Original | Odaily Planet Daily (@OdailyChina)
Last night, Bybit co-founder and CEO Ben Zhou posted on X a forensic report on the hack prepared by Sygnia and Verichains, which attributed the theft of funds to vulnerabilities in the Safe infrastructure. According to the report, malicious code was deployed at 15:29:25 UTC on February 19, specifically targeting Bybit's Ethereum multi-signature cold wallet. Following this news, SAFE briefly dropped over 10%, with the price starting from $0.5 and briefly falling below $0.44.
Next, Odaily Planet Daily summarizes the response from the Safe team and community opinions after Bybit pointed out vulnerabilities in Safe.
Introduction to the Safe Project
Safe was originally known as Gnosis Safe, and the project initially served as a multi-signature tool for the Gnosis team to manage ICO funds. However, the team later decided to promote this internal tool as a public service.
With the project's development and the evolution of industry narratives (especially the rise of the account abstraction concept), Safe has transformed from a simple multi-signature tool into a modular smart contract account infrastructure. Its aim is to gradually replace today's mainstream Externally Owned Accounts (EOAs) with smart contract accounts as the default, laying the foundation for further cryptocurrency adoption.
Safe's publicly disclosed funding history includes only one round. In July 2022, Safe announced the completion of a $100 million strategic financing round, led by 1kx, with participation from Tiger Global, A&T Capital, Blockchain Capital, Digital Currency Group, IOSG Ventures, Greenfield One, Rockaway Blockchain Fund, ParaFi, Lightspeed, Polymorphic Capital, Superscrypt, and over 50 other strategic partners and industry experts (the lineup of that year's top talents).
Safe's official response to the Bybit hacker forensic report: No vulnerabilities in contracts and front-end code
In response to the Bybit hacker forensic report, the Safe{Wallet} team conducted a detailed investigation at the first opportunity, analyzing the targeted attack by the Lazarus Group on Bybit (the Lazarus Group, also known as "Guardians of Peace" or "Whois Team," is a hacker organization composed of an unknown number of individuals, allegedly controlled by the North Korean government. Although little is known about the organization, researchers have attributed multiple cyberattacks to them since 2010).
The theft of Bybit's funds was due to the compromise of developer machines, and there were no vulnerabilities in the contracts or front-end code. The team confirmed that the attack was not executed through vulnerabilities in the Safe smart contract or front-end code, but rather through the infection of Safe{Wallet} developers' machines, which initiated disguised malicious transactions. Forensic analysis by external security experts found no security issues at the system or contract level, indicating that the root cause of the attack lay in the security vulnerabilities of the developer machines.
After the incident, Safe{Wallet} took comprehensive countermeasures, rebuilt all infrastructure, updated credentials, and completely eliminated the attack vector. Currently, Safe{Wallet} has resumed normal operations on the Ethereum mainnet, adopting a phased rollout approach to ensure system security. Meanwhile, the Safe{Wallet} team will continue to promote transaction verifiability and is committed to enhancing Web3 security and industry transparency. Although the Safe{Wallet} front-end is operating normally and has implemented additional security measures, the team still reminds users to exercise extra caution when signing transactions and to remain highly vigilant.
However, the incident report released by Safe has not been widely accepted. The vague wording in the report is seen as obscuring the core issues, as Binance co-founder CZ stated on the X platform, "While I usually do not criticize other industry participants, several issues in the report were not clearly explained, leaving more questions than answers after reading."
Details on why the Safe front-end was tampered with still need to be disclosed
“The Safe brand currently only lives up to the smart contract part.” Yu Xian from SlowMist stated on the X platform, “Safe was ultimately breached; indeed, the smart contract part is fine (easily verifiable on-chain), but the front-end was tampered with and forged to achieve a deceptive effect. As for why it was tampered with, we await details from Safe's official disclosure.”
“Afraid of alarming the snake, so just guarding this big fat rabbit, Bybit.”
Safe can be considered a type of security infrastructure, and many people have used problematic versions. Theoretically, all users of this multi-signature wallet could have been robbed as Bybit was, but since they are not Bybit, the attack was not triggered. Therefore, all other services with front-ends, APIs, and user interaction could have this risk, which is also a classic supply chain attack. Perhaps the security management model for large/huge assets needs a significant upgrade.
Additionally, community members pointed out that with only two months left until the investors unlock their funds, the current negative impact has intensified the time pressure faced by Safe, and whether it can overcome this challenge remains uncertain.
Summary
In this incident, the vulnerabilities of Safe exposed several key issues in the Web3 security field, sounding an alarm for the entire industry.
First, managing the complexity of smart contracts is crucial, especially in applications with complex functions like multi-signature wallets. Although the original design of multi-signature wallets was to enhance security, complex functions like delegatecall, if not managed properly, can lead to potential security vulnerabilities. Therefore, smart contracts must undergo rigorous audits and thorough testing to ensure no vulnerabilities are overlooked.
Second, the importance of front-end verification cannot be ignored. Hackers implemented attacks by tampering with the front-end interface, resulting in the loss of user assets, which exposed the weak points in front-end anti-tampering measures. To prevent such attacks, it is essential to strengthen the verification mechanisms of user interfaces, ensuring that every step can effectively identify malicious disguises and avoid misleading users when signing transactions.
Finally, comprehensive permission control and real-time risk scanning are key to preventing similar incidents from occurring again. The lack of detailed permission management and real-time monitoring systems allowed attackers to easily breach defenses and execute malicious operations. Therefore, when designing and implementing smart contracts, it is necessary to introduce multi-confirmation mechanisms, provide additional protection for high-risk operations, and enhance real-time risk monitoring to promptly identify and address potential threats.
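One form the front-end verification and extra protection for high-risk operations described above could take, as an added example that is not Safe's or Bybit's code: an independent check that decodes the to, value, data and operation fields from ABI-encoded execTransaction calldata, compares them with what the operator intended, and flags delegatecall to any target outside an allowlist. The function names, addresses and sample calldata are constructed for illustration.

```python
SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,...)
CALL, DELEGATECALL = 0, 1             # Safe's Enum.Operation values

def decode_exec_transaction(calldata: bytes) -> dict:
    """Extract to/value/data/operation from ABI-encoded execTransaction calldata."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < 10 * 32:
        raise ValueError("truncated argument head")
    word = lambda i: int.from_bytes(args[32 * i:32 * i + 32], "big")
    off = word(2)                      # offset of the dynamic `data` argument
    if off + 32 > len(args):
        raise ValueError("data offset out of range")
    size = int.from_bytes(args[off:off + 32], "big")
    if off + 32 + size > len(args):
        raise ValueError("data length out of range")
    return {"to": "0x" + args[12:32].hex(), "value": word(1),
            "data": args[off + 32:off + 32 + size], "operation": word(3)}

def precheck_findings(tx: dict, intent: dict, delegatecall_allowlist=frozenset()) -> list:
    """Compare the decoded payload with the operator's intent; return problems found."""
    findings = []
    if tx["operation"] == DELEGATECALL and tx["to"] not in delegatecall_allowlist:
        findings.append("delegatecall to a target outside the allowlist")
    elif tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    for field in ("to", "value", "data"):
        if tx[field] != intent[field]:
            findings.append(f"{field} differs from the intended transaction")
    return findings

def encode_sample(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build constructed calldata for the demo (zero gas fields, empty signatures)."""
    w = lambda n: n.to_bytes(32, "big")
    padded = data + b"\x00" * (-len(data) % 32)
    head = [w(int(to, 16)), w(value), w(320), w(operation)] + [w(0)] * 5
    head.append(w(320 + 32 + len(padded)))   # offset of `signatures`
    return SELECTOR + b"".join(head) + w(len(data)) + padded + w(0)

# Constructed sample values, not taken from the incident.
TOKEN, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
INTENT = {"to": TOKEN, "value": 0, "data": bytes.fromhex("a9059cbb") + bytes(64)}
CLEAN = encode_sample(TOKEN, 0, INTENT["data"], CALL)
TAMPERED = encode_sample(OTHER, 0, INTENT["data"], DELEGATECALL)

if __name__ == "__main__":
    print(precheck_findings(decode_exec_transaction(CLEAN), INTENT))
    print(precheck_findings(decode_exec_transaction(TAMPERED), INTENT))
```

Such a check only helps when it runs on a machine and code path independent of the web interface whose output it is verifying.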