
Deep Dive into the Bybit & Safe{Wallet} Attack: How Enterprises Can Build an "Encryption Security Fortress"?
TechFlow Selected TechFlow Selected

Deep Dive into the Bybit & Safe{Wallet} Attack: How Enterprises Can Build an "Encryption Security Fortress"?
Fundamental vulnerability: "What you see ≠ What you sign."
Author: Kane Wang, Safeheron CTO
Bybit Incident Overview
At 22:13 on February 21, 2025 (Singapore time), the Bybit team initiated a transfer from a cold wallet to a warm wallet using the multi-signature process of Safe{Wallet}. CEO Ben verified the destination address via Safe{Wallet}, but during final confirmation with Ledger, only contract interaction parameters were displayed instead of the full transaction details. This gap allowed attackers to exploit the system and successfully steal nearly $1.5 billion in assets.
On February 26, 2025, Sygnia released an investigation report confirming that hackers had deployed malicious JavaScript code targeting Bybit into Safe{Wallet}'s AWS S3 storage bucket. The primary purpose of this code was to effectively alter transaction content during the signing process. Meanwhile, Safe{Wallet} stated that its smart contracts were not compromised.
This incident bears similarities to the recent attack that caused Radiant Capital to lose $4.5 million, sounding a major alarm for the entire digital asset security industry.
Kane Wang, CTO of Safeheron (Asia's only open-source MPC-based self-custody digital asset security provider), has also conducted an in-depth analysis of this event:
Root Vulnerability: "What You See ≠ What You Sign"
The Bybit incident exposed a fatal flaw in wallet architecture: a significant gap between displayed transaction intent and actual executed operations, a problem prevalent across many wallet systems:
A. Compromised Infrastructure
Attackers hijacked the wallet’s UI (as in this case with Safe{Wallet}) or backend, enabling users to unknowingly approve malicious transactions disguised as legitimate ones. While smart contract-based wallet solutions (like Safe{Wallet}) excel at key sharding, they fail to fully address transaction integrity verification.
B. Ecosystem Compatibility Issues
The Bybit incident revealed critical flaws in ecosystem compatibility: even when using secure devices like Ledger, poor integration between different systems can still undermine security. In this attack:
· Safe's UI was tampered with: Attackers manipulated the displayed destination address to appear legitimate.
· Ledger's offline verification failed: As the last line of defense, Ledger failed to enforce a reliable "what you see is what you sign" mechanism. Due to poor compatibility with Safe's UI, Ledger only showed contract interaction parameters without clearly displaying transaction details, leaving critical information unverified.
The combination of Ledger and Safe was intended to enhance fund security through a "cold + warm" approach. However, we found significant gaps in integrated, defense-in-depth security design, exposing multiple unforeseen blind spots.
This incident underscores the need for institutional-grade wallets to adopt higher-level security measures to ensure transaction authenticity and resist sophisticated attacks in high-risk environments. Employing multi-layered security solutions is especially crucial against increasingly advanced attack techniques.
How Enterprises Can Build an "Encryption Security Fortress"
1. Multi-Device Signing:
Different signers should use separate hardware devices during transaction signing to avoid concentrating all signing operations on a single device, thereby reducing single-point failure risks.
2. Risk Exposure Focus and Systemic Protection:
Security infrastructure providers and exchanges should systematically identify risk exposure points and minimize them. In the Ledger+Safe setup, if Safe’s official UI is maliciously altered or subjected to network hijacking, risk exposure increases significantly. Exchanges must clearly understand which components are vulnerable when selecting solutions and strengthen defenses accordingly. For example:
· Security infrastructure providers can centralize risk exposure within their App, ensuring it has independent "what you see is what you sign" capability and TEE (Trusted Execution Environment) verification. Even if the server is hacked, customer assets remain secure. That is, even if internal personnel turn malicious or the provider is breached, as long as the wallet App functions normally, the provider cannot steal user keys or transfer customer assets.
In addition, providers should implement DevSecOps principles—secure app build environments, strict approval and validation processes—to further enhance system security. Risk exposure reduction and DevSecOps implementation are core principles consistently upheld by Safeheron.
· With cold wallet solutions, the cold wallet itself becomes the exposure point and should therefore offer user-friendly "what you see is what you sign" functionality, whitelist capabilities, and secure firmware updates to ensure safe usage.
3. Decentralized Fund Management:
Concentrating large sums in a single wallet poses high risk; once compromised, total loss may occur instantly. Therefore, funds can be managed in layers based on usage frequency—using "hot," "warm," and "cold" wallets. Even within cold wallets, further stratification of fund usage enables effective isolation.
If Bybit had distributed its $1.5 billion worth of ETH across wallets with varying usage frequencies, attackers would not have achieved a one-shot victory, potentially avoiding catastrophic losses—or even escaping unscathed—as attackers might have targeted other larger entities instead.
Institutional Wallet Security: Architecture Determines Survival
Building secure institutional asset management systems requires continuous investment. We predict future digital asset management trends will involve hot wallets adopting MPC-TSS multi-signature management, warm wallets combining multi-sig with risk control policies for fine-grained operations, and cold wallets utilizing institutional-grade solutions to achieve true offline "what you see is what you sign," continuously constructing multi-layered protection frameworks for user and institutional asset security.
About Safeheron
Safeheron is a digital asset security custody solution provider based on MPC+TEE and the world's first and Asia's only company to open-source a C++ MPC threshold signature protocol library.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














