
Now that we know who's behind the Bybit attack

2025-02-22, David
https://archive.is/r0Kza
#Bybit

David | crypto/acc (@dhkleung), 9 tweets
Now that we know who's behind the @Bybit attack, let's look at how the hack actually worked.

At a high level, the hack involved 4 broad groups of events:

1. Attacker deployed a trojan contract and a backdoor contract.

2. Attacker tricked signers of the upgradeable multisig "cold" wallet into authorizing a malicious ERC-20 transfer to a trojan contract.

3. Instead of transferring tokens, the trojan contract replaces the master copy of the actual Safe multisig implementation contract with the backdoor contract, which is solely controlled by the attacker.

4. The attacker called sweepETH and sweepERC20 to drain the wallet of all its native ETH, mETH, stETH, and cmETH tokens.

Reports have surfaced that the devices used to authorize the multisig wallet ERC-20 transfer were compromised.

This theory is quite likely, because the said transfer was highly unusual. It is unlikely a transaction like this would bypass the typical operations …
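Steps 2 and 3 above, seen from the signer's side, as an added example that is not part of the thread and not Bybit's or Safe's code: decode a Safe `execTransaction` payload and flag a delegatecall (the only way a called contract can overwrite the proxy's master copy), a non-allow-listed target, or calldata that is not a plain ERC-20 transfer before anyone signs. The selector and ABI layout are those of the public Safe contracts; the addresses and sample calldata are constructed.

```python
# Added example, not from the thread: pre-signing review of Safe execTransaction
# calldata. Selector/ABI layout are the published Safe ones; addresses are constructed.
from dataclasses import dataclass

EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1                     # Safe Enum.Operation values

def w(x: int) -> bytes:                 # one uint256 ABI word
    return x.to_bytes(32, "big")

def addr(a: str) -> bytes:              # address, left-padded to a word
    return bytes(12) + bytes.fromhex(a[2:])

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int

def encode_exec_transaction(tx: SafeTx) -> bytes:
    # 10 head words: to, value, data offset, operation, 3 gas params, gasToken,
    # refundReceiver (both zero), signatures offset; tail = data + empty signatures.
    pdata = tx.data.ljust((len(tx.data) + 31) // 32 * 32, b"\0")
    data_off = 10 * 32
    sigs_off = data_off + 32 + len(pdata)
    head = addr(tx.to) + w(tx.value) + w(data_off) + w(tx.operation) + w(0) * 5 + w(sigs_off)
    return EXEC_TX_SELECTOR + head + w(len(tx.data)) + pdata + w(0)

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    if calldata[:4] != EXEC_TX_SELECTOR:
        raise ValueError("not an execTransaction call")
    a = calldata[4:]
    data_off = int.from_bytes(a[64:96], "big")
    data_len = int.from_bytes(a[data_off:data_off + 32], "big")
    return SafeTx(to="0x" + a[12:32].hex(), value=int.from_bytes(a[32:64], "big"),
                  data=a[data_off + 32:data_off + 32 + data_len],
                  operation=int.from_bytes(a[96:128], "big"))

def review(tx: SafeTx, token_allowlist: set[str]) -> list[str]:
    # Findings a signer should read before approving; [] means a plain transfer to a known token.
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("delegatecall: callee runs in the Safe proxy's storage and can overwrite its master copy")
    if tx.to.lower() not in {t.lower() for t in token_allowlist}:
        findings.append("target is not an allow-listed token contract")
    if tx.data[:4] != ERC20_TRANSFER:
        findings.append("calldata is not transfer(address,uint256)")
    return findings
```

A hardware wallet that shows only "ERC-20 transfer" hides the `operation` byte, which is exactly the field this check surfaces.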