Bybit Hack Analysis

Background introduction

On the evening of February 21, 2025, we detected a major security incident involving the Bybit exchange. At 02:16 UTC that night, we detected a large transfer initiated by the Bybit Cold Wallet, https://etherscan.io/tx/0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c ,

transferring 401,346 ETH, 8,000 mETH, 90,375 stETH and 15,000 cmETH worth about 1.5 BillionUSD. After multiple confirmations, it was determined that this was an attack on Bybit.

Background knowledge

Exchange wallet architecture

Usually, the wallet that can directly access the Internet is a hot wallet. Because of the need for frequent transfers, the private keys of hot wallets are usually online, and the funds in hot wallets are generally small, only needing to meet the daily flow of the exchange. The cold wallet of the exchange generally stores most of the funds of the exchange, which is equivalent to the corporate account of the exchange. Cold wallets are only used under special conditions, such as replenishing hot wallet funds. Therefore, cold wallets are generally offline wallets that do not directly contact the Internet; and the cold wallets used by most exchanges are multi-signature wallets. Bybit’s cold wallet is no exception, using the multi-signature wallet of safe.

Proxy Contract

Because the smart contracts deployed on the blockchain cannot be modified, but they usually encounter the problem of business changes, a design mechanism has been created, which is the proxy contract. The proxy contract is a design pattern that allows the business logic and storage data of the smart contract to be separated. Its core mechanism is to use a “proxy contract” as an intermediary layer to forward the user’s transaction request to the logic contract for execution, but the final state (data and assets) is saved in the proxy contract. Usually, proxy contracts are divided into transparent proxy, UUPS, Beacon, etc. The most common ones are Transparent Proxy and UUPS. All Proxy contracts need to set implementation, that is, the logic contract.

Attack and incident analysis

After our detailed analysis, the attacker’s attack was divided into three stages.

Phase 1

The attacker deployed an attack contract 0x96221423681A6d52E184D440a8eFCEbB105C7242 at 2025–02–18 03:29:11 UTC. The transaction for deploying the contract is https://etherscan.io/tx/0x84cd9d6cb84df9df4be638899f4a56053ed98042febd489ef3d51a3ed3652d40. We will call it attack contract 7242 later. Subsequently, the attacker deployed another attack contract 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516 at 2025–02–18 06:00:35 UTC. The transaction for deploying the contract is https://etherscan.io/tx/0xc47ac9038127cef763a1c9a33309a645c5a4fa9df1b4858634ae596ccc2aee5e . We will call it attack contract 9516 later.

Phase 2

The attacker made three multi-signature wallets of Bybit sign a transaction with the transaction hash of https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882. Let’s analyze this transaction in detail.

Through the execution flow of the transaction, we can see that this transaction is actually very simple. It is to get the signature of the multi-signature wallet for the transaction, and then call the Safe wallet to execute the transaction. The executed transaction is also very simple, that is, to call the transfer function of the attack contract 7242, and then the _to of the transfer function is the attack contract 9516, and the _value is 0.

Then, let’s look at the logic of the attack contract 7242 through decompilation.

Then, we see that the owner of the created Token is also the smart contract of the launchpad official website.

We can see that the transfer function of the attack contract 7242 is very simple, which is to change the slot0 of the contract to the first parameter recipient of the transfer function. Next, we continue to observe the execution process. First, the proxy contract of the safe wallet calls the impl contract of the safe wallet through delegatecall, and then the impl contract calls the attack contract transfer function through delegatecall. Because the principle of delegatecall is to use the context of the caller to execute the called code. Therefore, the context of executing the attack contract is the proxy contract of the safe wallet, so the modified slot0 is also the slot0 of the proxy contract of the safe wallet. Let’s continue to look at the code of the proxy contract of the safe wallet.

We found that slot0 of the proxy contract of the safe wallet is the logical contract address of the safe wallet. And because the function of the transfer function of the attack contract 7242 is to modify slot0. Then, after executing the above process, the logical contract address of the safe wallet has been modified by the attacker to the attack contract 9516. So far, this cold wallet of Bybit has been completely taken over by the attacker.

