Bybit's $1.4B Heist: The WYSIWYNS Vulnerability Exposed

Generated by AI Agent, Coin World
Wednesday, Mar 5, 2025 6:23 am ET

On February 21, 2025, at 22:13 Singapore time, a significant security breach occurred at Bybit, a popular cryptocurrency exchange. The incident involved a cold-to-warm wallet transfer using Safe{Wallet}'s multi-signature workflow, during which attackers exploited the process and successfully stole $1.4 billion in assets. An investigation by Sygnia confirmed that the AWS S3 bucket of Safe{Wallet} had been compromised, allowing hackers to deploy malicious JavaScript code targeting Bybit. The primary objective of this code was to alter transaction details during the signing process. Safe{Wallet} maintained that its smart contracts remained unaffected.

The Bybit breach highlighted a critical flaw in wallet architectures, known as the "What You See Is Not What You Sign" (WYSIWYNS) vulnerability. This flaw occurs when the displayed intent on a wallet's user interface or backend does not match the executed action. In this case, attackers manipulated the displayed destination address, making it appear legitimate, and Ledger's offline verification failed to effectively implement "what you see is what you sign" due to poor compatibility with Safe's UI. This incident underscored the importance of adopting robust multi-layered solutions to safeguard against sophisticated exploits in high-stakes environments.

Safeheron, a leading provider of institutional-grade cryptocurrency wallet solutions, has developed a military-grade security architecture to prevent such attacks at every layer. The architecture consists of three key components: Secure Multi-Party Computation (MPC), Trusted Execution Environment (TEE), and a Policy Engine. At the pre-approval stage, the Policy Engine blocks non-whitelisted transfers, ensuring that only pre-authorized addresses can receive funds. Multi-tiered approvals, time locks, and volume caps further mitigate human error or insider threats. The TEE and multi-signature process protect whitelist integrity by requiring multi-party consensus for adding or modifying whitelisted addresses and triggering instant alerts if unauthorized changes are attempted. Finally, every transaction is hashed, signed, and validated within an Intel SGX-secured TEE, ensuring that the UI-displayed data exactly matches the on-chain execution and eliminating discrepancies between intent and action.
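The mismatch between displayed intent and signed payload, and the pre-approval checks (whitelist, volume cap) described above, can be shown in a few lines. This is an added example, not code from Safeheron, Safe{Wallet} or Bybit: it derives the recipient and amount from the payload bytes instead of trusting the UI, and goes slightly beyond the article by decoding ERC-20 `transfer` calldata as well as plain transfers. The `Intent` and `Payload` structures, the function names and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

@dataclass(frozen=True)
class Intent:    # hypothetical: what the approver's screen displayed
    recipient: str
    amount: int

@dataclass(frozen=True)
class Payload:   # hypothetical: fields of the message handed to the signer
    to: str
    value: int
    data: bytes = b""

def erc20_calldata(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(recipient, amount): selector plus two 32-byte words."""
    return ERC20_TRANSFER + bytes.fromhex(recipient[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")

def effective_transfer(p: Payload) -> tuple[str, int]:
    """Derive (recipient, amount) from the payload bytes, never from the UI."""
    if not p.data:                                # plain native-asset transfer
        return p.to.lower(), p.value
    if p.data[:4] == ERC20_TRANSFER and len(p.data) == 68 and p.value == 0:
        if any(p.data[4:16]):                     # address word must be zero-padded
            raise ValueError("malformed address word in calldata")
        return "0x" + p.data[16:36].hex(), int.from_bytes(p.data[36:], "big")
    raise ValueError("calldata not understood, refusing to approve blind")

def pre_approve(intent: Intent, payload: Payload, whitelist: set[str], cap: int) -> list[str]:
    """Return policy violations; an empty list means the payload may be signed."""
    try:
        recipient, amount = effective_transfer(payload)
    except ValueError as exc:
        return [str(exc)]
    checks = [
        (recipient != intent.recipient.lower(), "displayed recipient differs from payload recipient"),
        (amount != intent.amount, "displayed amount differs from payload amount"),
        (recipient not in whitelist, "recipient is not whitelisted"),
        (amount > cap, "amount exceeds volume cap"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample values, not real addresses.
WARM, OTHER, TOKEN = "0x" + "11" * 20, "0x" + "ee" * 20, "0x" + "aa" * 20
shown = Intent(recipient=WARM, amount=500)
honest = Payload(to=TOKEN, value=0, data=erc20_calldata(WARM, 500))
swapped = Payload(to=TOKEN, value=0, data=erc20_calldata(OTHER, 500))
if __name__ == "__main__":
    for p in (honest, swapped): print(pre_approve(shown, p, {WARM}, cap=1000))
```

The check is only as trustworthy as the component that runs it: it has to execute somewhere the compromised front end cannot reach, which is the role the article assigns to the TEE.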

The Bybit incident served as a referendum on wallet design, highlighting the risks associated with different wallet types. Contract wallets, single-key wallets, and basic MPC wallets all have inherent vulnerabilities, such as upgradeable logic
