Plain language explanation of the bybit fund theft process

1. The thief laid the mine in advance (deployed malicious contracts)

The hacker deployed a fake key factory (malicious contract) in advance, on February 19, 2025, at the address 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516, but did not use it yet.

2. Forged keys deceived the multi-signature review (tampering with the contract through an upgrade)

Key point: Bybit's wallet is a multi-signature safe (requires the consent of multiple bosses to unlock).

Attack time: On February 21, the hacker used the signatures of three bosses (possibly stolen or forged) to replace the original lock cylinder of the safe (the normal contract) with a fake lock cylinder (the malicious contract) that he had made himself.

Transaction record: This operation is recorded in the transaction with hash 0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882.

It is equivalent to a thief taking a fake key to the bank counter and saying "I am the boss, I want to change the lock", and the counter agreed without finding any abnormality.

3. Implanting a backdoor program (DELEGATECALL vulnerability)

Hacker method: Through DELEGATECALL (similar to a letter of authorization, which lets someone else's code act with your own storage), the malicious contract's address was secretly written into the core position of the system (STORAGE[0x0], the slot that tells the safe which code to run), which is equivalent to hiding a secret compartment in the safe.

Backdoor address: The controller of the secret compartment is 0x96221423681A6d52E184D440a8eFCEbB105C7242, which hides two backdoor functions: sweepETH (stealing ETH) and sweepERC20 (stealing tokens).

4. Directly empty the safe (withdraw assets)

The hacker activated the backdoor program and used these two functions to directly transfer the coins in the hot wallet, just like using a remote control to empty the safe with one click.
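As an added example (not part of the original post), a signer-side check for the pattern in steps 2 and 3: decode a Safe execTransaction() call and flag operation == 1 (DELEGATECALL), especially to a target outside an allowlist. The selector 0x6a761202 is Safe's execTransaction selector; the encoder, the payload bytes and the allowlist are constructed here for the demonstration.

```python
"""Decode a Safe execTransaction() call offline and flag a DELEGATECALL
to a non-allow-listed target, the signature of the Bybit contract swap."""
from dataclasses import dataclass

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # execTransaction(...)
CALL, DELEGATECALL = 0, 1                                # Safe "operation" values
# Malicious contract address from the write-up above.
MALICIOUS_IMPLEMENTATION = "0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516"

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int

def _word(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")

def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Read to/value/data/operation from the ABI head; the rest is gas params."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    to = "0x" + args[12:32].hex()          # address is right-aligned in word 0
    data_off = _word(args, 2)              # dynamic bytes: offset, then length
    data_len = _word(args[data_off:], 0)
    data = args[data_off + 32:data_off + 32 + data_len]
    return SafeTx(to, _word(args, 1), data, _word(args, 3))

def review_safe_tx(tx: SafeTx, allowed_delegate_targets: set) -> list:
    """Findings a signer should see before approving; empty list means benign."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("DELEGATECALL: target code runs against the Safe's own storage")
        if tx.to.lower() not in allowed_delegate_targets:
            findings.append(f"delegatecall target {tx.to} is not an allow-listed module")
    return findings

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Constructed sample encoder: zero gas params, empty signatures."""
    pad = lambda b: b + b"\0" * (-len(b) % 32)
    w = lambda n: n.to_bytes(32, "big")
    addr = lambda a: bytes(12) + bytes.fromhex(a[2:])
    data_off = 10 * 32                     # ten head words precede the tails
    sig_off = data_off + 32 + len(pad(data))
    head = (addr(to) + w(value) + w(data_off) + w(operation) + w(0) + w(0) + w(0)
            + addr("0x" + "00" * 20) + addr("0x" + "00" * 20) + w(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + w(len(data)) + pad(data) + w(0)
```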

#BybitHack #WalletSecurity