#bybit被盗 The core of this attack exploited a vulnerability in the logic modification of the multi-signature cold wallet's smart contract, combined with UI masking for social engineering attacks. Here are the suggested investigation directions:

One, Attack Technique Logical Reasoning

1. Attack Vector: Multi-signature Smart Contract Permission Changes

Multi-signature wallets (such as Gnosis Safe) are typically managed by smart contracts and require multiple signers to approve transactions.

The attacker induced the signer to sign a transaction that modified the smart contract logic (e.g., changing contract ownership, withdrawal permissions, or upgrading proxy contract implementations).

It may involve calling functions like updateImplementation (proxy contract upgrade) or transferOwnership (permission transfer) to transfer control to the attacker's address.

2. UI Masking Attacks

The signer's interface (such as Safe Web UI or Bybit internal tools) was tampered with during transaction signing:

Visual Deception: The addresses and amounts displayed on the interface are legitimate (such as transferring to a hot wallet), but the actual signed transaction data has been replaced with malicious operations (such as modifying contract logic).

Domain Spoofing: Although the URL appears to be a legitimate domain (such as app.safe.global), the following possibilities may exist:

Signers accessed phishing websites (similar domain names or forged HTTPS certificates);

Browser plugins or local malware hijacked the page content;

DNS hijacking or Man-in-the-Middle (MITM) attacks.

3. Concealment of Signed Messages

The data of multi-signature transactions (calldata) may have been encoded or obfuscated, making it difficult for signers to intuitively identify the actual functions being called (e.g., real operations obscured by delegatecall through proxy contracts).

Ordinary users find it difficult to verify the underlying logic of transactions and rely on the information displayed by the UI, while attackers mask their true intentions by tampering with the UI.

Two, Technical Implementation Possibilities

1. Supply Chain Attacks

The multi-signature management tools used by Bybit (such as self-hosted instances of Safe, browser plugins, or internal systems) have been implanted with malicious code, tampering with transaction data.

May involve dependency library hijacking (such as malicious npm packages) or third-party service APIs being compromised.

2. Social Engineering Attacks

The attacker masquerades as an internal member or Safe official, sending forged signature request links to induce signers to approve malicious transactions.

3. Exploiting Smart Contract Vulnerabilities

The multi-signature contract has logical vulnerabilities (such as insufficient permission verification), allowing attackers to bypass signature verification through specific parameters.

Three, Suggested Investigation Directions

1. On-chain Data Analysis

Transaction Traceability: Check the contract call records of the attacked wallet (via Etherscan) to locate the specific transaction that triggered the vulnerability (such as upgradeTo or execTransaction).

Fund Tracking: Monitor the flow of stolen ETH (possibly through mixers, cross-chain bridges, or exchanges) and attempt to associate known black address patterns.

2. Internal System Audit

Signing Environment Check: Investigate whether there is malware, browser plugins, or abnormal DNS configurations on the devices of all signers.

Toolchain Review: Verify whether the multi-signature tools used (such as Safe code libraries, deployment scripts) have been tampered with and confirm the integrity of dependencies.

3. Review of Multi-signature Process

Permission Change Logs: Check for any unusual multi-signature proposals (such as contract upgrade requests) and analyze the identity and access logs of the proposal initiators.

Operation Process Verification: Confirm whether multi-signature approvals require a second manual verification of transaction data (such as displaying the original calldata).

4. Third-party Collaboration

Collaborate with the Safe team: Check if there are known vulnerabilities or similar attack cases with Safe.

Contact on-chain monitoring agencies: such as Chainalysis, TRM Labs, to assist in freezing funds or tracking hackers.

Four, Defense Improvement Suggestions

1. Strengthen Signature Verification Process

Require signers to manually decode transaction data (using independent tools like Etherscan's Calldata Decoder).

Set higher signature thresholds for sensitive operations (such as 5/7 multi-signature for contract upgrades).

2. Isolated Signing Environment

Use hardware isolation devices (such as air-gapped computers) to sign critical transactions, avoiding reliance on browser environments.

3. Real-time Monitoring and Alerts

Deploy smart contract monitoring tools (such as Forta Network) to trigger immediate alerts for permission change operations.