
When Multisig Becomes a Single Point of Failure, Where Should Safe Wallet Users Turn?
TechFlow Selected TechFlow Selected

When Multisig Becomes a Single Point of Failure, Where Should Safe Wallet Users Turn?
When multisig is no longer secure.
On February 21, 2025, the cryptocurrency exchange Bybit suffered a hacker attack that resulted in the theft of approximately $1.5 billion in assets. This incident not only set a new record for stolen cryptocurrency but also shocked the entire industry by bypassing multi-signature security mechanisms—long considered the industry standard.
Post-incident analysis revealed that hackers compromised the developer devices of Safe and modified the front-end JavaScript code on the Safe{Wallet} server. When Bybit’s multi-sig signers logged in, the interface displayed legitimate transactions, but what they actually signed were entirely different operations, leading to the loss of funds.
This event has prompted deep reflection: Is the multi-sig wallet itself the problem—or is it how we use it?
The Blind Spot of Security: The Invisible Single Point of Failure
After the Bybit incident, one question emerged: Is Safe truly secure?
To be clear, the Safe smart contract itself is secure. It is fully open-source, audited by multiple security firms, and has no major vulnerabilities in its operational history. However, security extends beyond just contract code.
In reality, risk spans a long chain of trust. When using a Safe wallet, signers rely on numerous components: signing devices, operating systems, browsers, wallet extensions, Safe UI, RPC nodes, blockchain explorers, hardware wallets, and their associated software. This chain is too long—attackers only need to compromise one link to reap massive rewards.
In the Bybit case, attackers targeted an apparently minor component: the web front-end. They infiltrated the Safe{Wallet} server and replaced the JavaScript. Users believed they were signing normal transactions, but in fact, they authorized malicious upgrades (changing CALL to DELEGATE_CALL).
Further analysis reveals that such vulnerabilities stem from "intersection points" within the trust chain. Multi-sig wallets are meant to establish a security chain where multiple parties independently verify each step, with each signer ideally using separate tools and verification methods. But in practice, signers often share the same web interface, the same set of RPC nodes, similar hardware wallets, and nearly identical validation processes.
This highlights a critical security flaw: when all signers depend on the same web interface, attackers need only control this shared single point to deceive everyone simultaneously. Importantly, this isn't a unique flaw of Safe—it's a widespread blind spot commonly overlooked in real-world multi-sig implementations.
These shared points are weak links in the security chain. Attackers need only breach one intersection to affect all parties.
The profound lesson here is that security is not a tool, but a systematic practice. Having top-tier multi-sig tools alone is insufficient; the key lies in how you build comprehensive security workflows around them.
This understanding is especially urgent for institutions and exchanges. Data from 2024 shows that crypto theft losses surged 67% year-on-year to $494 million, while the number of victim addresses increased by only 3.7%. Attackers have clearly shifted toward “precision strikes” on high-value targets, with the largest single theft reaching $55.48 million. Once your asset scale reaches institutional levels, you become a prime target for hackers—any security compromise could lead to disaster.
Bybit’s loss serves as the most sobering lesson and a wake-up call for the entire industry: true multi-sig security requires multiple independent verification paths—not just multiple signers. If everyone relies on the same information source, no number of signers can ensure real security.
In other words, Safe can be highly secure—but only if used correctly and with full awareness of every component in the security chain. This is especially critical for high-net-worth users.
MPC + Safe: A Stronger Security Combination?
If the $1.5 billion loss at Bybit taught us anything, it’s that we must rethink the essence of security: the strength of a multi-sig wallet lies not in the number of signers, but in the independence of verification paths.
When everyone views transactions through the same web interface, a perfect single point of failure is created. Hackers need only compromise this one point to deceive all signers—that was the truth behind the Bybit incident.
So how can we maintain the benefit of decentralized permissions in multi-sig setups while strengthening the independence of verification paths?
The combination of MPC and Safe may be the answer. This hybrid approach inherits the strengths of both technologies and could establish a fundamentally new security paradigm—one that directly addresses the issue of "shared trust points" in current multi-sig practices.
Cobo Portal’s MPC+Safe security design is built on two core principles:
Decoupled Verification Paths
In traditional multi-sig setups, all signers share the same interface, RPC nodes, and transaction parsing logic—creating dangerous centralized trust points. A more secure solution breaks this model by establishing isolated verification systems:
-
Separate signing infrastructure (e.g., MPC or HSM)
-
Self-hosted RPC node network (not relying on nodes provided by Safe)
-
Independent transaction parsing service layer (ensuring each signer sees the actual transaction content)
-
Dedicated approval interface completely isolated from the main web UI
Cobo’s “Safe{Wallet} Co-Sign” solution is developed precisely on this principle. It acts as one signer within a Safe multi-sig wallet but operates entirely independently from other signers.
