Recently, the Bybit theft shocked the crypto community and triggered a deep reflection on the security of Safe Wallet smart accounts. This article will explore in depth the role of multi-signature wallets and account abstraction technology in asset security, as well as how decentralized self-custody solutions respond to new attacks. We will analyze the entire incident, reveal the key strategies for protecting encrypted assets, and safeguard the security of your digital wealth.
On February 21, 2025, the cryptocurrency exchange Bybit suffered an unprecedented attack: hackers broke into the devices of Gnosis Safe developers, inserted malicious JavaScript code, and disguised transaction details, causing Bybit to lose about $1.5 billion. This incident is considered one of the largest thefts in the history of cryptocurrency, involving the North Korean hacker group Lazarus Group.
According to the forensic report released by Bybit (provided jointly by Sygnia and Verichains), the attacker broke through the multi-signature mechanism through sophisticated social engineering penetration and smart contract tampering, and finally completed the fund transfer.
As the industry’s leading multi-signature wallet solution, the Safe smart account has always been considered a safe fortress for crypto asset management. However, the Bybit incident exposed its fatal security vulnerabilities. The attacker did not directly attack the smart contract, but successfully hacked into the device of the Safe Wallet developer through a series of carefully designed social engineering methods.
The hacker manipulated the transaction signing process by injecting malicious JavaScript code into the Safe UI. When Bybit’s multi-signature wallet holders performed routine cold and hot wallet fund transfers, they saw a normal transaction interface, but actually executed a tampered malicious transaction. This UI manipulation attack is extremely well hidden, and even experienced exchange operation teams cannot detect it.
Specifically, the attacker deployed a malicious implementation contract, and then replaced the Safe contract with a malicious version through the signatures of three owner accounts. Subsequently, the malicious logic was injected into the specified storage slot using the DELEGATECALL instruction. Ultimately, the attacker successfully transferred about 400,000 ETH and other ERC20 tokens out of Bybit’s cold wallet by executing the backdoor function.
The success of this attack method not only exposes the vulnerability of decentralized self-custodial wallets at the user interface level, but also highlights the potential risks of cryptocurrency exchanges in the asset management process. Even the multi-signature mechanism, which is considered the most secure, can be breached by carefully designed UI deception.
Looking back on the development history of Safe Wallet, it first proposed the concept of smart contract accounts to deal with the single point failure and other hidden dangers of traditional multi-signature wallets. It has indeed gained the trust of many users in recent years, but it also exposed the technical problems of this mechanism in dealing with new types of hacker attacks.
In 2018, three blockchain developers Lucas, Mariano and Thomas launched the Safe project, aiming to solve the operational complexity of traditional multi-signature wallets. At that time, enterprise-level users needed to rely on hardware keys or third-party services to manage assets, while ordinary users found it difficult to master complex private key management technology. The Safe team proposed the innovative concept of “smart contract as wallet”, allowing users to control assets directly on the chain through preset rules (such as multi-signatures, time locks) without the participation of intermediaries.
In 2020, Safe released a test network and introduced Gnosis Chain as the underlying chain, significantly improving transaction speed; after the main network was launched in 2021, its multi-signature wallet supports the ERC-4337 standard and is compatible with mainstream DeFi protocols. As of 2023, Safe has integrated more than 1,000 DApps and managed assets of more than $20 billion, becoming one of the preferred tools for enterprise users.
Safe Wallet is a decentralized multi-signature wallet based on the Ethereum blockchain developed by Gnosis, which allows users to manage assets through smart contracts. Its core design is to require multiple authorized parties to sign transactions through a multi-signature mechanism, thereby reducing the risk of a single private key leak. According to Safe Global’s official documentation, its goal is to “make every transaction safer” and support modular design. Users can customize functions, such as adding automated transactions or integrating decentralized finance (DeFi) protocols.
Its core security mechanisms are as follows:
- Multi-signature permission control: Users can set multi-signature rules such as 2/3, 3/5, and even bind hardware wallets (such as Ledger) to enhance security.
- Smart contract audit: All code must be strictly reviewed by third-party institutions (such as Certik, Slither), and the community is encouraged to discover vulnerabilities through the “Bug Bounty” program.
- Emergency Pause Function: Administrators can freeze contract operations when anomalies are detected, but this permission is limited to specific scenarios.
It is worth noting that in the Bybit theft incident, Safe Wallet’s smart contract itself was not hacked. The vulnerability mainly lies in the insufficient protection of the front-end code and developer devices, which may exceed the expectations of many users.
But in any case, this incident does expose the complexity of Safe Wallet’s multi-signature technology in actual application - the multi-signature permissions are not properly restricted, resulting in hackers bypassing multiple layers of verification by forging signatures. This incident exposed three problems:
- Developer device security: The developer’s device was hacked, allowing hackers to insert malicious code, which emphasizes the importance of physical security.
- Front-end integrity: Users rely on the front-end interface to view transaction details. If the front-end is tampered with, it may lead to the signing of malicious transactions.
- Selective malicious code: Malicious code is only activated for specific targets (Bybit signers), which increases the difficulty of detection.
According to Cointelegraph, the Safe Wallet team quickly took the following measures after the incident:
- Rebuilding and reconfiguring infrastructure: The team rebuilt and reconfigured all infrastructure to eliminate potential attack vectors and ensure security.
- Rotating all credentials: All access credentials (such as passwords and keys) have been rotated to prevent any potentially leaked access from being exploited.
- User education and warnings: Gnosis Safe advises users to remain highly vigilant and “extremely cautious” when signing transactions to prevent similar attacks.
The incident sounded the alarm for Gnosis Safe, but also provided an opportunity for its future improvements. After the Bybit asset theft, the Gnosis Safe team took measures such as rebuilding infrastructure, rotating credentials and user education to enhance security and restore user trust. Although the incident has sparked controversy in the industry about its security, these actions show the team’s attention to the problem and its ability to respond quickly.
Of course, this incident has prompted the industry to re-examine existing security architectures and risk management strategies.
First of all, multi-signature wallets are no longer an absolute guarantee of security. This incident proves that even if a multi-signature mechanism is adopted, the entire security may still be breached if the signer is deceived or manipulated. This requires exchanges to introduce more verification layers and independent inspection mechanisms in the transaction approval process.
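One form such an independent inspection step can take, shown as an added example (not Safe's or Bybit's code): decode the raw execTransaction calldata outside the web UI and flag the DELEGATECALL pattern described earlier in this article when the target is not on an allowlist. The addresses, the allowlist and the build_sample helper are constructed for illustration; standard ABI encoding of the Safe execTransaction call is assumed.

```python
# Added example (not Safe's or Bybit's code): independent pre-signing check.
# Assumption: calldata is a standard ABI-encoded Safe execTransaction call.
EXEC_TRANSACTION = bytes.fromhex("6a761202")  # execTransaction selector
CALL, DELEGATECALL = 0, 1                     # Safe Enum.Operation values

def _word(body: bytes, index: int) -> int:
    """Return the 32-byte ABI word at `index`, rejecting truncated input."""
    chunk = body[32 * index:32 * index + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return int.from_bytes(chunk, "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Extract to / value / data / operation from execTransaction calldata."""
    if calldata[:4] != EXEC_TRANSACTION:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    offset = _word(body, 2)                   # head slot 2: offset of `data`
    if offset % 32:
        raise ValueError("misaligned data offset")
    length = _word(body, offset // 32)
    inner = body[offset + 32:offset + 32 + length]
    if len(inner) != length:
        raise ValueError("inner data truncated")
    return {"to": "0x" + body[12:32].hex(), "value": _word(body, 1),
            "data": inner, "operation": _word(body, 3)}

def review(calldata: bytes, delegatecall_allowlist: set) -> list:
    """Return policy findings; an empty list means nothing was flagged."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append(f"unknown operation {tx['operation']}")
    elif tx["operation"] == DELEGATECALL and tx["to"] not in delegatecall_allowlist:
        findings.append(f"DELEGATECALL to non-allowlisted target {tx['to']}")
    return findings

def build_sample(to: str, operation: int, data: bytes = b"") -> bytes:
    """Constructed test input: encodes only the fields this check reads."""
    pad = lambda n: n.to_bytes(32, "big")
    tail = pad(len(data)) + data + b"\x00" * (-len(data) % 32)
    head = [pad(int(to, 16)), pad(0), pad(320), pad(operation)]
    head += [pad(0)] * 5 + [pad(320 + len(tail))]
    return EXEC_TRANSACTION + b"".join(head) + tail + pad(0)

UNKNOWN = "0x" + "aa" * 20    # constructed address, not from the incident
KNOWN_LIB = "0x" + "bb" * 20  # constructed allowlisted library address
if __name__ == "__main__":
    print(review(build_sample(UNKNOWN, DELEGATECALL, b"\x01\x02"), {KNOWN_LIB}))
```

The check only has value if it runs on a machine and code path separate from the wallet front-end, so that tampering with the UI does not also change what the checker reports.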
Secondly, supply chain security and user interface protection are becoming more and more important. The attackers got in by hacking into the devices of Safe Wallet developers, highlighting that the security of every link in the entire ecosystem is crucial. Exchanges need to strengthen security audits of third-party service providers and establish stricter code review and deployment processes.
Faced with increasingly complex security threats, cryptocurrency exchanges need to continue to innovate and upgrade their security measures. For example, Gate.io, as an industry-leading trading platform, always puts user asset security first, and provides users with comprehensive asset protection through continuously optimized multi-signature wallet systems, strict third-party audits, and real-time risk monitoring.
This theft incident reveals the complexity and vulnerability of cryptocurrency security. Even multi-signature wallets can be breached by carefully designed attacks, highlighting the importance of comprehensive security measures. Faced with increasingly complex threats, exchanges need to continue to innovate security strategies, including strengthening supply chain security, optimizing asset management and real-time monitoring systems. This incident is not only a warning to Safe Wallet, but also an opportunity to promote the upgrade of the entire ecosystem, paving the way for safer crypto asset management in the future.
Risk Warning: The cryptocurrency market is highly volatile, and new security vulnerabilities may appear at any time. Even if comprehensive protection measures are taken, there is still a risk of asset loss.