Bybit exploit ties to Safe developer machine vulnerability

Bybit has revealed that the recent $1.4 billion hack was not a compromise of its own infrastructure, but rather stemmed from a vulnerability on a Safe developer machine.
According to the exchange’s initial forensic report, the attack was executed through Safe’s AWS S3 bucket, allowing bad actors to manipulate the wallet front end.
In a separate February statement, Safe said that the hackers used a compromised system to submit a disguised malicious proposal. This proposal introduced harmful JavaScript into key front-end resources, which allowed the attackers to manipulate transactions.
Safe and Bybit reached the same conclusions after conducting a forensic analysis.
Attack execution and forensic evidence
The Safe report highlights that the attackers designed the injected code to change transaction contents during the signing process, effectively altering what the signers intended to execute.
Publicly available web history archives and timestamp analysis indicate that the injection was made directly into Safe's AWS S3 bucket (Amazon Web Services' public cloud object storage service).
Analysis of the malicious JavaScript revealed an activation condition tied to specific contract addresses: Bybit's address and an unidentified address suspected to be controlled by the threat actor. Everyone else loading the front end saw unmodified behaviour, which indicates a targeted attack rather than an indiscriminate one.
Safe updated the JavaScript resource versions on its AWS infrastructure shortly after the malicious transactions were executed and published. These versions removed the code injection, showing an attempt to erase any traces.
The North Korean hacker collective Lazarus, which is said to be state-sponsored, has a reputation for using social engineering and zero-day exploits to target developer credentials.
The small security detail
SlowMist founder Yu Xian noted that it's still unclear how the hackers tampered with the front end. He said that anyone using Safe's multi-signature services could be affected by the same exploit.
According to Xian:
"What is terrifying is that all other user-interactive services with front-ends, APIs, etc. may be in danger. It is a classic supply-chain attack. The security management model for huge/large assets needs a major upgrade."
He added that if the Safe front-end had performed basic subresource integrity (SRI) verification, a "small security detail," the attack would not have been possible even if a malicious actor had modified the JavaScript file.
SRI verification is a browser feature built on cryptographic hashing: the page declares a hash of each script or stylesheet it loads, and the browser refuses to execute a fetched resource whose hash does not match. The check only helps when the HTML carrying the hash is served from somewhere the attacker cannot also modify, so the hash and the script must not share a single point of compromise.
Remediation and safe response measures
Safe has launched an extensive investigation to determine the scope of the compromise. The forensic analysis found no vulnerabilities within its smart contracts or front-end code.
Safe has completely rebuilt and reconfigured its infrastructure to reduce future risk, and all credentials have been rotated. The platform is now restored on Ethereum's mainnet, with a gradual rollout that incorporates enhanced security.
Although the Safe front-end is still functional, the report encourages users to use greater caution when signing any transactions.
Safe also stated that it is committed to leading an industry-wide effort to increase the verifiability of transactions. This initiative addresses a system-wide problem, focusing on security, transparency and self-custody in DeFi applications.
Lessons to be learned from the incident
Hasu, strategy lead at Flashbots, believes that even though Safe and Bybit concluded that the exchange's infrastructure had not been compromised, Bybit should still be held responsible.
He argued that Bybit's infrastructure was not sufficient to catch a "pretty simple hack" and that there is no excuse not to verify message integrity for transfers of over $1 billion.
Hasu added:
"I'm afraid if we put the blame on SAFE instead of Bybit here, we are learning entirely the wrong lesson from this as a space. Frontends must _always_ be assumed compromised. If your signing process doesn't accommodate that, you're ultimately still at fault."
Jameson Lopp, co-founder and chief security officer at Casa, pointed out that "a major lesson" from the Safe security incident is that no developer should have production keys on their machine. He recommended that deployment of production code be subject to peer review and involve multiple employees.
Mudit Gupta, chief information security officer at Polygon Labs, also criticised the fact that Safe's production site was accessible to only one developer, and asked why changes made to the stored objects were not monitored.