lazarusholic

Technical Analysis of the Bybit Hot Wallet Exploit

2025-02-25, Verichains
https://blog.verichains.io/p/technical-analysis-of-the-bybit-hot
#Bybit

Contents

Overview
On February 21, 2025, at 14:13:35 UTC, a malicious transaction was executed that upgraded the implementation of the Bybit Hot Wallet Proxy via a call from SafeWallet. This analysis details the sequence of events, on-chain operations, and potential attacker methodology.
Compromised Transaction Details
The malicious transaction that upgraded the implementation of the Bybit Hot Wallet, called from SafeWallet:
Timestamp: Feb-21-2025, 14:13:35 UTC
Transaction: 0x46dee (Etherscan)
Key Addresses:
Bybit Hot Wallet Proxy: 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4
GnosisSafe (v1.1.1): 0x34cfac646f301356faa8b21e94227e3583fe3f5f
Malicious Implementation Contract: 0x96221423681a6d52e184d440a8efcebb105c7242
On-Chain Flow of the Exploit
Initiation by the Hacker:
Hacker Address: 0x0fa09c3a328792253f8dee7116848723b72a6d2e
The attacker initiates a call to the Hot Wallet Proxy (0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4).
Delegated Calls:
The proxy executes a delegatecall to the legitimate GnosisSafe contract (0x34cfac646f301356faa8b21e94227e3583fe3f5f).
Next, a further delegatecall is made to the malicious implementation contract using the following JSON payload:
{
  "to": "0x96221423681a6d52e184d440a8efcebb105c7242", // Malicious Implementation Contract
  "operation": 1, // DelegateCall operation
  "data": "0xa9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be29695160000000000000000000000000000000000000000000000000000000000000000"
  // Encodes a call to transfer(address,uint256):
  // transfer(0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516, 0)
}
State Modification:
Within the malicious contract’s transfer function:
def transfer(address _to, uint256 _value) …
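A pre-signing check for the payload quoted above, as an added example that is not part of the original analysis: it decodes the calldata and flags the combination the page describes, a delegatecall (operation 1) carrying what looks like an ERC-20 transfer. The function names and the allowlist are assumptions made for illustration.

```python
# The page's "data" field, assembled from its three ABI words so the layout is visible.
DATA = ("0x" + "a9059cbb"                                         # transfer(address,uint256)
        + "0" * 24 + "bdd077f651ebe7f7b3ce16fe5f2b025be2969516"  # address, left-padded
        + "0" * 64)                                               # uint256 value = 0
PAYLOAD = {"to": "0x96221423681a6d52e184d440a8efcebb105c7242",
           "operation": 1, "data": DATA}

TRANSFER_SELECTOR = "a9059cbb"
# Assumption: contracts the signers have agreed may be delegatecalled. Empty here.
DELEGATECALL_ALLOWLIST = frozenset()


def decode_transfer(data):
    """Decode transfer(address,uint256) calldata into (recipient, amount), else None."""
    raw = data[2:] if data.startswith("0x") else data
    if len(raw) != 8 + 64 + 64 or raw[:8].lower() != TRANSFER_SELECTOR:
        return None
    addr_word, value_word = raw[8:72], raw[72:136]
    if int(addr_word[:24], 16) != 0:  # upper 12 bytes of an address word must be zero
        return None
    return "0x" + addr_word[24:].lower(), int(value_word, 16)


def review(tx, allowlist=DELEGATECALL_ALLOWLIST):
    """Return the findings a signer should see before approving this Safe transaction."""
    findings = []
    decoded = decode_transfer(tx["data"])
    if tx["operation"] == 1:
        # With delegatecall, the code at `to` runs against the wallet's own storage.
        if tx["to"].lower() not in allowlist:
            findings.append("DELEGATECALL to non-allowlisted target " + tx["to"])
        if decoded:
            findings.append("transfer-shaped calldata executes in the wallet's "
                            "storage context, not as a token transfer")
    if decoded and decoded[1] == 0:
        findings.append("transfer amount is 0, recipient " + decoded[0])
    return findings


if __name__ == "__main__":
    for finding in review(PAYLOAD):
        print("FLAG:", finding)
```
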

IoC
