Record $1.46 billion stolen: Analysis and insights on the major cold wallet security incident


Analysis of the Large-Scale Fund Theft Incident Involving Bybit Cold Wallet

On February 21, 2025, the Ethereum cold wallet of a well-known trading platform suffered a serious security incident, resulting in a loss of approximately $1.46 billion in assets, one of the largest security incidents in Web 3.0 history.

Technical Analysis of Bybit Theft Incident: Device Intrusion May Be a Key Factor

Event Overview

At 14:16:11 UTC on the same day, the attacker, through a carefully designed phishing attack, induced the cold wallet signers to sign a malicious transaction. The transaction was disguised as a routine operation, but in reality it replaced the implementation contract of the Safe multi-signature wallet with a malicious contract containing a backdoor. The attacker then used this backdoor to transfer a large amount of assets out of the wallet.

Attack Details

  1. Attack preparation: Three days in advance, the attacker deployed two malicious contracts, which contained a fund-transfer backdoor and the ability to modify storage slots.

  2. Signature fraud: The attacker deceived all three owners of the multi-signature wallet into signing a transaction that appeared normal but was in fact malicious.

  3. Contract upgrade: By executing a delegatecall operation, the attacker changed the implementation contract address (masterCopy) of the Safe to the malicious contract address.

  4. Fund theft: Using the sweepETH() and sweepERC20() functions of the upgraded malicious contract, the attacker transferred all assets out of the cold wallet.

Vulnerability Analysis

The core vulnerability of this incident lies in a successful social engineering attack. Through a carefully designed interface, the attacker made the transaction appear as a normal operation in Safe{Wallet}, while the data actually sent to the cold wallet had been tampered with. The signers did not re-verify the transaction details on the hardware device, which ultimately allowed the attack to succeed.

Analysis indicates that this attack may have been planned and executed by a well-known hacking group, using methods similar to those seen in recent high-value asset theft incidents.

Lessons Learned

  1. Strengthen device security: implement strict endpoint security policies, using dedicated signing devices and temporary (ephemeral) operating systems.

  2. Enhance security awareness: conduct regular phishing simulations and red team defense exercises.

  3. Avoid blind signing: carefully verify the details of each transaction on the hardware wallet itself.

  4. Multi-layer verification: use transaction simulation and dual-device verification mechanisms.

  5. Be vigilant for anomalies: immediately terminate the transaction and start an investigation upon discovering any anomaly.
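Two of the points above, refusing delegatecall operations that can rewrite masterCopy and comparing what the UI claims against the payload the hardware device is actually asked to sign, can be turned into a pre-signing check. The following is an added example, not code from the page or from Safe; the SafeTx fields mirror the transaction parameters a signer sees, and the allowlist and sample payloads are constructed.

```python
# Added example (not Safe's code): pre-signing policy check for a Safe multisig
# transaction. Field names follow the SafeTx parameters a signer is shown; the
# allowlist and payloads are constructed for illustration.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER = "a9059cbb"  # 4-byte selector of transfer(address,uint256)


@dataclass
class SafeTx:
    to: str         # target contract address
    value: int      # wei sent with the call
    data: str       # hex calldata, "0x"-prefixed
    operation: int  # 0 = CALL, 1 = DELEGATECALL


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for a transfer(address,uint256) payload, else None."""
    hexdata = data[2:].lower() if data.startswith("0x") else data.lower()
    if len(hexdata) != 8 + 64 + 64 or hexdata[:8] != ERC20_TRANSFER:
        return None
    recipient = "0x" + hexdata[8 + 24:8 + 64]  # address is right-aligned in its 32-byte word
    amount = int(hexdata[8 + 64:], 16)
    return recipient, amount


def check_safe_tx(tx: SafeTx, allowed_targets, expected=None):
    """Return a list of findings; empty means the payload matches policy and, if
    `expected` (recipient, amount) is given, matches what the UI displayed."""
    findings = []
    # A delegatecall runs the target's code inside the Safe's own storage, so it
    # can rewrite the proxy's masterCopy pointer (storage slot 0), as in this incident.
    if tx.operation == DELEGATECALL:
        findings.append("operation=1 (delegatecall) can overwrite the Safe's masterCopy; refuse")
    elif tx.operation != CALL:
        findings.append(f"unknown operation {tx.operation}")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not on the signing allowlist")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None and tx.data not in ("", "0x"):
        findings.append("calldata is not a plain ERC-20 transfer; inspect it before signing")
    if expected is not None and decoded != (expected[0].lower(), expected[1]):
        findings.append(f"UI showed {expected} but the calldata decodes to {decoded}")
    return findings
```

The check is meant to run on the hardware-side decoded payload, so a UI that shows a routine transfer while submitting a delegatecall produces findings instead of a signature.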

This incident once again highlights the security challenges in the Web 3.0 space, particularly systematic attacks on high-value targets. As attack methods continue to evolve, trading platforms and Web 3.0 institutions need to comprehensively strengthen their security measures to cope with increasingly complex external threats.

Comments

SerumSurfer · 12h ago: Blind signing is just an IQ tax.
SleepTrader · 19h ago: The big melon on the chain has arrived.
GateUser-c802f0e8 · 19h ago: It's the fault of blind signing again!
MrRightClick · 19h ago: Another major vulnerability, I'm really impressed.
WhaleMinion · 19h ago: It's better to just rob a bank.
JustHereForAirdrops · 19h ago: Suckers suffer another year.
Layer2Arbitrageur · 19h ago: ngmi with that trash tier sig validation. literally burning money w/o multi-sig smh
GateUser-beba108d · 19h ago: Is the trap money method so simple?