• Articles: @officercia • Blog: officercia.mirror.xyz • X: x.com/officer_cia
FYI OpenZeppelin just launched a user-friendly interface to make it easily accessible: safeutils.openzeppelin.com
#security #privacy #opsec
A dev machine of Safe was compromised. This allowed access to AWS and their S3 bucket. Malicious JavaScript was pushed to the bucket and eventually distributed. The malicious JS code specifically targeted the Bybit contract address and changed the content of the transaction during the signing process.
#security #investigation
This is official. Safe UI has been compromised to attack Bybit…
Link: https://x.com/officer_cia/status/1894773005961527331?s=46
#security #investigation
Being sovereign over your resources is not an easy task, and the custody of one's own funds in Bitcoin, or any other crypto, is a burden that we are not used to. Here is an awesome solution! Make your cold wallet with washers ⬇️
Link: https://blockmit.com/english/guides/diy/make-cold-wallet-washers/
#security #opsec #privacy
Bybit CEO Ben Zhou launches LazarusBounty at http://lazarusbounty.com, the industry's first bounty site offering full transparency on sanctioned Lazarus money laundering activities, enabling bounty hunters to connect wallets, trace funds, earn instant rewards when freezes occur (with freezers receiving 5%), and access live rankings to expose bad actors. - 𝕏/@benbybit
More information: https://x.com/officer_cia/status/1894195644455080341?s=46
#investigation #security
Type: #multisig #delegateCall
Project: Bybit
Date: 21/01/25
Blockchain: ETH
Problem: Malicious delegate call upgraded storage of the multisig wallet.
The story of one of the biggest exploits in history. In this hack an attacker managed to get full access to the Gnosis multisig wallet of the Bybit CEX by receiving signatures from the signers for a malicious delegatecall. Bybit stated that it signed malicious data because of the UI compromise, which is the most likely scenario. I can assume that all devices of the signers were compromised to trick them. The signers approved a seemingly routine ERC-20 transfer as it appeared on the UI, but inside this data there was a delegatecall to the hacker's implementation; the call carried a regular transfer selector, however the recipient was the hacker's address and the amount was 0.
It's important to mention that the Gnosis multisig uses an upgradeable pattern. When a user creates a wallet, a new proxy is created which sets its implementation to the masterCopy address. This address holds all of the wallet logic and is stored in slot 0. Every time a user calls his Gnosis multisig wallet (the proxy address), the call is delegated to the masterCopy address.
And the hacker, by tricking the signers, was able to take advantage of this upgradeable design: with the malicious delegatecall to his own implementation, the hacker rewrote the masterCopy address at storage slot 0 to his own new implementation. After the implementation is changed, the hacker can execute any code, gaining full control over the multisig wallet.
The Hacker:
1) Tricked signers into signing malicious data.
2) Executed a transaction with the signatures, performing a delegatecall to an address controlled by the attacker, overwriting slot 0 and changing the implementation of the proxy to a malicious one.
3) Drained all tokens from the multisig to his wallet.
Discoverer: Lazarus group
Harm: 1.46 B $
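A toy model of the mechanism described above, added here as an example and not code from the original post or from Safe: it shows why a delegatecall to attacker code lands in the proxy's own storage slot 0 (the masterCopy pointer), and a pre-signing policy check of the kind a calldata preview tool can apply. Contract addresses are constructed placeholders, and the Python "selectors" stand in for real 4-byte function selectors.

```python
CALL, DELEGATECALL = 0, 1                  # Safe execTransaction `operation` values

MASTER_COPY = "0xMASTERCOPY_PLACEHOLDER"   # constructed placeholder, not a real address
ATTACKER_IMPL = "0xATTACKER_PLACEHOLDER"   # constructed placeholder
MULTISEND = "0xMULTISEND_PLACEHOLDER"      # constructed stand-in for Safe's MultiSend delegatecall target

class Contract:
    def __init__(self, functions=None):
        self.functions = functions or {}    # selector -> fn(storage, *args)
        self.storage = {}                   # slot -> value

def execute(caller, target, operation, selector, *args):
    # DELEGATECALL runs the target's code against the *caller's* storage;
    # CALL runs it against the target's own storage.
    storage = caller.storage if operation == DELEGATECALL else target.storage
    return target.functions[selector](storage, *args)

def honest_transfer(storage, to, amount):
    # Legitimate ERC-20 style transfer: touches only the token contract's bookkeeping.
    balances = storage.setdefault("balances", {})
    balances[to] = balances.get(to, 0) + amount
    return True

def malicious_transfer(storage, to, amount):
    # Same selector as transfer(address,uint256), so a tampered UI can show a routine
    # transfer; reached via DELEGATECALL, `storage` is the Safe proxy's storage and
    # slot 0 is the masterCopy pointer. `to` and `amount` are ignored (amount was 0).
    storage[0] = ATTACKER_IMPL
    return True

def new_safe_proxy():
    proxy = Contract()
    proxy.storage[0] = MASTER_COPY          # slot 0: implementation (masterCopy) address
    return proxy

def exec_transaction(proxy, chain, to, operation, selector, *args):
    # Model of Safe.execTransaction after the signature checks have passed: perform
    # `to.call` or `to.delegatecall` from the proxy's context, then report whether the
    # implementation pointer survived (False means slot 0 was overwritten).
    before = proxy.storage[0]
    execute(proxy, chain[to], operation, selector, *args)
    return proxy.storage[0] == before

def review_safe_tx(to, operation, delegatecall_allowlist=(MULTISEND,)):
    # Pre-signing policy check, the kind of thing a calldata/hash preview tool should
    # surface: a delegatecall to anything outside a short allowlist is rejected.
    if operation == DELEGATECALL and to not in delegatecall_allowlist:
        return f"REJECT: delegatecall to non-allowlisted address {to}"
    return "ok"
```

The same check maps directly onto the `operation` field of a real Safe transaction: a routine token transfer is a CALL (operation 0), so any DELEGATECALL (operation 1) shown by a hash preview deserves scrutiny before signing.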
Bybit releases blacklisted wallets API to aid recovery program
Bybit is offering a bounty of up to 10% of the stolen funds for white hat hackers who successfully recover crypto from the Lazarus Group.
https://ct.com/e1ql
Much thanks for mentioning my compilation! Check it out here: https://x.com/officer_cia/status/1893001903572951516?s=46
#security #opsec
Bybit offers 10% bounty to anyone who assists in recovering funds from $1.4 billion hack
Stolen money flow: https://x.com/officer_cia/status/1893289356049211886?12
#security #investigation
How GerboxFi secures their multisig: https://x.com/0xmikko_eth/status/1893078876256899426?1
#security #opsec #privacy
North Korea is likely behind the $1.5bn Bybit hack, researchers say
Safe is working to bring Safe{Wallet} back up, as we still don’t see any indication of compromise. But we want to be 100% sure and do some additional checks together with external security experts before we do so. Without any indication of how the hack happened it’s not prudent to have the UI up.
For now best to use the CLI (if possible) to interact with Safes as this does not depend on any services and can be run locally: https://docs.safe.global/advanced/cli-overview
ByBit CEO confirmed:
- All user funds are safe;
- ByBit Treasury has enough funds to cover full loss;
- They are taking a bridge loan from partners to cover ETH for now, already have 80% commitment;
- Withdrawals remain active.
1. Host your own version of the UI; it can even be built from an immutable source.
2. Isolate the machine used for signing, add a hardware key, and simulate the tx; check the hex shown on the hardware device against what is on the UI.
This tool safehashpreview.com would have stopped this attack.
#security #opsec
Hacker’s address list: https://hackscan.hackbounty.io/public/hack-address.json
#security #investigation
You asked, I answered – the legendary chat room is back! 🚀 The last one may be history, but this time, let’s make it last. Join the fun! 🎉 #ChatRoomRevival
Link: t.me/+C6RfnbB33AYzNGIy
#opsec #ai #web3 #crypto #offtopic
https://x.com/SDNYnews/status/1894115083917185039
I'll be writing an article about the wonderful gridplus wallet soon! Stay tuned!
By the way, if you manufacture similar equipment, you can send it to me for review. I finally have a shipping address in the USA!
• https://officercia.mirror.xyz/OJzFborIrcY66RAaQOGB81RCBzey99w_vbtSGKyHpKU
#security #privacy
Date: 2025-02-24
Bug bounty program was added to Remedy:
UFarm Digital
SlowMist published an article detailing the Bybit hack and existing questions. The core is that the Safe front end was tampered with and forged to achieve a deceptive effect. Questions include: Did the attacker obtain internal financial operation information in advance? Was Safe's front-end system hacked? Who initiated the signature request first? How secure is its device?
Good write-up by Rekt: https://rekt.news/bybit-rekt/
#security #privacy
All you need to know about Freysa Act IV - create your own AI agent, and stand a chance to win a prize pool of $240K
https://x.com/jinglingcookies/status/1893316084360458453
Additionally:
• Implement a bandwidth monitor (endian, lulu or littlesnitch);
• Use: dangerzone.rocks when working with PDFs;
• For multisig use: safehashpreview.com
#opsec #security
Yet another piece of amazing research on the topic: https://x.com/dhkleung/status/1893073663391604753
#security #privacy
Bybit hacker (per ZachXBT and Arkham, that’s Lazarus) becomes the 14th largest ETH holder, owning approximately 0.42% of total supply, more than Fidelity, Vitalik, and over twice the amount held by the Ethereum Foundation: https://x.com/officer_cia/status/1893038960412131683?s=46
#security #investigation
Which tools should you implement after this Bybit hack? Here they are: https://x.com/officer_cia/status/1893001903572951516?s=46
#security #privacy