Crypto hacks are predictable, both in terms of their frequency and methodology. When the target is a centralized exchange, you can pretty much write the script: Employee opens dodgy email. Employee gets phished. Hacker gains multisig control and diverts funds to their own wallet.
Which is what makes the Bybit hack so unusual. It’s not the size of the heist that’s noteworthy, significant as the $1.5B haul was, but the manner in which it was perpetrated. Normally, when the obligatory post-mortem is conducted by the exchange in question, it’s a mea culpa as a litany of opsec failures is laid bare. But in this case Bybit has walked away with its reputation largely intact, thanks to the widespread belief that it did little wrong.
While the sophisticated and unprecedented nature of the attack has given Bybit a hall pass, it hasn’t prevented some hard questions being posed about the industry’s default security model. If cold wallet storage secured by multisig isn’t enough to keep the world’s best hackers at bay, what is? It’s a conundrum that’s prompted industry-wide coordination from exchanges and custodians, who have a collective interest in ensuring February’s headline-grabbing heist remains a one-off.
Lazarus Group Resurrects Opsec Concerns
Hacks are as old as crypto itself – in fact, they even predate the internet itself, if you want to include phone phreakers in the list of mischief-makers exploiting technology for their own ends. All of the first wave of Bitcoin exchanges, from Mt Gox to Vircurex and Btc-e to Bitstamp, suffered a major incursion at some point – sometimes fatally, rendering them unable to continue trading.
The difference was that back then – and indeed up until very recently – the fault could invariably be traced back to human error of some kind; clicking a dodgy link; inadvertently publishing a private key to Github; misconfiguring a smart contract. But the Bybit hack hit different. Its employees followed proper procedure – the same procedure that had worked countless times in the past for them and every other exchange following the same methodology – and yet they still got rekt.
The root of the problem, as countless postmortems have revealed, was a bug in the third-party software developed by Safe, which is relied on by centralized and decentralized crypto businesses alike for treasury management. It’s since been patched, but its ability to have gone undetected for years has caused understandable consternation across the industry. If Safe isn’t safe, what is?
Don’t Trust, Verify
While Bybit has largely emerged from the debacle with its reputation intact, by its own admission it was not entirely blameless: it shouldn’t have trusted Safe’s software to be impregnable. As the old crypto maxim goes, “Don’t trust – verify.” As the industry searches for solutions to the attack vector that could have crippled any one of their number, the culprit isn’t a third-party software developer. Rather, it’s the practice of relying on third parties to keep systems bug-free and unexploitable at all times.
So what’s the fix? While the industry has yet to settle on a single solution – which is perhaps a good thing, given that doing so would create a single point of failure – there is a growing consensus emerging. Security experts (who emerge like cockroaches in the wake of a disaster to dispense sage advice) agree that exchanges need to implement new procedures.
Hindsight and Hackers
Needless to say, there has been no shortage of suggestions from security experts on how to prevent another major exchange hack from happening. There is broad consensus that the starting point should be to utilize enhanced multisig with timelocks in place. Experts propose implementing mandatory timelocks for critical operations, such as contract upgrades or large withdrawals.
A timelock would effectively provide a buffer period for security teams to review and halt suspicious transactions. In the case of Bybit, the attacker manipulated the multisig process by proposing a disguised malicious transaction. This could have been caught had a delay mechanism been in place allowing for manual or automated verification, akin to the timelocks that are in place on bank vaults.
The other area where there’s a concerted push for greater security concerns transaction signing, with a move to air-gapped systems that are isolated from the internet to reduce the risk of external interference. Other suggestions include harnessing machine learning for real-time threat detection to pinpoint anomalies before transactions are executed. This includes verifying recipient addresses against whitelists and attempting to detect unusual patterns of behavior.
Finally, Multi-Party Computation (MPC) has been proposed with the goal of ensuring private keys are split and encrypted across multiple parties. The idea is to eliminate single points of failure and ensure that a single compromised device can’t authorize a transaction.
An Industry-Wide Challenge
Useful as these technical solutions may be in fostering greater security, they need to be combined with better UX that makes it easier for exchange operators to understand precisely what they’re authorizing. The cause of the Bybit hack ultimately comes down to “blind signing” in which signers approved a transaction without fully understanding its implications due to a spoofed interface. Fixing this calls for parsing complex smart contract interactions in human readable terms.
What’s clear is that there’s no simple fix to the problem: complex challenges necessitate complex solutions. From adopting standardized security protocols across exchanges to greater real-time sharing of threat intelligence, there’s a lot that must be done to ensure Lazarus’s $1.5B heist remains their high watermark as opposed to a prelude to even more dastardly deeds.
This content is the opinion of the paid contributor and does not reflect the viewpoint of FinanceFeeds or its editorial staff. It has not been independently verified and FinanceFeeds does not bear any responsibility for any information or description of services that it may contain. Information contained in this post is not advice nor a recommendation and thus should not be treated as such. We strongly recommend that you seek independent financial advice from a qualified and regulated professional, before participating or investing in any financial activities or services. Please also read and review our full disclaimer.