Bybit Hacked: SlowMist Exposes Malicious Contract

SlowMist, a leading blockchain security firm, has disclosed details of the recent hack incident on Bybit, a popular cryptocurrency exchange. The incident, which occurred on February 19 and 21, involved a malicious implementation contract deployed by an attacker.

The malicious contract was deployed at UTC 2025-02-19 7:15:23, with the contract address 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516. The attacker then used three owners to sign a transaction to replace the Safe implementation contract with the malicious contract at UTC 2025-02-21 14:13:35, using the contract address 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882.

The malicious upgrade logic was embedded in STORAGE[0x0] through DELEGATECALL, using the contract address 0x96221423681A6d52E184D440a8eFCEbB105C7242. The attacker used the backdoor functions sweepETH and sweepERC20 in the malicious contract to drain the hot wallet.

The incident highlights the importance of robust security measures in the cryptocurrency industry. As the market continues to grow, so does the need for enhanced security protocols to protect users and their assets. SlowMist's disclosure of the Bybit hack incident details serves as a reminder of the ongoing challenges in the field of blockchain security.