On February 22, the crypto industry was rocked by a staggering hack that resulted in the loss of approximately $1.4 billion in ETH. Bybit employed Safe—a smart contract wallet leveraging a multi-signature scheme requiring three out of six signers—to secure its assets. Despite this, the platform was compromised through a series of sophisticated steps that ultimately granted the attacker unauthorized control of the wallet’s funds. Notably, the attack is similar to previous incidents at WazirX ($230M) and Radiant Capital ($50M), both attributed to North Korean threat actors.
How the Exploit Unfolded
Safe smart contract wallets execute transactions through the execTransaction method, which can authorize standard transfers or other executions on the wallet contract.
The Bybit hack was a multi-layered exploit:
Malicious Transaction Creation: The attacker crafted a transaction designed to appear routine.
Signer Manipulation: The Safe user interface (UI) was manipulated to present the malicious transaction as a standard transfer of 30,000 ETH to Bybit’s ETH hot wallet.* Signers, accustomed to routine approvals, did not notice the discrepancy.
Ledger Signing: Even though signers used offline Ledger devices in accordance with internal approval protocols, the decoded transaction data deviated from what typically appeared in regular transactions.
Deceptive On-Chain Appearance: The final transaction appeared normal on-chain due to the use of the ExecTransaction method, which masked the redirection and concealed the exploit.
*At the time of the investigation, it had not yet been verified whether the UI was manipulated through an intrusion into Safe or Bybit systems.
What Bybit signers expected vs. what actually occurred: The Safe UI could have been manipulated to display misleading transaction details, causing signers to inadvertently approve a different transaction.
The Human Factor: How Bybit Employees Were Manipulated
In this incident, human oversight played a critical role. Employees observed what appeared to be a routine transaction on the SAFE Web UI—30,000 ETH moving from a cold wallet to a hot wallet—while in reality, they had approved an upgrade to the wallet’s proxy contract. Key factors that contributed to the breach included:
Manual approval of transaction details, despite secure offline storage of private keys on Ledger devices.
A design that allowed the malicious transaction to mimic regular activity on the user interface.
Three of the six signers approved the transaction without double-checking and decoding the details on their Ledger devices, opting instead to rely solely on the SAFE UI for verification.
A critical red flag being overlooked: the operation type in Exec Transaction was set to ‘1’ (delegate operation) instead of ‘0’ (standard transfer).
Source: Etherscan - Previous transaction from Bybit’s cold wallet using Exec Transaction Method to transfer assets.
Source: Etherscan - Malicious transaction from Bybit’s cold wallet using Exec Transaction Method to change smart contract proxy.
How Hex Trust’s Infrastructure Could Have Prevented This
Fully-licensed custodians have an intense focus on compliance, risk management, regulation, governance, security, and client servicing. These fundamental pillars, long proven in traditional finance, are integral to the safekeeping of digital assets. Hex Trust’s teams of risk management and security specialists continuously analyze both internal and external risks, ensuring that customer assets remain protected through robust processes, contingency measures, and an insurance safety net.
With reference to the Bybit hack, Hex Trust’s platform would have been immune to this type of exploit, due to several key design decisions:
No Reliance on Smart Contracts: Hex Safe does not utilize multi-signature smart contract wallets. This design choice eliminates risks associated with proxy contract upgrades, which can be manipulated in a single transaction.
Strict Transaction Controls: Hex Trust’s system prevents clients from transferring ownership of funds or accessing private keys directly. Withdrawals are executed directly by Hex Safe using a standard transfer method, eliminating reliance on proxy mechanisms like ExecTransaction.
Enhanced Transaction Decoding and Policy Enforcement: Hex Safe decodes all smart contract calls and sends the decoded content of the transaction to the UI, policy verification and approval. Transactions that cannot be decoded (e.g. due to an unknown smart contract ABI) are clearly flagged as risky and treated as "blind signing." In addition, users can request to activate transaction policies to automatically reject transactions that cannot be decoded.
Wallet Segregation and Independent Controls: Hex Trust’s wallets are segregated with independent keys and controls per wallet (e.g., Vault/Blockchain Asset), ensuring that even if one wallet is compromised, other assets remain secure.
Cryptographic Integrity: Once policies are verified, the transaction request is protected cryptographically so that nobody can alter it.
Rigorous Approval Verification: Hex Safe’s streamlined mobile app interfaces require comprehensive verification of transaction details. This minimizes the risk of deceptive approvals by enabling both initiators and approvers to review the full transaction context.
These design decisions combine to create a robust, multi-layered defence that protects digital assets and provides clear, transparent, and secure transaction processes—ensuring that such exploits are effectively prevented.
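The operation-type red flag and the decode-or-flag policy described above can be checked independently of any signing UI. The following is an added example, not code from Hex Safe, Safe or Bybit: it decodes raw Safe execTransaction calldata, flags operation 1 (delegate call), and treats anything it cannot decode as blind signing. The function names, the allowlist of known inner selectors and the sample addresses and payloads are assumptions constructed for illustration.

```python
# Added example; sample addresses and payloads are constructed values.
EXEC_TX_SELECTOR = bytes.fromhex("6a761202")  # Safe execTransaction(...) selector
CALL, DELEGATECALL = 0, 1                      # Safe operation types

def _u(args: bytes, i: int) -> int:
    """Read the i-th 32-byte ABI head word as an unsigned integer."""
    return int.from_bytes(args[32 * i:32 * i + 32], "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode to/value/data/operation from Safe execTransaction calldata."""
    if calldata[:4] != EXEC_TX_SELECTOR or len(calldata) < 4 + 10 * 32:
        raise ValueError("not a well-formed execTransaction call")
    args = calldata[4:]
    off = _u(args, 2)                          # offset of the dynamic `data` field
    n = int.from_bytes(args[off:off + 32], "big")
    data = args[off + 32:off + 32 + n]
    if off + 32 > len(args) or len(data) != n:
        raise ValueError("truncated data field")
    return {"to": "0x" + args[12:32].hex(), "value": _u(args, 1),
            "data": data, "operation": _u(args, 3)}

def review(calldata: bytes, known_inner_selectors: set) -> list:
    """Return policy findings; an empty list means nothing was flagged."""
    try:
        tx = decode_exec_transaction(calldata)
    except ValueError:
        return ["BLIND_SIGNING: calldata could not be decoded"]
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("DELEGATECALL: operation=1, not a standard transfer")
    elif tx["operation"] != CALL:
        findings.append("UNKNOWN_OPERATION")
    if tx["data"] and tx["data"][:4] not in known_inner_selectors:
        findings.append("BLIND_SIGNING: inner call selector not in known ABIs")
    return findings

def build_sample(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Construct sample calldata (empty signatures) for the checks above."""
    w = lambda x: x.to_bytes(32, "big")
    padded = data + b"\0" * (-len(data) % 32)
    head = [bytes.fromhex(to).rjust(32, b"\0"), w(value), w(320), w(operation),
            w(0), w(0), w(0), w(0), w(0), w(320 + 32 + len(padded))]
    return EXEC_TX_SELECTOR + b"".join(head) + w(len(data)) + padded + w(0)

if __name__ == "__main__":
    known = {bytes.fromhex("a9059cbb")}  # ERC-20 transfer(address,uint256)
    print(review(build_sample("11" * 20, 30_000 * 10**18, b"", CALL), known))
    print(review(build_sample("22" * 20, 0, bytes.fromhex("deadbeef") + bytes(64), DELEGATECALL), known))
```

A check like this is only useful when it runs on the exact bytes that will be signed, on a system separate from the UI that presented the transaction.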
Key Takeaways for the Industry
This incident reinforces several important lessons:
Clarity is Crucial: Transactions that are difficult to decode and understand pose significant risks. A clear, intuitive interface is essential to prevent manipulation. This could be achieved in Hex Safe via WalletConnect, where the dApp is connected to Hex Safe and the transaction is built on the dApp and signed by Hex Safe.
Human Oversight Must Be Supported by Technology: While human error cannot be completely eliminated, systems should be designed to minimize the reliance on manual verification where possible.
Security by Design: Robust transaction controls and cryptographic verification must be integral to custody infrastructure. At Hex Trust, these principles are at the core of our approach.
Continuous Vigilance: As hackers evolve their methods, so must our defences. Regular audits, threat assessments, and updates to security protocols are critical.
Ensuring Trust and Security
The Bybit hack is a reminder of the vulnerabilities inherent in digital asset management. At Hex Trust, we are committed to ensuring that our infrastructure not only meets but exceeds industry standards for compliance, risk management, governance, and security. By prioritizing the safekeeping and segregation of digital assets, we empower our clients to navigate the evolving crypto landscape with confidence.