Editor | GuShiio.com Blockchain
On the evening of February 21, Beijing time, on-chain investigator ZachXBT was the first to disclose a suspicious outflow of more than 1.46 billion US dollars from Bybit, with the mETH and stETH involved being swapped for ETH on DEXs. By the value at the time, this has become the largest theft in the history of cryptocurrency.
Conor Grogan, a director at Coinbase, said the North Korean hacker attack on Bybit was the largest hack in history (larger than the roughly $1 billion theft from the Central Bank of Iraq) and about 10 times the amount of the 2016 DAO hack (but a much higher percentage of supply). He expects some calls for an Ethereum fork. (The amounts here are calculated at the value at the time of the theft.)
Arkham tweeted that on-chain analyst ZachXBT had provided conclusive evidence that the $1.5 billion Bybit hack was carried out by Lazarus Group, the North Korea-backed hacking group. His submission included a detailed analysis of test transactions, linked wallets, forensic charts and timing analysis. The relevant information has been shared with Bybit to assist its investigation.
Bybit CEO Ben Zhou tweeted that about an hour earlier, Bybit's ETH multisig cold wallet had made a transfer to the hot wallet. The transaction appears to have been disguised: all the signers saw a spoofed UI that showed the correct address and a URL from Safe, but the message actually signed changed the smart contract logic of the ETH cold wallet. This let the hacker take control of the specific ETH cold wallet that was signed for and transfer all of the ETH in it to this unidentified address. Please rest assured that all other cold wallets are safe and all withdrawals are normal. He will keep everyone informed of further progress, and any team that can help track the stolen funds would be greatly appreciated. Bybit's hot wallets, warm wallets and all other cold wallets are fine; the only wallet compromised by the hackers is the ETH cold wallet. All withdrawals are normal.
Bybit's official Twitter account said Bybit had detected unauthorized activity involving one of its ETH cold wallets. At the time of the incident, the ETH multisig cold wallet performed a transfer to the hot wallet. Unfortunately, the transaction was manipulated through a sophisticated attack that masked the signing interface, displayed the correct address, and changed the underlying smart contract logic. As a result, the attacker was able to take control of the affected ETH cold wallet and transfer its assets to an unidentified address. The security team is actively investigating the incident with leading blockchain forensics experts and partners. Any team with expertise in blockchain analysis and fund recovery that can help trace these assets is welcome to cooperate. Bybit wants to assure its users and partners that all other Bybit cold wallets are completely safe. All customer funds are safe, and operations will proceed as usual without interruption. Transparency and security remain top priorities, and updates will be provided as soon as possible.
Bybit said that all other Bybit cold wallets are safe and customer funds are unaffected and remain safe. It understands that the current situation has led to a surge in withdrawals; although such volume may cause delays, all withdrawals are being processed normally. Bybit has enough assets to cover the loss, with more than $20 billion in assets under management, and will use bridge loans if necessary to ensure that user funds remain available.
Conor Grogan, a director at Coinbase, tweeted that Binance and Bitget had just deposited more than 50,000 ETH directly into Bybit's cold wallet, with Bitget's deposit particularly striking at about 1/4 of all the ETH on that exchange. Since the funds bypassed the normal deposit address, they were clearly coordinated with Bybit itself. Bybit CEO Ben Zhou said: thanks to Bitget for lending a hand at this moment; we are in communication with Binance and several other partners, and these funds have nothing to do with Binance officially.
Bitget CEO Gracy said that Bybit is a respected competitor and partner; although the loss is large, it is roughly one year of their profit, and she believes customer funds are 100% safe, so there is no need for panic or a run on the exchange. Gracy added that the assets lent to Bybit are Bitget's own assets, not users' assets.
The SlowMist team posted some details: the attacker first deployed a malicious implementation contract, then, through a transaction signed by three owners, replaced the Safe implementation contract with the malicious one, and used the backdoor functions sweepETH and sweepERC20 in the malicious contract to drain the hot wallet funds.
Dilation Effect's analysis pointed out that, compared with previous similar incidents, the Bybit attack only required one signer to complete, because the attacker used a social engineering technique. Looking at the on-chain transaction, the attacker executed the transfer function of a malicious contract via delegatecall; that transfer code modifies the value of storage slot 0 with the SSTORE instruction, thereby replacing the address stored in slot 0 of the Bybit cold wallet multisig contract with the attacker's address. The attacker only needs to compromise the person or device that initiates the multisig transaction; the subsequent reviewers are far less vigilant when they see a transfer, because a normal person who sees "transfer" assumes it is a transfer, not realizing it is actually changing the contract.
Chainlink data show that after the Bybit incident was disclosed, USDe briefly dropped to $0.965 before recovering to $0.99. Bybit integrates perpetual contracts in which USDe can be used as collateral to trade all assets in the exchange's UTA. Ethena Labs said in a post that it has been monitoring the situation at Bybit and will continue to follow developments. All spot assets backing USDe are held in off-exchange custody solutions, including the Copper ClearLoop arrangement with Bybit; no spot assets are currently held on any exchange. The total unrealized PnL on Bybit hedging positions is less than $30 million, less than half the size of the reserve fund. USDe remains over-collateralized, and updates will be provided as new information comes in.
CZ, co-founder of Binance, replied that this is not an easy situation to handle, said he might suggest suspending all withdrawals as a standard security precaution, and offered any help if needed. He Yi also expressed willingness to help.
Safe's security team responded that it is working closely with Bybit on an ongoing investigation. There is no evidence that the official Safe front end was compromised, but out of caution Safe Wallet temporarily suspended some functions. Cos of SlowMist said that, as in the earlier Radiant Capital case, this may also have been the work of North Korean hackers. Radiant Capital said the $50 million attack in October, which involved sophisticated identity forgery and multi-stage phishing, was linked to North Korean hacker groups: the attacker impersonated a former contractor and obtained sensitive credentials through social engineering in order to break into the protocol's systems and carry out the attack.
Security analysts believe this is similar to the WazirX and Radiant incidents, in which the signer's computer or an intermediate interface was compromised. A likely scenario: the hacker plants malware on the signer's computer or browser, which swaps the intended transaction for a malicious one before it is sent to the hardware wallet. The malware could sit at any layer of the stack (for example, a malicious extension or the wallet communication path…): the Safe interface was compromised so that it displayed one transaction but sent a different one to the wallet. The end result was that the signer saw an innocent transaction in the Safe interface while the malicious transaction was actually sent to their wallet. We cannot be sure until a full post-mortem is released.
OneKey said it is quite likely that the hackers had already confirmed the computers of Bybit's three multisig signers were compromised, had the conditions to attack in place, and were waiting for the signers to act. When the multisig staff then performed a signing operation such as a routine transfer, the hacker replaced the content being signed. The staff looked at the web page and thought it was an ordinary transaction, without realizing it had been changed to "upgrade the Safe contract to a previously deployed malicious contract". Thus the tragedy occurred, and the hacker easily withdrew the funds through the backdoored malicious contract.
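Dilation Effect's delegatecall/slot 0 analysis and the UI-substitution scenario above come down to one defender-side rule: verify the raw Safe transaction fields on an independent device, not what a web UI renders. The following Python is an added example, not code from the article or from Safe or Bybit; it hand-decodes an `execTransaction` payload (standard library only) and flags `operation=1` (delegatecall) and a `transfer()` selector aimed at a non-allow-listed address. The two 4-byte selectors are the standard Safe and ERC-20 ones; the addresses, token allow-list and sample payloads are constructed placeholders.

```python
# Standard 4-byte selectors for Safe execTransaction(...) and ERC-20 transfer(address,uint256).
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
OP_CALL, OP_DELEGATECALL = 0, 1

def _word(buf: bytes, i: int) -> bytes:
    return buf[i * 32:(i + 1) * 32]

def _pad32(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 32)

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Minimal ABI encoder (gas fields, gasToken, refundReceiver, signatures left zero/empty)."""
    data_off = 10 * 32                            # `data` follows the 10 head words
    sig_off = data_off + 32 + len(_pad32(data))   # `signatures` follows `data`
    head = (bytes.fromhex(to[2:]).rjust(32, b"\0") + value.to_bytes(32, "big")
            + data_off.to_bytes(32, "big") + operation.to_bytes(32, "big")
            + b"\0" * 32 * 5 + sig_off.to_bytes(32, "big"))
    tail = len(data).to_bytes(32, "big") + _pad32(data) + b"\0" * 32  # empty signatures
    return EXEC_TRANSACTION_SELECTOR + head + tail

def decode_exec_transaction(calldata: bytes) -> dict:
    """Extract the fields a signer must verify on the hardware wallet: to, value, data, operation."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    args = calldata[4:]
    data_off = int.from_bytes(_word(args, 2), "big")
    data_len = int.from_bytes(args[data_off:data_off + 32], "big")
    return {"to": "0x" + _word(args, 0)[12:].hex(),
            "value": int.from_bytes(_word(args, 1), "big"),
            "data": args[data_off + 32:data_off + 32 + data_len],
            "operation": int.from_bytes(_word(args, 3), "big")}

def risk_flags(tx: dict, known_tokens: set) -> list:
    """Red flags that hold regardless of what the web UI displayed."""
    flags = []
    if tx["operation"] == OP_DELEGATECALL:
        flags.append("DELEGATECALL: target code runs in the Safe's own storage context "
                     "and can overwrite slot 0, the proxy's implementation address")
    if tx["data"][:4] == ERC20_TRANSFER_SELECTOR and tx["to"] not in known_tokens:
        flags.append("transfer() selector but `to` is not an allow-listed token contract")
    return flags

# Constructed samples (placeholder addresses): a benign ERC-20 transfer and a look-alike via delegatecall.
KNOWN_TOKENS = {"0x" + "11" * 20}
TRANSFER_DATA = (ERC20_TRANSFER_SELECTOR + bytes.fromhex("22" * 20).rjust(32, b"\0")
                 + (10**18).to_bytes(32, "big"))
BENIGN_TX = encode_exec_transaction("0x" + "11" * 20, 0, TRANSFER_DATA, OP_CALL)
LOOKALIKE_TX = encode_exec_transaction("0x" + "bad0" * 10, 0, TRANSFER_DATA, OP_DELEGATECALL)
```

Both payloads carry an identical `transfer(...)` selector, so a UI that only names the function shows the same thing for each; only the decoded `operation` and `to` fields tell them apart.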
Bybit said it will not buy ETH immediately but will rely on partners for bridge loans. It will ensure that all users can withdraw, but because traffic is 100 times higher than usual, processing will take some time, and large withdrawals will be subject to some risk checks.
Dilation Effect pointed out that the common setup of ordinary hardware wallets plus a Safe multisig has long been unable to meet the security management needs of large funds. If an attacker is patient enough to compromise multiple signers, there is no further safeguard anywhere in the process. Large funds must be managed with an institutional custody solution.
According to DeFiLlama, Bybit's total outflows over the past 24 hours, including the hacked funds, were $2.399 billion. More than $14 billion of verifiable assets remain on the platform's on-chain addresses, of which Bitcoin and USDT account for nearly 70 per cent. Bybit's notice said it had reported the case to the relevant authorities and would provide updates when more information was available. In addition, cooperation with on-chain analytics providers has helped identify and isolate the relevant addresses, with the aim of reducing the malicious actors' ability to dispose of the ETH through legitimate markets.
This incident may trigger a debate about an Ethereum fork. Conor Grogan said that although he considers calls for a fork too radical, he expects a real debate on the issue. Arthur Hayes said that, as an investor with a large stake in Ethereum, he believes Ethereum ceased to be "currency" after the hard fork following the 2016 DAO hack. If the community decides to roll back again, he would support the decision, because the community already voted against immutability in 2016, so why not do it again?