Comment by fresh_geezer

4 months ago

Here is what the CEO wrote on X:

"Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe . However the signing message was to change the smart contract logic of our ETH cold wallet. This resulted Hacker took control of the specific ETH cold wallet we signed and transfered all ETH in the cold wallet to this unidentified address."

[yes, it says 'musked', assuming they meant masked. @safe is https://safe.global/wallet]

Unfortunately most hardware wallets can't interpret EVM smart contract transactions and ask you to sign a big binary blob that is supposed to match what you see on your computer screen (it's literally called blind signing). He said in the tweet and later on a live stream that they verified that the URL was correct, and there were several signers in different locations on different machines.

Logically the UI must have been manipulated for all of them, which I can think of a few different ways to do:

- The signing link was replaced somehow over whatever medium they sent it to each other, pointing to something that either looks like the original UI (perhaps IDN homograph domain) or is the actual site if it has some weakness that allows script injection to manipulate the page

- The server side was exploited to serve a manipulated page

- Client side malware that injects something in the browser to manipulate the page

- Some kind of network/DNS attack combined with mis-issued TLS certificate (or injected CA)

It points to some level of sophistication and long-term observation of their internal systems to know what the process looks like and devise an attack.

Will be interesting to read when/if they release a full analysis.

They could have used a hardware wallet like the Lattice1 from GridPlus, which actually shows the function parameters on a big screen instead of blind signing.

Oh, when I read this yesterday I assumed "musked" was a clever play on the idea that someone is tricked into agreeing to things against their interests.

One of the links says the following:

> According to crypto security firm Groom Lake, a Safe multisig wallet was deployed on Ethereum in 2019 and on the Base layer-2 in 2024 with identical transaction hashes. Ethereum’s alphanumeric transaction hashes are 64 characters long, so deploying the same smart contract transaction hash twice should be mathematically impossible.

> The same transaction hash appearing on both Ethereum and Base indicates an attacker could have found a way to make a single transaction valid on more than one network or could be reusing crypto wallet signatures or transaction data across networks, pseudonymous Groom Lake researcher Apollo said.

  • The quote is incorrect. If I deploy the same smart contract to two different EVM chains, from the same wallet, with the same nonce (pretend it's the first transaction I'm doing with this wallet on each chain, so nonce 0), then the transaction hash will be the same on both chains. That's not odd.

    • The contract address will be the same but the transaction address should be different because transactions include the chainid in them. Otherwise you could easily replay transactions on other chains.
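The two replies above turn on whether the chain ID is part of what gets signed. The following is an added example, not code from the thread or from Safe: it computes the CREATE contract address and the digest a signer commits to, once in the legacy form without a chain ID and once in the EIP-155 form. The sender address, the transaction fields and all function names are constructed for illustration; Keccak-256 and RLP are written out in pure Python because `hashlib.sha3_256` uses different padding.

```python
def rol(a, n):
    return ((a << n) | (a >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def keccak_f(s):  # added example: Keccak-f[1600] on 25 lanes, index x + 5*y
    R = 1
    for _ in range(24):
        C = [s[x] ^ s[x+5] ^ s[x+10] ^ s[x+15] ^ s[x+20] for x in range(5)]
        D = [C[(x+4) % 5] ^ rol(C[(x+1) % 5], 1) for x in range(5)]
        s = [s[i] ^ D[i % 5] for i in range(25)]                    # theta
        x, y, cur = 1, 0, s[1]
        for t in range(24):                                         # rho + pi
            x, y = y, (2*x + 3*y) % 5
            cur, s[x+5*y] = s[x+5*y], rol(cur, (t+1)*(t+2)//2 % 64)
        s = [s[i] ^ (~s[i//5*5 + (i+1) % 5] & s[i//5*5 + (i+2) % 5]) for i in range(25)]  # chi
        for j in range(7):                                          # iota
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            s[0] ^= (R >> 1 & 1) << ((1 << j) - 1)
    return s

def keccak256(data):
    buf = bytearray(data) + b"\x01" + b"\x00" * (-(len(data) + 1) % 136)
    buf[-1] |= 0x80                      # original Keccak padding (0x01 ... 0x80), rate 136
    s = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            s[i] ^= int.from_bytes(buf[off+8*i:off+8*i+8], "little")
        s = keccak_f(s)
    return b"".join(lane.to_bytes(8, "little") for lane in s[:4])

def _prefix(n, base):                    # RLP length header, short and long form
    if n < 56:
        return bytes([base + n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([base + 55 + len(nb)]) + nb

def rlp(item):                           # accepts int, bytes, or list of those
    if isinstance(item, list):
        body = b"".join(map(rlp, item))
        return _prefix(len(body), 0xC0) + body
    if isinstance(item, int):            # integers are minimal big-endian; 0 is empty
        item = item.to_bytes((item.bit_length() + 7) // 8, "big")
    return item if len(item) == 1 and item[0] < 0x80 else _prefix(len(item), 0x80) + item

def contract_address(sender, nonce):     # CREATE address: sender and nonce only
    return keccak256(rlp([sender, nonce]))[12:]
def signing_hash(tx, chain_id=None):     # EIP-155 appends [chain_id, 0, 0] before hashing
    return keccak256(rlp(tx + ([chain_id, 0, 0] if chain_id else [])))

SENDER = bytes.fromhex("6ac7ea33f8831ea9dcc53393aaa88b25a785dbf0")  # constructed sample deployer
TX = [0, 10**11, 10**6, b"", 0, b"\x60\x00"]  # constructed: nonce, gasprice, gas, to, value, data
```

With these values `signing_hash(TX)` contains no chain ID, so one signature over it is accepted by any chain that allows unprotected transactions, while `signing_hash(TX, 1)` and `signing_hash(TX, 8453)` (Ethereum and Base) differ. `contract_address(SENDER, 0)` is identical in every case because the chain ID never enters it.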