“Cartesi co-founder Erick de Moura recently joined a BeInCrypto panel for an in-depth discussion of the Bybit hack with a group of guests, sharing his insights as an industry observer.”
Original article: https://beincrypto.com/bybit-hack-experts-debate-ethereum-security/
Key points of this interview
The Bybit security incident differs from traditional exchange breaches. It exposes the fragility of third-party transaction-signing tools: even when an exchange's own security measures are sound, a compromised integrated component can still create systemic risk.
Although the North Korean hacker group "Lazarus" acquiring a large amount of Ethereum does not directly affect the blockchain consensus mechanism, it raises concerns about market manipulation and the risk of attacks on Layer 2 protocols.
Industry experts emphasize the need to establish reproducible build processes, raise user security standards, and shift from a trust-based system to a verifiable security mechanism.
The recent $1.5 billion Bybit security breach has put the North Korean hacker group "Lazarus" among the top 15 Ethereum holders in the world. The breach sent shockwaves through the crypto space and alarmed users who had believed Ethereum was the most secure and decentralized network.
In a conversation with BeInCrypto, representatives from Holonym, Cartesi, and Komodo Platform discussed three core topics, including the potential impact of this security incident on the blockchain ecosystem, specific measures to prevent similar attacks in the future, and how to rebuild the public's trust in the security of the Ethereum network.
A different kind of security vulnerability
The Bybit hack shocked the crypto community, not only because of the scale of the stolen funds, but also because of the nature of the vulnerability.
Unlike other cryptocurrency exchange breaches such as the 2014 Mt. Gox incident or the 2018 Coincheck hack, which involved leaked private keys or direct breaches of exchange wallets, Bybit’s situation is unique.
The attacker did not steal a private key; instead, the attack manipulated the transaction signing process, which makes this an infrastructure-level attack. Its target was not the asset storage system itself but the signing workflow.
Forensic analysis of the Bybit incident revealed that the vulnerability lay in a multi-signature wallet provided by a third party. That system processes and secures transactions through smart contracts and JavaScript files stored in AWS S3.
By injecting malicious JavaScript code into the multi-signature wallet's AWS S3 storage, the hackers were able to covertly modify the content of transactions. So although Bybit's own systems were not directly breached, the hackers tampered with the destinations of transfers the exchange had approved.
This detail exposes a serious security flaw: even if the exchange's own systems are tightly protected, third-party integration services may still become a weak link.
Lazarus Group Ranks Among Top Ethereum Holders
After this unprecedented hack, the North Korean hacker group ranks among the top 15 Ethereum holders.
According to on-chain data, the Gemini exchange, previously ranked 15th, held 369,498 ETH in its Ethereum wallet. Since the Bybit hacker stole more than 401,000 ETH, the group's holdings now surpass Gemini's.
This fact has triggered a crisis of trust on several fronts: that Lazarus, a group behind many major attacks in the cryptocurrency field, now holds such a large amount of Ethereum is worrying in itself. Although initial speculation pointed to flaws in Ethereum's decentralized nature, Holonym co-founder Nanak Nihal Khalsa rejected this view.
Given that Ethereum’s governance and consensus mechanisms rely on validating nodes rather than token holders, Lazarus’s holding of a large amount of ETH does not undermine the overall decentralization of the network.
“Lazarus still holds less than 1% of all ETH in circulation, so I don’t think it has a real impact other than the surface data. Even though the amount is large, they still account for less than 1%. I have no concerns at all,” Khalsa told BeInCrypto.
Kadan Stadelmann, CTO of Komodo Platform, agreed, emphasizing that Ethereum’s infrastructure design is the fundamental weakness.
"This demonstrates the fragility of Ethereum's architecture: bad actors can further expand their holdings by attacking exchanges or DeFi protocols, thereby manipulating market dynamics, or even influencing Ethereum's off-chain governance decisions by voting on improvement proposals. Although Ethereum's technical decentralization has not been destroyed, Lazarus has substantially undermined the market's trust in Ethereum," Stadelmann pointed out to BeInCrypto.
However, while token holders cannot influence Ethereum’s consensus mechanism, they may still be able to manipulate the market.
Potential impact and market manipulation
Although the Bybit hacker has already laundered the stolen ETH, Stadelmann still outlined several scenarios in which Lazarus could use its vast holdings. The first is a staking attack.
“The security of Ethereum’s Proof of Stake (PoS) relies on honest validators and the robustness of wallets, exchanges, and dApps. While Lazarus’ holdings have not yet been used for staking and do not threaten the blockchain consensus mechanism, this possibility does exist. However, they are unlikely to carry out the operation because the stolen funds have been tracked and marked,” he explained.
In an equally unlikely scenario, the Bybit hacker could have triggered a major market drop by selling their holdings en masse.
“The ETH they hold does give them the ability to manipulate the market, such as by selling it all at once. But this is extremely difficult to do in practice because their ETH is marked and if they try to sell it through an exchange, their assets may be frozen,” Stadelmann added.
Looking ahead, Stadelmann is most concerned about the impact of the hack on Ethereum's Layer 2 protocols.
"Lazarus and its partners may attack Layer 2 protocols such as Arbitrum and Optimism. Censorship attacks on Layer 2 may destroy the dApp ecosystem and force the system to turn to a centralized sequencer, which will expose Ethereum's architectural weaknesses."
