Original | Odaily Planet Daily ( @OdailyChina )
Author | Asher ( @Asher_0210 )
Last night, Bybit co-founder and CEO Ben Zhou released a hacker forensics report provided by Sygnia and Verichains on the X platform , which revealed that the theft of funds was caused by a vulnerability in the Safe infrastructure. In addition, the malicious code was deployed at 15:29:25 UTC on February 19, specifically targeting Bybits Ethereum multi-signature cold wallet. Affected by this news, SAFE fell by more than 10% in a short period of time, and the price began to fall from $0.5 and fell below $0.44 in a short period of time.
Next, Odaily Planet Daily will sort out the Safe team’s response and community opinions after Bybit pointed out that Safe has a vulnerability.
Safe Project Introduction
Safe’s predecessor was called Gnosis Safe. The project was originally just a multi-signature tool for Gnosis team users to manage ICO funds, but later the team decided to promote this internal tool as a public service.
With the development of the project itself and the iteration of industry narratives (especially the rise of the concept of account abstraction), Safe is no longer a simple multi-signature tool, but has transformed into a modular smart contract account infrastructure. It hopes to gradually replace the current mainstream EoA accounts through default smart contract accounts, laying the foundation for the further popularization of cryptocurrencies.
Safe has only one round of public financing history. In July 2022, Safe announced the completion of a $100 million strategic financing, led by 1kx, with participation from Tiger Global, AT Capital, Blockchain Capital, Digital Currency Group, IOSG Ventures, Greenfield One, Rockaway Blockchain Fund, ParaFi, Lightspeed, Polymorphic Capital, Superscrypt and 50 other strategic partners and industry experts (the proud lineup of that year) .
Safe’s official response to the Bybit hacker forensic report: There are no vulnerabilities in the contract and front-end code
In response to the Bybit hacker forensics report, the Safe{Wallet} team immediately conducted a detailed investigation and analyzed the targeted attack launched by the Lazarus Group on Bybit (the Lazarus Group, also known as the Guardians or Peace or Whois Team, is a hacker group composed of an unknown number of people, allegedly controlled by the North Korean government. Although people know little about the group, researchers have attributed multiple cyber attacks to them since 2010) .
The hacking of the developer’s machine led to the theft of Bybit’s funds, and there were no vulnerabilities in the contract and front-end code. The team’s investigation confirmed that the attack was not achieved through the Safe smart contract or front-end code vulnerabilities, but by infecting the Safe{Wallet} developer’s machine, which then launched a disguised malicious transaction. The forensic analysis of external security experts did not find any security issues at the system or contract level, which shows that the root cause of the attack lies in the security vulnerabilities of the developer’s machine .
After the incident, Safe{Wallet} took comprehensive measures to rebuild all infrastructure, update credentials, and completely eliminate the attack vector. Currently, Safe{Wallet} has resumed normal operations on the Ethereum mainnet, using a phased rollout approach to ensure system security. At the same time, the Safe{Wallet} team will continue to promote transaction verifiability and is committed to improving the security and industry transparency of Web3. Although the Safe{Wallet} front-end is operating normally and has taken additional security measures, the team still reminds users to be extra careful and vigilant when signing transactions.
However, the incident report released by Safe was not widely recognized. The vague wording in the report was considered to cover up the core issues. As Binance co-founder CZ said on the X platform, While generally not criticizing other industry participants, multiple issues in the report were not clearly explained, leaving more questions than answers after reading it.
Why the Safe front end was tampered with still needs to disclose details
The Safe brand is only worthy of the smart contract part at present . SlowMist Yuxian posted on the X platform, Safe was finally hacked. It is true that the smart contract part is fine (it is easy to verify on the chain), but the front end was tampered with and forged to achieve the deceptive effect. As for why it was tampered with, wait for the official details of Safe to be disclosed.
Im afraid of alerting the enemy, so I just keep my eyes on Bybit, the big fat rabbit.
Safe is a kind of security infrastructure. Many people use the problematic version. In theory, all people who use this multi-signature wallet may be stolen like Bybit, but it is not triggered because it is not Bybit. Therefore, all other user interaction services with front-ends, APIs, etc. may have this risk. This is also a classic supply chain attack. Perhaps the security management model of huge/large assets needs a major upgrade.
In addition, community members pointed out that there are only two months left before the funding is unlocked, and the current negative impact has made the time pressure faced by Safe even more severe, and it remains uncertain whether it will be able to overcome this difficulty in the future.
summary
In this incident, Safe’s vulnerability exposed several key issues in the field of Web3 security, sounding the alarm for the entire industry.
First, the complexity management of smart contracts is crucial, especially in applications with complex functions such as multi-signature wallets. Although multi-signature wallets are designed to improve security, complex functions such as delegatecalls can easily lead to potential security vulnerabilities if they are not managed properly. Therefore, smart contracts must be rigorously audited and fully tested to ensure that no vulnerabilities are missed.
Secondly, the importance of front-end verification cannot be ignored. Hackers attack by tampering with the front-end interface, causing the loss of user assets, which exposes the weak link of front-end anti-tampering. In order to prevent such attacks, the verification mechanism of the user interface must be strengthened to ensure that each link can effectively identify malicious disguises and avoid users being misled when signing transactions.
Finally, perfect permission control and real-time risk scanning are the key to preventing similar incidents from happening again. The lack of detailed permission management and real-time monitoring systems makes it easy for attackers to break through the defense and perform malicious operations. Therefore, when designing and implementing smart contracts, it is necessary to introduce a multiple confirmation mechanism, provide additional protection for high-risk operations, and strengthen real-time risk monitoring to identify and deal with potential threats in a timely manner.
