Bybit has disclosed that the $1.4 billion hack did not compromise its own infrastructure, as initially feared. Instead, the breach was traced back to a compromised Safe developer machine, shedding light on the intricacies of the attack and the subsequent forensic findings.
According to Bybit’s forensic report, the attack was orchestrated through Safe’s AWS S3 bucket, allowing malicious actors to manipulate the wallet front end. This manipulation was made possible by injecting harmful JavaScript into key resources, enabling the attackers to alter transaction contents during the signing process.
Safe’s separate report further confirmed these findings, stating that the hackers utilized a compromised machine to submit a disguised malicious transaction proposal. The injected code was designed to target specific contract addresses, including Bybit’s contract address, indicating a targeted approach rather than a widespread attack.
Forensic investigations conducted by Bybit, Sygnia, and Verichains corroborated these findings, linking the attack to tactics used by the North Korean hacker group Lazarus. Despite the attackers' efforts to erase traces of the compromise by uploading updated versions of the JavaScript resources, the attack vector was identified, highlighting the need for enhanced security measures.
Yu Xian, founder of SlowMist, emphasized the need for improved security management models for large assets, pointing out that all user-interactive services with front-ends could be at risk. He suggested that implementing basic subresource integrity (SRI) verification could prevent similar exploits, underscoring the importance of small security details in thwarting cyber threats.
In response to the incident, Safe has initiated a comprehensive investigation to assess the extent of the compromise and has rebuilt its infrastructure to mitigate future risks. The platform has been restored on the Ethereum mainnet with enhanced security measures, although users are advised to exercise caution when signing transactions.
Lessons learned from the incident include the importance of holding entities accountable and implementing robust security practices. Hasu stressed the need for infrastructural improvements at Bybit, while Jameson Lopp recommended peer review and multiple employee involvement in code deployments to bolster security measures. Mudit Gupta criticized the lack of oversight in Safe’s development process, advocating for stricter monitoring and access controls.
Overall, the incident underscores the critical need for proactive security measures in the ever-evolving landscape of cryptocurrency exchanges and DeFi applications. By learning from past breaches and implementing best practices, the industry can strengthen its resilience against cyber threats and safeguard user assets.