While the Ethereum network itself has not been compromised, the multi-sig wallet incident exposed deep vulnerabilities in the ecosystem.
"This attack has exacerbated ecosystem tensions and caused an imbalance in token distribution. The core question is: Will Lazarus or other hacker groups with national backgrounds launch new offensives against the Ethereum ecosystem (especially Layer2)?" Stadelmann concluded.
The incident also sparked widespread discussion about the urgency of strengthening security standards.
Verify over trust
Khalsa believes that while the Bybit hack does not threaten the core security of Ethereum, it highlights the need to improve user security standards.
"Blaming Ethereum for this attack is like blaming the car for a car accident caused by not wearing a seatbelt. Could the car have had more safety measures? Yes, and it should have. But just as seatbelts have little to do with the car itself, this attack has little to do with Ethereum. It is a protocol and it worked exactly as designed. The problem is the lack of convenience and expertise to safely custody digital assets," he said.
The incident specifically exposed the vulnerabilities of multi-signature wallets, demonstrating that even if an exchange has tight internal security measures, reliance on third-party integrations still poses significant risks. Ultimately, if the signature process can be compromised, even the most sophisticated wallet security measures will be ineffective.
Khalsa stressed that proven security measures for self-custody exist, and multi-signature wallets are not among them. He added that it is long overdue for government agencies to advocate for better security standards and practices.
“The impact we can hope for is a serious deterrent to North Korea stealing more funds. While governments have no power to change how self-custody is done, they absolutely have a responsibility to encourage better industry ‘best practices’. This attack stemmed from a fallacy about the security of hardware wallet multi-signatures. Sadly it took this attack to bring this to light, but better standards set by government agencies could encourage safer practices without the need for a $1.5 billion loss to alert the industry,” he asserted.
The incident also exposed the need to verify transactions rather than trust third-party applications.
Solutions to front-end vulnerabilities
By injecting malicious JavaScript code into a vulnerable multi-signature wallet's cloud storage, Lazarus launched a sophisticated attack that let it spoof the interface and deceive users.
Cartesi co-founder Erick de Moura pointed out that the exploit revealed a key weakness: in a system designed to be decentralized, there is still an over-reliance on centralized build and deployment processes.
"The multi-signature wallet incident is a sharp reminder that the security of Web3 depends on its weakest link. If users cannot verify whether the interface they are interacting with is authentic, decentralization loses its meaning," he said.
De Moura added that there is a common misconception in Web3 security that smart contract vulnerabilities are the most effective way to attack exchanges. Lazarus's strategy against Bybit proves otherwise: injecting malicious code into the front-end or other off-chain components is the easier path.
“Hackers don’t need to break into smart contracts or manipulate the Bybit system directly. They can simply inject malicious code into the front-end interface to trick users into thinking they are interacting with a trusted platform,” he explained.
Despite these vulnerabilities, the transition from a trust-based security model to a verifiable security model is still feasible.
The need for reproducible builds
De Moura sees the Bybit incident as a wake-up call for the Web3 community. As exchanges and developers reevaluate security measures, he believes that verifiable, reproducible builds are key to preventing future attacks.
"At the heart of reproducible builds is that when source code is compiled, the same binary output is always generated. This ensures that the software that users interact with has not been tampered with by a third party during the deployment process," he said.
Blockchain technology is crucial to making this process possible.
“Imagine a system where every software build generates binaries and resources in a verifiable manner, with their digital fingerprint (checksum) stored on-chain. Instead of running on vulnerable cloud servers or computers, these builds are executed via dedicated blockchain coprocessors or decentralized computing oracles,” De Moura explained to BeInCrypto.
Users could then use a browser plug-in or built-in function to compare the checksums of the loaded front-end resources with the on-chain record. A successful check indicates that the interface is the authentic build, while any difference indicates a potential intrusion.
“This attack could have been avoided if multi-signature wallets had been built using a verifiably reproducible scheme. The malicious frontend would have been immediately exposed as it would not have been able to verify the on-chain record,” De Moura concluded.
This approach offers an effective safeguard for users regardless of their level of self-custody expertise.
Filling user knowledge gaps
As attack methods become increasingly sophisticated, users’ lack of knowledge about secure custody of digital assets has become a major security risk.
The Bybit hack has frustrated users who believed that relying on third-party integration services would ensure the security of their assets, and has also affected the public's overall perception of cryptocurrency security.
“It shows that cryptocurrencies are still in their wild growth stages in terms of security. I think we will have better security in the coming years, but as it stands, the public’s concerns are completely justified,” Khalsa said.
Ultimately, the Web3 community must embrace diverse solutions to build a more secure and resilient ecosystem. Possible starting points include calling on the industry to raise its standards of practice and evaluating how verifiable, reproducible builds could be integrated.
About Cartesi
Cartesi is a powerful modular blockchain protocol that provides developers with a complete Linux environment and high-performance Rollup technology, designed to support the next generation of decentralized applications. By integrating Linux, the Cartesi Virtual Machine enables developers to build dApps using programming languages, tools, and code libraries that have been battle-tested for decades. Cartesi provides each dApp with an independent Rollup layer and dedicated computing resources, significantly improving computing scalability while ensuring decentralization, security, and censorship resistance.