A massive hack at the Bybit exchange has revealed significant security vulnerabilities within the platform. Hackers managed to steal $1.5 billion worth of Ethereum (ETH) 
$3,334. Analyst David Leung’s insights shed light on how the attack occurred and the mistakes Bybit made.
How Did the Bybit Hack Happen?
The Bybit hack utilized a method known as “Blind Signing.” This technique allows users to approve transactions without seeing all the details. Consequently, hackers accessed Bybit’s cold wallet containing the ETH and transferred the funds to a single account. They then dispersed the assets across multiple wallets to cover their tracks.
The attack involved two smart contracts that contained Trojan and backdoor elements. A seemingly harmless ERC-20 transfer was executed to deceive Bybit’s multi-signature wallet. Hidden within this transaction was a “delegate call” that altered the wallet’s master contract, granting hackers complete control.
Subsequently, the hackers quickly transferred ETH, mETH, stETH, and cmETH to other wallets. Bybit realized the situation after the transactions were executed, resulting in a massive loss.
Did Bybit Ignore Its Security Flaws?
Experts believe Bybit could have prevented the hack. According to analyst Leung, the following measures could have thwarted the attack:
- Warning for Off-List Contracts: Bybit should have noticed the transfer to a non-compliant ERC-20 contract.
- Delegate Call Control Mechanism: Many exchanges have security measures to prevent this; Bybit lacked such a mechanism.
- Independent Security Verifications: Additional checks could have been performed before and after signatures.
In the aftermath of the hack, Bybit offered a reward of 50,000 ARKM coins to track down the hackers. However, experts indicate that recovering the funds is challenging due to insufficient international regulations regarding cryptocurrency.
