The recent $1.5 billion hack of cryptocurrency exchange Bybit has spotlighted vulnerabilities in the Safe{Wallet} system, challenging assumptions about the security of multi-sig wallets.
On February 21, 2025, Bybit suffered a massive security breach resulting in the theft of approximately 400,000 Ethereum tokens, valued at $1.5 billion. This incident is considered the largest digital theft to date.
The Bybit Hack: A Social Engineering Breakdown
The attackers employed a sophisticated social engineering tactic targeting a developer associated with Safe{Wallet}, a multi-signature wallet service used by Bybit. They tricked the developer into downloading a malicious Docker project, which compromised the developer’s machine.
Once inside, the hackers accessed Safe’s Amazon Web Services (AWS) code repository. They injected malicious JavaScript into the Safe{Wallet} user interface codebase, specifically targeting the interface used by Bybit. This code was designed to manipulate transaction data during the signing process.
During a routine transfer from Bybit’s cold wallet to a warm wallet, the compromised interface presented falsified transaction details to the signers. While the interface displayed legitimate information, the underlying transaction logic had been altered to redirect funds to the attackers’ addresses. The signers, deceived by the manipulated interface, unknowingly authorized the malicious transaction.
Safe{Wallet}: Perceived Security vs. Reality
Safe{Wallet} is renowned for its multi-signature (multisig) system, requiring approvals from multiple authorized parties to execute a transaction. This structure is designed to enhance security by ensuring no single individual has unilateral control over the assets.
However, the Bybit hack revealed a critical vulnerability: the practice of blind signing, where signers approve transactions without independently verifying the underlying details. In this case, the signers relied solely on the compromised interface, which misrepresented the transaction’s true intent. This lack of independent verification allowed the attackers to execute the fraudulent transfer without detection.
Cobo’s Solution: Enhancing Safe{Wallet} Security
Of course, the Cobo tweet is self-serving – as, in response to such vulnerabilities, the company has introduced the Cobo Safe{Wallet} Co-Signer, an enhancement to the standard Safe{Wallet} that adds an additional, independent layer of security. So how does it work?
Independent Verification: Unlike traditional multisig setups where all signers operate within the same environment, Cobo’s Co-Signer functions as a separate, autonomous entity. This means it can independently verify and approve transactions, adding an extra checkpoint to detect and prevent unauthorized or fraudulent activities.
Enhanced Security: By acting as an additional, independent approver, the Co-Signer reduces the risk associated with potential internal collusion or compromised signers within the primary environment. This separation ensures that even if one layer is breached, the Co-Signer can serve as a fail-safe to protect the assets.
This extra layer of oversight significantly enhances the overall security of the vault.
Conclusion
The Bybit hack serves as a stark reminder that even systems perceived as secure can harbor vulnerabilities, particularly when human elements like social engineering come into play. Given the sophistication of the Bybit hack, though, it’s unclear if an additional external signer would have made a difference, as the interface being presented to the Bybit signatories had been compromised at an infrastructure level likely beyond what a co-signer would have had oversight on.
Even so. enhancements such as Cobo’s Safe{Wallet} Co-Signer offer additional layers of protection, emphasizing the need for continuous innovation and vigilance in cryptocurrency security measures.
