Full Report
Research by Dikla Barda, Roman Ziakin and Oded Vanunu

On February 21st, Check Point Blockchain Threat Intel System alerted on a critical attack log on the Ethereum blockchain network. The log indicated that the AI engine identified an anomalous change in this transaction and categorized it as a critical attack in real time. It was indicated that […]

The post The Bybit Incident: When Research Meets Reality appeared first on Check Point Research.
Analysis Summary
# Incident Report: Bybit Cold Wallet Theft via Safe Storage Overwrite and UI Manipulation
## Executive Summary
Attackers stole approximately $1.5 billion in digital assets, mostly ETH (roughly 400,000 ETH), from a Bybit cold wallet by tricking the wallet's multisig signers into approving a malicious transaction. The signers saw a benign transaction in the wallet interface but signed a payload that ran attacker-controlled code inside the Gnosis Safe contract via `delegatecall`. The Safe's own contract logic was not broken: the signatures were valid for the malicious payload. The incident shows that a compromised signing interface defeats even a well-configured multisig, because the contract can only verify that the required signers approved a transaction hash, not that they understood what that hash covered.
## Incident Details
- Discovery Date: February 21st (real-time alert from Check Point Blockchain Threat Intel System)
- Incident Date: February 21st for the malicious on-chain transaction; the compromise of the signers' environment preceded it (date not specified in the source)
- Affected Organization: Bybit
- Sector: Digital Asset Exchange / Cryptocurrency
- Geography: Not geographically bounded; the theft took place on the Ethereum blockchain
## Timeline of Events
### Initial Access
- Date/Time: Not specified; precedes the malicious transaction of February 21st.
- Vector: Social engineering and manipulation of the transaction-signing UI presented to the multisig signers.
- Details: The attackers identified the wallet's multisig signers and controlled what those signers saw at signing time. The source does not identify the mechanism; malware on a signer device, phishing, or a compromise of the wallet front-end's supply chain are all consistent with the observed outcome.
### Lateral Movement
- Details: No internal network lateral movement is described. The attack moved from the signers' compromised environment to the Gnosis Safe contract itself: a transaction carrying the signers' valid signatures specified a `delegatecall`, which ran attacker code in the Safe's own storage context.
### Data Exfiltration/Impact
- Details: The approved transaction used `delegatecall` to run attacker-controlled code in the context of the Safe. That code wrote to the Safe's storage `SLOT[0]`, which in a Gnosis Safe proxy holds the address of the implementation (master copy) contract that the proxy delegates every call to, replacing it with the attacker's implementation (`0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516`). With the proxy now running attacker code, the attacker's sweep functions drained the wallet, roughly 400,000 ETH worth approximately $1.5 billion, to the attacker wallet `0x47666fab8bd0ac7003bce3f5c3585383f09486e2`.
### Detection & Response
- Detection: Check Point Blockchain Threat Intel System flagged the transaction in real time on February 21st; its AI engine classified the state change as anomalous and the transaction as a critical attack.
- Response Actions: Not detailed in the source beyond the alert; the write-up focuses on analysis of the exploit itself.
## Attack Methodology
- Initial Access: Compromise of the multisig signers' signing environment (malware, phishing, or a front-end supply-chain compromise; the source does not specify which).
- Persistence: Once the Safe proxy's implementation pointer (`SLOT[0]`) pointed at the attacker's contract, every subsequent call to the wallet ran attacker code, so the attacker retained control without needing further signatures.
- Privilege Escalation: Not applicable in the traditional sense; the attacker obtained fully authorized execution by borrowing the signers' authority.
- Defense Evasion: The Safe contract performed its normal checks and found a valid signature set over the malicious payload. Evasion happened one layer up: the UI showed the signers a benign transaction while the hash they signed covered a `delegatecall` to attacker code.
- Credential Access: Control over the signers' environment sufficient to obtain valid signatures on an attacker-chosen transaction; the source does not assert that private keys were stolen.
- Discovery: Identification of the signers for the target wallet.
- Lateral Movement: `delegatecall` from the Safe to the attacker's contract, executing its code with the Safe's storage and balance.
- Collection: Overwrite of the Safe proxy's implementation address, redirecting all later delegation to the attacker's contract.
- Exfiltration: Execution of the attacker contract's sweep functions through the hijacked proxy to transfer the funds out.
- Impact: Theft of approximately $1.5 billion in cryptocurrency assets.
## Impact Assessment
- Financial: Theft of approximately $1.5 billion worth of digital assets (roughly 400,000 ETH).
- Data Breach: Theft of high-value digital assets only; the source mentions no PII or customer-data breach.
- Operational: Significant disruption from the loss of reserve assets.
- Reputational: Major negative impact; the incident undercuts the widespread assumption that multisig cold storage cannot be drained without a key compromise.
## Indicators of Compromise
- Attacker Wallet/Executor: `0x47666fab8bd0ac7003bce3f5c3585383f09486e2`
- Malicious Implementation Contract (written into `SLOT[0]`, the Safe proxy's delegate target): `0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516`
- Protocol Misuse: A Gnosis Safe `execTransaction` call carrying valid signer signatures but specifying the `delegatecall` operation (operation = 1) to a contract outside the wallet's normal targets.
- Behavioral indicators: A `delegatecall` from a Safe that writes `SLOT[0]` (the implementation pointer). Any change to that slot outside an explicit, reviewed upgrade should be treated as a critical alert.
## Response Actions
- Containment Measures: Specific containment actions by Bybit are not detailed in the source; the detection system provided near real-time alerting on the transaction.
- Eradication Steps: Not detailed; would normally involve revoking the compromised signers' keys or devices and rebuilding the signing environment.
- Recovery Actions: The source makes no mention of asset recovery.
## Lessons Learned
- A multisig cold wallet is only as strong as what its signers actually see. If the signing interface can be manipulated, the signature threshold is met legitimately for an illegitimate transaction, and sound contract logic offers no protection.
- UI manipulation and social engineering bypass cryptographic controls without breaking them: every signature on the malicious transaction was valid.
- A Safe verifies that the required signers approved a transaction hash; it cannot verify that the signers understood the transaction behind it. When a signer's local environment is compromised, that gap is the entire attack surface.
## Recommendations
- Validate Every Transaction Independently of the Wallet UI: Decode the raw `execTransaction` calldata on a separate, trusted device, compare the EIP-712 safe transaction hash shown on the hardware signer with one recomputed from the decoded fields, and treat any `delegatecall` (operation = 1) or any target contract outside an approved list as a blocking red flag, regardless of what the client displays.
- Harden the Signers' Environment: Sign cold-wallet transactions on air-gapped or dedicated devices using hardware signers whose trusted display shows the decoded transaction fields (target, value, operation, calldata), so that a tampered host UI cannot substitute the payload unnoticed.
- Limit What a Deceived Quorum Can Do: Re-evaluate whether the treasury Safe needs unrestricted `delegatecall` at all, and add on-chain policy controls such as a Safe transaction guard that rejects delegatecalls and transfers to non-allowlisted addresses even when the signatures are valid.
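The following is an added example and is not part of the Check Point write-up or of Bybit's or Safe's own code. It illustrates two points made above: the Data Exfiltration/Impact mechanism (a `transfer(address,uint256)` payload executed through `delegatecall` writes the Safe's own storage, with slot 0 being the implementation pointer, rather than moving tokens) and the first recommendation (decoding the raw `execTransaction` calldata and checking it against a policy, independent of what the wallet UI shows). The function selectors `0x6a761202` (execTransaction) and `0xa9059cbb` (transfer) are the real Safe and ERC-20 selectors; every address in the sample, the 65-byte all-zero signature blob, and the allowlist are constructed placeholders, not incident data.

```python
"""Signer-side check for a Gnosis Safe execTransaction() call (added example).

Decodes the raw calldata by hand (no web3 dependency) and flags what a
manipulated wallet UI would hide: a DELEGATECALL operation, an unknown target,
or a transfer(address,uint256) payload that, under DELEGATECALL, writes the
Safe's own storage (slot 0 = implementation pointer) instead of moving tokens.
"""
from typing import Any, Dict, List

WORD = 32
# execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1                # Safe Enum.Operation values

# Constructed placeholder addresses (not incident IoCs)
ZERO = "0x" + "00" * 20
TOKEN = "0x" + "11" * 20     # hypothetical allowlisted ERC-20 the signer expected to call
TROJAN = "0x" + "41" * 20    # hypothetical attacker-deployed contract actually targeted
NEW_IMPL = "0x" + "42" * 20  # hypothetical attacker implementation written into slot 0


def _word(n: int) -> bytes:
    return n.to_bytes(WORD, "big")


def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(WORD, b"\x00")


def _dynamic(b: bytes) -> bytes:
    """ABI tail for a `bytes` value: length word, then data padded to 32 bytes."""
    return _word(len(b)) + b + b"\x00" * (-len(b) % WORD)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes) -> bytes:
    """ABI-encode execTransaction with zero gas/refund parameters."""
    head_len = 10 * WORD                  # ten parameters, one head word each
    data_tail = _dynamic(data)
    head = b"".join([
        _addr(to), _word(value), _word(head_len), _word(operation),
        _word(0), _word(0), _word(0),     # safeTxGas, baseGas, gasPrice
        _addr(ZERO), _addr(ZERO),         # gasToken, refundReceiver
        _word(head_len + len(data_tail)),  # offset of `signatures`
    ])
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + _dynamic(signatures)


def decode_exec_transaction(calldata: bytes) -> Dict[str, Any]:
    """Decode the ten execTransaction parameters from raw calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]

    def uint(i: int) -> int:
        return int.from_bytes(body[i * WORD:(i + 1) * WORD], "big")

    def addr(i: int) -> str:
        return "0x" + body[i * WORD + 12:(i + 1) * WORD].hex()

    def dyn(i: int) -> bytes:
        off = uint(i)
        length = int.from_bytes(body[off:off + WORD], "big")
        return body[off + WORD:off + WORD + length]

    return {"to": addr(0), "value": uint(1), "data": dyn(2), "operation": uint(3),
            "safeTxGas": uint(4), "baseGas": uint(5), "gasPrice": uint(6),
            "gasToken": addr(7), "refundReceiver": addr(8), "signatures": dyn(9)}


def check_policy(tx: Dict[str, Any], allowed_targets: List[str]) -> List[str]:
    """Return blocking findings; an empty list means the call passes the policy."""
    findings: List[str] = []
    if tx["operation"] == OP_DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code runs with the Safe's storage")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx['to']} is not an allowlisted contract")
    if tx["operation"] == OP_DELEGATECALL and tx["data"][:4] == TRANSFER_SELECTOR:
        # first ABI argument: 12 bytes of padding then the 20-byte address
        new_slot0 = "0x" + tx["data"][16:36].hex()
        findings.append(f"transfer(address,uint256) under DELEGATECALL would write {new_slot0} "
                        "into the Safe's storage slot 0 (implementation pointer), not move tokens")
    return findings


def build_sample_calldata() -> bytes:
    """Constructed sample: looks like an ERC-20 transfer, is a DELEGATECALL to TROJAN."""
    payload = TRANSFER_SELECTOR + _addr(NEW_IMPL) + _word(0)
    return encode_exec_transaction(TROJAN, 0, payload, OP_DELEGATECALL, b"\x00" * 65)


def audit_sample() -> List[str]:
    return check_policy(decode_exec_transaction(build_sample_calldata()), [TOKEN])


if __name__ == "__main__":
    for finding in audit_sample():
        print("BLOCK:", finding)
```

The same payload sent with `OP_CALL` to the allowlisted token passes the policy, which is exactly the benign transaction a manipulated UI would have rendered; the only differences are the operation byte and the target address, neither of which a signer can see without decoding the calldata. A production version of this check would also recompute the EIP-712 safe transaction hash from the decoded fields (which needs keccak256, not in the Python standard library and so omitted here) and require it to match the hash shown on the hardware signer's display.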