Bybit Hack: $1.4B Crypto Heist via Safe's AWS S3 Bucket

Bybit, a leading cryptocurrency exchange, recently revealed that a $1.4 billion hack was not caused by a compromise of its infrastructure but rather by a vulnerability in a Safe developer machine. The attack was executed through Safe's AWS S3 bucket, allowing bad actors to manipulate the wallet front end.
According to the exchange's initial forensic report, the attack was carried out by submitting a disguised malicious transaction proposal that injected harmful JavaScript into key resources. This enabled the attackers to manipulate transactions. The forensic investigation conducted by Bybit and blockchain security firms Sygnia and Verichains reached the same conclusion as Safe.
The Safe report highlighted that the attackers designed the injected code to modify transaction contents during the signing process, effectively altering the intended execution. The malicious JavaScript code analysis revealed an activation condition tied to specific contract addresses, including Bybit's contract address and an unidentified contract address suspected to be controlled by the threat actor. This suggests the hackers employed a targeted approach rather than a widespread attack.
Shortly after the malicious transaction was executed and published, Safe uploaded updated versions of the JavaScript resources to its AWS infrastructure. These versions removed the injected code, indicating an effort to erase traces of the compromise. Despite this, forensic investigators identified the attack vector and linked it to the broader tactics used by the North Korean hacker group Lazarus, which is allegedly state-sponsored and notorious for leveraging social engineering and zero-day exploits to target developer credentials.
SlowMist founder Yu Xian said it's still unclear how the hackers tampered with the front end. He added that, in theory, anyone who uses Safe's multi-signature services could suffer the same exploit. He assessed that if the Safe front-end had performed basic subresource integrity (SRI) verification, the attack would not have been possible even if a malicious actor modified the JavaScript file.
Safe said it had initiated a comprehensive investigation to assess the extent of the compromise. The forensic review found no vulnerabilities in its smart contracts, front-end source code, or back-end services. Safe has fully rebuilt and reconfigured its infrastructure to mitigate future risks while rotating all credentials. The platform has been restored on the Ethereum mainnet with a phased rollout, incorporating enhanced security measures.
Despite Safe's and Bybit's reports concluding that the exchange was not compromised, Hasu, the strategy lead at Flashbots, believes they still need to be held accountable.