Phase 3

After taking over Bybit’s cold wallet, the attacker called sweepERC20 and sweepETH functions of attack contract 9516 to transfer all ERC20 Tokens and ETH in the cold wallet. At this point, the attack is complete. Let’s take a look at the specific implementation of sweepERC20.

Its function is to transfer the specified token balance in the specified cold wallet to the target wallet. The attacker transfers 90 USDT from the cold wallet,

8,000 mETH

90,375 stETH

15,000 cmETH

Next, let’s take a look at the specific implementation of sweepETH.

As you can see, the main function of this function is to transfer all ETH in the wallet to the address specified by the attacker. The attacker uses this function to transfer all ETH in the cold wallet, and the attack phase is now complete.

Discovered attack techniques

During the analysis, we found that the attacker’s methods were very meticulous. We will elaborate on our findings during the analysis:

1. The attacker first exploited the address 0x5C6120BA4C5B5E18DDcb9589e649e86EE6d540dD

Created a safe wallet for testing.

Then, the attack was rehearsed on the chain.

We can see the execution process of this function transaction.

Then, the sweepERC20 and sweepETH of attack contract 9516 were also used to test the withdrawal of coins in a block.

2. Attack contract 7242 and attack contract 9516 both have the function of modifying slot

The attacker did not directly call the complex attack contract, attack contract 9516, but called a simple attack contract 7242 similar to transparent proxy to modify the impl of the cold wallet. We speculate that the attacker may be worried that the contract function called is too complex and may trigger unknown protection or arouse the vigilance of relevant personnel. In addition, the attack function is named transfer, which is very confusing. After modifying the impl contract of the cold wallet, the attacker did not directly transfer a large amount of money, but first transferred 90 USDT. The large amount of money was completed later.

As you can see, the attacker first transferred a small amount of money for testing. To prevent accidents, large transfers were made after the blockchain was successfully uploaded. We can see that all large transfers were completed in a block number 21895251.

Unsolved mysteries

Why was the multi-signature mechanism easily breached by attackers? We have listed several possibilities:

1. First, the contract or front-end of the safe wallet suffered a supply chain attack. It is understood that bybit not only uses safe for ETH, but if this is the case, all wallets using safe will be emptied by attackers. And afterwards, safe also issued an announcement. After in-depth investigation, there was no supply chain attack on its front-end and contract.
2. One of the multi-signature holders was breached by the attacker, and the attacker used it to initiate a transfer, and other personnel signed without careful review. We analyzed that the private key holder of such a large wallet may need to communicate or conduct internal processes for all operations, so it should not happen that signing without knowing what the situation is.
3. All holders of the multi-signature were breached by the attacker, and the attacker used all multi-signature holders to sign and finally completed the attack.
4. The UI interface of the multi-signature was modified by the attacker in a targeted manner, misleading the multi-signature holders.
5. The attacker lurked in the internal system and launched a complete process.

At present, without more information disclosure, it is difficult to finally determine the method used by the attacker. But what is certain is that the attacker is very proficient in on-chain and off-chain attack methods through careful preliminary investigation, on-chain testing and experiments, and complex attacks against multi-signature holders or systems. We also look forward to bybit being able to disclose more information in the future, and we are willing to provide relevant technical support to bybit.

Summary

In this attack, Bybit exchange lost a total of $1.5 billion, which is the most costly attack on exchanges in history. In fact, similar attacks have also occurred in the Indian exchange WarirX. Exchanges are often the target of top attackers due to their huge funds, and may even be attacked by state-sponsored APTs. Therefore, exchanges should improve their security level from multiple aspects to reduce the risk of being attacked. But not limited to, devices used for multi-signatures (computers, mobile devices) are off-grid; transactions that need to be executed are simulated locally first to see if they meet expectations; and multiple and multi-party verifications are performed in the overall operation and daily content process. Finally, in Web3 security, no measure is a sliver bullet. It is necessary to continuously improve in the fight against attackers to remain invincible.

💬 Website 🐦Twitter