The $1.4 billion hack of the Bybit exchange came as a thunderclap. First, the amount of stolen cryptocurrency is staggering. Second, the security systems of large CEX platforms are considered quite reliable and elaborate, yet that appears not to be the case.
Companies (Arkham) and individual experts (ZachXBT) are looking for signs of outside influence and tracing the path of the funds to find out whom they lead to. In the meantime, the anonymous security expert Dexaran, author of ERC-223 and head of Ethereum Commonwealth, has looked deeper into the attack itself and concluded that the defense mechanism wasn't really that robust, and that someone inside Bybit could conceivably be involved in the hack.
Multisig has proven to be unreliable.
The vast majority of exchanges use multisig wallets to store assets. A multisig wallet is a special smart contract that can only be acted upon if the people involved in its management approve the proposed action with their signatures. Such smart contracts can be upgradeable, i.e. consist of a proxy contract that stores the data paired with an implementation contract that holds the logic to be executed.
In one of his posts, Dexaran gives the address of the proxy contract of the attacked Bybit cold wallet, which uses Gnosis Safe as the implementation contract, rightly noting that it is a rather complex contract of 1080 lines. It may well be that the Bybit team never used the full functionality of Gnosis Safe. Most likely, the choice of this multi-signature smart contract was influenced by the widespread adoption of Gnosis Safe. Complexity, however, often leads to redundancy and to misunderstanding of how the code behaves in complex situations; one can recall the incorrect user interaction with Gnosis Safe that led to the loss of $25 million.
The Achilles' heel of the multisig turned out to be the signatures, or rather how and with what tools they are generated. As Dexaran notes, signatures are very complex and unreadable by humans, which means that software is most likely used to generate them, and the researcher suggests that the process is the same for all participants.
That is why the other members of the Bybit team did not suspect anything: everything looked as usual, and the complexity of the signature provided by the hacker kept them from seeing that Bybit's hot wallet had been replaced with the hacker's wallet.
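One way a signer could make such a request readable before approving it, shown as an added example that is not from the article and not Bybit's or Safe's own tooling: it decodes the ABI-encoded calldata of Safe's execTransaction call into named fields and flags a destination outside an approved set. The addresses and calldata are constructed placeholders; the allowlist policy and the helper names are assumptions.

```python
# Added example: decode Safe execTransaction calldata into fields a signer can read.
SELECTOR = bytes.fromhex("6a761202")  # 4-byte selector of Safe's execTransaction(...)
FIELDS = ["to", "value", "data", "operation", "safeTxGas", "baseGas",
          "gasPrice", "gasToken", "refundReceiver", "signatures"]
ADDRESSES = {"to", "gasToken", "refundReceiver"}
DYNAMIC = {"data", "signatures"}  # encoded as an offset to (length, bytes)

def word(body: bytes, pos: int) -> int:
    """Read one 32-byte big-endian ABI word, rejecting truncated input."""
    if pos + 32 > len(body):
        raise ValueError("calldata truncated")
    return int.from_bytes(body[pos:pos + 32], "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call")
    body, tx = calldata[4:], {}
    for i, name in enumerate(FIELDS):
        raw = word(body, 32 * i)
        if name in DYNAMIC:
            length = word(body, raw)
            if raw + 32 + length > len(body):
                raise ValueError("calldata truncated")
            tx[name] = body[raw + 32:raw + 32 + length]
        elif name in ADDRESSES:
            tx[name] = "0x" + raw.to_bytes(32, "big")[12:].hex()
        else:
            tx[name] = raw
    return tx

def review(tx: dict, allowed: set) -> list:
    """Return findings a signer should resolve before approving."""
    findings = []
    if tx["to"] not in allowed:
        findings.append(f"destination {tx['to']} is not an approved address")
    if tx["operation"] == 1:  # Safe Enum.Operation: 0 = Call, 1 = DelegateCall
        findings.append("operation is DelegateCall, not a plain transfer")
    return findings

def sample_calldata(to: str, operation: int, data: bytes = b"") -> bytes:
    """Build constructed calldata for the demo (not taken from any real transaction)."""
    w = lambda n: n.to_bytes(32, "big")
    pad = lambda b: b + b"\x00" * (-len(b) % 32)
    sigs = b"\x11" * 65  # placeholder bytes, not a valid signature
    head = [w(int(to, 16)), w(0), w(320), w(operation)] + [w(0)] * 5
    head.append(w(320 + 32 + len(pad(data))))
    return SELECTOR + b"".join(head) + w(len(data)) + pad(data) + w(len(sigs)) + pad(sigs)

HOT_WALLET = "0x" + "aa" * 20   # constructed placeholder for the expected destination
UNKNOWN = "0x" + "bb" * 20      # constructed placeholder for a substituted destination
print(review(decode_exec_transaction(sample_calldata(UNKNOWN, 1)), {HOT_WALLET}))
```

The check is only useful when it runs on a machine and code path independent of the interface that prepared the transaction, so that each signer sees the fields from a second source.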
There is no reason not to trust Dexaran's expertise. He has extensive experience auditing smart contracts since the Ethereum split. He audited the multisig wallet for Ethereum Classic, and developed the ERC-223 standard and the smart contract communication model to solve the ERC-20 problem.
Why would a hacker be inside Bybit? Sure, the Gnosis Safe contract and the proxy contract are verified in the Etherscan block explorer, anyone can read the code, and the hacker could just be a smart guy. However, the fact that he clearly knows how signatures are generated is either a rare coincidence and a lucky break for the hacker, or he simply knows the inner workings of Bybit's security system from his direct job duties or from an informant. In addition, the hacker didn't just walk by: he deployed two copies of the target contract for practice the day before.
Hacker trails
A researcher under the nickname ZachXBT traced the flow of funds to an address that accumulated funds from the Phemex hack. This fact is taken as proof of Lazarus Group involvement in the Bybit hack. Considering that a hacker or group of hackers was splitting the funds and withdrawing them through various bridges and mixers, the researcher has accomplished a Herculean task.
In turn, Dexaran draws attention to the chain of addresses through which the hacker's addresses were topped up to pay for gas for calls to the test contracts and for sending the signed transaction that withdrew funds from the exchange's cold wallet. It turns out the hacker funded his addresses through the Binance exchange. Binance is fully compliant with KYC/AML policies and is quite willing to work with various law enforcement agencies. Of course, hackers use so-called "money mules", but it is still a clue when an exchange cooperates with law enforcement.
As soon as it became known that the exchange had been hacked and an astronomical amount of ETH had been withdrawn, the market experienced selling pressure. Traders obviously rushed to hedge their bets, believing that the hackers would cash out the stolen money.
Source: CoinMarketCap
After withdrawals from the exchange were opened, users also rushed to withdraw their funds, resulting in an outflow of $5.3 billion (DeFi Llama).
Various companies have gotten involved in tagging the stolen funds and limiting the hackers' ability to use different platforms to mix and transfer funds between blockchains. Tether, the issuer of USDt, blocked the hackers' funds (Paolo Ardoino).
However, not everyone is moving in unison. The crypto mixer eXch has refused to cooperate with the exchange.
“In light of these circumstances, we would like an explanation as to why we should partner with an organization that has actively defamed our reputation,” eXch wrote in a response posted on the Bitcointalk forum.
Amazingly, there are people calling for a rollback of the Ethereum blockchain to recover Bybit's funds, one of them being Jan3 CEO Samson Mow.
These calls sound a bit strange when ordinary users who lose their funds are accused of negligence. It's not uncommon for users to mistakenly send funds to the exchange from the wrong EVM network, and all the exchange needs to do is use a public node to send the user's funds back, but in 99.9% of cases they refuse. Plus, Bybit has assured that it has enough reserves to cover all losses.
These people unknowingly call for burying all the efforts made by the blockchain industry by completely abolishing decentralization, thus reducing the very value of public blockchain technology to 0.
Fortunately, the developers of Ethereum themselves are against such a move and have more than justified their position, for example core developer Tim Beiko.
And they have enough supporters on this issue advocating decentralization and the cypherpunk philosophy, such as Justin Bons.
Bybit itself launched a bounty program, thus announcing a hunt for hackers involved in the hack.
Conclusion
The community is used to periodic hacks of DeFi protocols. On these platforms, developers often neglect testing procedures and audits and choose modules whose code and logic they don't fully understand, all for the sake of development speed and out of fear of missing the wave. A CEX hack, especially a large one, is by contrast always a high-profile event that leaves a lasting impression on the whole industry.
Developers at all levels should remember that the race between defense mechanisms and hacking tools never stops, and should stay on guard.