Its working mechanism is as follows: Cobo Portal pulls pending transactions from Safe services, reviews them through an independent risk control system, signs via MPC or fully managed HSM wallets, and then returns the signature to the system.
In the context of the Bybit incident, even if hackers hijacked the Safe interface, Cobo’s independent verification system would still display the real transaction content and issue risk alerts.
Principle of Least Privilege
As a security product from Cobo, the Cobo Safe Permission Separation module implements a simple yet powerful concept: cold wallets should never require full permissions.
Take an exchange as an example. The primary function of a cold wallet is to transfer funds to hot wallets. Yet currently, whenever the hot wallet needs funds, administrators must activate the cold wallet’s full control—exposing unnecessary risk.
Cobo Safe offers a straightforward solution: create a special "restricted operator" role with only one permission—to send pre-approved whitelisted tokens to a designated hot wallet address. Day-to-day operations can be conducted through this low-privilege account, minimizing the need to access the main Safe wallet. Users can also customize blacklists and whitelists within Safe, including restrictions on callable target contracts, further tightening permission controls.
This means that even if hackers fully compromise the operator account, the only action they can perform is transferring funds to the exchange’s own hot wallet—no ability to modify wallet settings, no transfers to external addresses, and no access to non-whitelisted tokens.
Would the $1.5 Billion Theft Have Happened If Cobo Portal Had Been Used?
Once we understand how attackers operate, we can design effective defenses. Let’s simulate the attacker’s path and examine how Cobo Portal would have responded during the Bybit attack scenario.
Scenario Reenactment
Attack Step 1: Malicious JavaScript injected into Safe front-end
-
Under standard Safe multi-sig: All signers use the same compromised interface and see disguised transaction content;
-
Under Cobo Safe{Wallet} Co-Sign: Although the Safe interface is attacked, Cobo’s independent approval app remains unaffected and displays the real transaction content.
Attack Step 2: Fake transaction requests signatures
-
Under standard Safe multi-sig: Signers see a “transfer to hot wallet” request but unknowingly authorize a contract upgrade;
-
Under Cobo Safe{Wallet} Co-Sign: The independent verification path parses the actual transaction as a Delegate Call operation, triggering a risk alert in the app.
Attack Step 3: Collect signatures to execute attack
-
Under standard Safe multi-sig: Once enough signatures are collected, attackers gain control of the contract;
-
Under Cobo Safe{Wallet} Co-Sign: Real transaction content and warnings allow signers to detect the attack.
Attack Step 4: Bypass multi-sig defenses
-
Under standard Safe multi-sig: After gaining contract control, attackers can drain all assets;
-
With Cobo Safe integrated: Even if earlier defenses are breached, Cobo Safe’s permission separation ensures attackers can only perform pre-authorized actions (e.g., transferring to whitelisted hot wallets).
With Cobo Portal’s independent verification layer, the Bybit attackers would have been blocked at multiple stages. Notably, although Cobo Safe{Wallet} Co-Sign and Cobo Safe are separate products, combining them delivers a higher level of security. If the independent verification layer is breached, the permission separation system still effectively limits potential damage. Through this defense-in-depth strategy, the $1.5 billion loss could have been entirely prevented.
Security is like insurance. People only realize its importance after a disaster strikes.
Unfortunately, the industry has already paid astronomical prices, but these incidents offer us an opportunity to rethink crypto security: it’s an asymmetric game. Attackers need only find one vulnerability; defenders must protect every single point. When billions of dollars are at stake, elite hackers—and even nation-state actors with unlimited resources—will spend months or years studying your system to find that one weakness.
This is exactly why Cobo developed the Safe{Wallet} Co-Sign solution. We aimed to solve a core problem: How do we eliminate single points of failure? The answer lies in重构ing the entire verification process to achieve multi-layered protection. For institutions managing large assets, security is never the opposite of efficiency—it is the prerequisite. Without security, efficiency doesn’t matter.
We’ve been using this system internally at Cobo. After repeated security incidents across the industry, we realized these best practices shouldn’t remain exclusive. They should benefit more users. That’s why we’ve productized the solution and are offering a 30-day free trial. We hope it not only protects your assets but also evolves through your feedback into an even stronger security framework.
Security is not a one-time investment, but a continuously evolving process. As threats escalate, defenses must keep pace. Only through sustained focus and commitment can we truly withstand an ever-changing threat landscape.
If you manage large crypto holdings or are a high-net-worth individual, we invite you to try the Cobo Safe{Wallet} Co-Sign solution and share your experience with us. In the world of crypto, security will always be the most important thing.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














