereum ceased to be "money" with the hard fork after the DAO hack in 2016. He said that if the community decided to roll back again he would support the decision, because the community had already voted against immutability in 2016, so why not do it again?
Bitget CEO Gracy said that Bybit is a respected competitor and partner; although the loss is large, it is roughly a year's profit for them, and she believes customer funds are 100% safe, so there is no need for panic or a run. Gracy added that the assets lent to Bybit are Bitget's own assets, not users' assets.