1. Whenever you run into a hacking incident like this, first find the wallet involved. Exchange wallets are generally labelled on Etherscan and can be searched for directly.
Look at this unlucky wallet, labelled Bybit cold wallet 1: the remaining balance is a pitiful $22 or so, so the rest is most likely gone. Scroll down to the transaction history and, sure enough:
17 hours ago, the money in this wallet was swept out in a rush, like an autumn wind clearing away fallen leaves, without a single hair left behind.
2. The process of committing the crime
Now that we have found the wallet involved, we can analyze how the crime was carried out. First, let's see what kind of wallet this unlucky wallet actually is.
First of all, it is a smart contract wallet, which means it has code logic. A closer look at the verified source reveals the keywords "proxy" and "gnosis.io", so it is almost certainly a Safe wallet (formerly Gnosis Safe). For those who are not familiar with it: Safe is a multi-signature wallet that is widely used for institutional fund management. Crypto institutions either use a custodian or, if they manage funds themselves, generally use a Safe. Besides directly holding cryptocurrency, it is also used for all sorts of multi-signature operations, such as airdrops, upgrading contract code, changing vault strategies, and so on. Just understand that it is a very important wallet. The code has been on chain for 7 or 8 years, has lived through the ups and downs of the crypto world, and has never failed. It can fairly be called the evergreen pine of the crypto circle.
This is a big deal. The funds held in Safe wallets alone exceed 100 billion US dollars, not counting the various contracts that depend on them. If the underlying contract of this wallet were breached, the impact would be hard to estimate, far more explosive than the collapse of any single exchange. You may be wondering at this point: if the impact is really that big, wouldn't the crypto market crash?
Don't worry, let's continue. Knowing the wallet type, we can start analyzing the transactions:
The first few transactions are named sweepERC20 and sweepETH. You can tell from the names alone that they are taking the money out. Safe itself has no such functions, so let's set them aside for now. The transaction at the bottom is an execTransaction call, which is a genuine Safe function: every transaction a Safe makes goes through it. This must be the starting point of the case, so let's take a closer look. The transaction details are as follows:
Let's first examine the signatures in detail.
I read them carefully for a long time (I don't want to write out the details; I will expand on them if someone reads this), and I think they are fine. These are legitimate signatures. That means this transaction really did collect signatures from multiple wallet owners. Think of it as a safe with several keys, and this transaction really did collect the required number of keys. Well, at least we can be sure that the underlying Safe contract is still sound; the hacker instead found a way to obtain those keys and open this Safe. How did they get the keys? Let's leave that for later.
Now let's look at what this transaction actually does, and appreciate what the hacker did once the safe was open. The focus is on this part:
First of all, value is 0, which means the transaction itself sends no ETH. For a transaction whose job is to open the safe rather than to withdraw from it, that is normal: the actual withdrawals come later, through the sweep calls, and a large part of the holdings is interest-bearing stETH and similar tokens, which are moved by token calls rather than by the value field anyway. to is a smart contract, and data is the calldata sent to that contract. One more field deserves attention: operation. Safe supports both a plain Call (0) and a DelegateCall (1), and this transaction used DelegateCall, which means the target contract's code ran inside the wallet's own storage context instead of its own.
Put simply, function 0xa9059cbb (the standard ERC-20 transfer(address,uint256) selector) is called on contract 0x96221423681A6d52E184D440a8eFCEbB105C7242, with the address bdd077f651ebe7f7b3ce16fe5f2b025be2969516 as its first argument.
So let's first look at where this 0x96221423681A6d52E184D440a8eFCEbB105C7242 contract came from.
I opened it and found that its source is not verified, so it was probably deployed by the hackers. Since we cannot read the contract, is that the end of the road? No, no, no; you have surely already thought of it. Even without the source, we can see what this transaction changed on chain.
Take a closer look at the transaction's state changes and there it is: this transaction changed the proxy pointer. Briefly, Safe wallets are deployed in the proxy pattern to save gas and make upgrades easy. In simple terms, the wallet address that users interact with is a thin proxy that points at a separate piece of code (the singleton, or master copy).
The proxy at the wallet address holds only a tiny forwarding stub plus storage: the balances, the owners, the threshold, and, in storage slot 0, the address of the singleton it forwards every call to. Because the call above was a DelegateCall, the hacker's transfer() function ran with the wallet's storage, and what it actually did was write its address argument into that slot 0. With this one transaction the hacker swapped the code the wallet points to, so the wallet is no longer a Safe at all.
It now only looks like a Safe wallet; at its core runs the code the hacker deployed at 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516. You could say the hacker has taken possession of the wallet's body, and can now make it do whatever he likes.
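To make the mechanism concrete, here is an added example (not code from the original article, Safe, or Bybit) that decodes the inner call of that execTransaction and replays its effect against a toy model of the Safe proxy. The addresses, the 0xa9059cbb selector and the slot-0 effect are the ones described above; the uint256 argument is 0, as in the on-chain calldata. The storage model, the attacker_implant function body, the placeholder singleton address and the review flags are this example's own simplifications and assumptions, not a reproduction of the real contracts. The review_safe_tx function is the kind of check a signer (or a signing policy engine) could run on the raw payload, independently of whatever the web UI displays.

```python
"""Added example: decode the Bybit execTransaction inner call and replay it
against a toy Safe proxy.  No chain access; everything is modelled inline."""

DELEGATECALL = 1  # Safe Enum.Operation: 0 = Call, 1 = DelegateCall

# Known 4-byte selectors (first 4 bytes of keccak256 of the signature).
KNOWN_SELECTORS = {bytes.fromhex("a9059cbb"): "transfer(address,uint256)"}

# Values from the article; the trailing uint256 argument is 0 on chain.
IMPLANT_ADDR = "0x96221423681A6d52E184D440a8eFCEbB105C7242"
NEW_SINGLETON = "0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516"
CALLDATA = bytes.fromhex(
    "a9059cbb"
    "000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be2969516"
) + bytes(32)
# Placeholder (assumption) standing in for the genuine Safe singleton address.
ORIGINAL_SINGLETON = "0x0000000000000000000000000000000000000001"


def decode_transfer_calldata(data):
    """Split `selector || address || uint256` (68 bytes) into its parts;
    return None when the payload has a different shape."""
    if len(data) != 68:
        return None
    selector, word1, word2 = data[:4], data[4:36], data[36:68]
    if any(word1[:12]):  # an address is right-aligned in its 32-byte word
        return None
    return {
        "selector": selector.hex(),
        "function": KNOWN_SELECTORS.get(selector, "unknown"),
        "address": "0x" + word1[12:].hex(),
        "amount": int.from_bytes(word2, "big"),
    }


class SafeProxy:
    """Toy Safe proxy: storage slot 0 holds the singleton (master copy)
    address, and calls are forwarded to that code with the proxy's storage."""

    def __init__(self, singleton):
        self.storage = {0: singleton}

    def singleton(self):
        return self.storage[0]

    def delegatecall(self, code, calldata):
        # DELEGATECALL runs `code` against the proxy's own storage.
        return code(self.storage, calldata)


def attacker_implant(storage, calldata):
    """Model (assumption) of the unverified contract: the function behind the
    transfer() selector writes its address argument into storage slot 0 and
    moves no tokens, which matches the slot-0 change seen in the transaction."""
    call = decode_transfer_calldata(calldata)
    if call is None or call["function"] != "transfer(address,uint256)":
        raise ValueError("implant only implements transfer(address,uint256)")
    storage[0] = call["address"]
    return True


def replay(proxy, to, value, data, operation, code_at):
    """Apply one execTransaction whose signatures were already accepted and
    return (singleton before, singleton after)."""
    before = proxy.singleton()
    if operation == DELEGATECALL:
        proxy.delegatecall(code_at[to], data)  # callee runs in the wallet's context
    else:
        code_at[to]({}, data)  # plain Call: callee works on its own storage
    return before, proxy.singleton()


def review_safe_tx(to, value, data, operation, trusted_targets):
    """Red flags a signer or policy engine should raise on the raw payload."""
    flags = []
    if operation == DELEGATECALL:
        flags.append("DelegateCall: callee code runs with the wallet's storage")
    if to.lower() not in {t.lower() for t in trusted_targets}:
        flags.append("target contract is not on the allowlist")
    call = decode_transfer_calldata(data)
    if call and call["function"] == "transfer(address,uint256)" and call["amount"] == 0:
        flags.append("transfer() of 0 tokens is not a real transfer")
    if value and operation == DELEGATECALL:
        flags.append("ETH value attached to a DelegateCall")
    return flags


if __name__ == "__main__":
    proxy = SafeProxy(ORIGINAL_SINGLETON)
    code_at = {IMPLANT_ADDR: attacker_implant}
    print(review_safe_tx(IMPLANT_ADDR, 0, CALLDATA, DELEGATECALL, trusted_targets=[]))
    print(replay(proxy, IMPLANT_ADDR, 0, CALLDATA, DELEGATECALL, code_at))
```

The replay shows the point of the DelegateCall: with operation set to a plain Call the same calldata would only scribble on the implant's own storage, while as a DelegateCall it rewrites the wallet's slot 0. The three flags that review_safe_tx raises on this payload are all visible from the raw transaction fields, without any knowledge of the implant's source.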
Looking back at the wallet's sweep operations, it now makes sense: once the hacker had taken over the wallet, he ordered it to spit out the money, and the wallet obeyed every command.
Not a penny of the 1.5 billion dollars was left.
The $1.5 billion taken from Bybit is expected to be laundered over several years along the path ETH → BTC → fiat, and to end up funding the H plan of the "country of kindness". The exchange's security hole is also obvious: they thought three signatures made them absolutely safe.
In fact, if the one interface that every signer relies on to review a transaction is compromised, the whole scheme collapses instantly, however many signatures it requires.
The administrators signed in what looked like the normal Safe web interface, not knowing that the transaction being signed underneath had been swapped for another one. It is like building a chip out of PowerPoint slides: no matter how polished the interface looks, what runs underneath is something else entirely. To avoid pushing up the price of ETH, Bybit would rather borrow than buy coins on the market to fill the hole. Once the "country of kindness" starts selling that ETH, exchanges and hackers will trample each other on the way out, and the retail "leeks" get harvested again.
After the incident became public, ETH plunged, leveraged traders were wiped out, 170,000 accounts were liquidated within 24 hours, and the rooftop jokes started up again.
Bybit had always claimed its cold wallets were absolutely safe, and in the end it was exposed. However thick the safe, it cannot stop the people holding the keys from being tricked into turning them. Although Bybit lost a year's profit, users still rushed to withdraw. During the CEO's livestream the comments were full of cheers to hold on, a textbook case of Stockholm syndrome.