Safe traced the security loophole to its Wallet UI, while Bybit closed the $1.4 billion gap and launched a bounty protocol to track bad actors.
Ethereum-based crypto wallet protocol Safe implemented “immediate security improvements” to its multi-sig solution following a cyberattack on Dubai-based exchange Bybit on Feb. 21.
North Korea’s Lazarus stole over $1.4 billion in Ether (ETH) from Bybit’s Ethereum wallet by exploiting vulnerabilities in Safe Wallet’s UI. The infamous hacking group injected hostile JavaScript code specifically targeting Bybit, siphoning more than 400,000 ETH.
To prevent further attacks, Safe placed its Wallet in lockdown mode before announcing a phased rollout and a reconfigured infrastructure.
Martin Koeppelmann, co-founder of Safe, said the team developed and shipped ten changes to the UI, via a March 3 X.com post. The protocol’s GitHub repositories showed updates to “show full raw tx data now on UI” and “remove specific direct hardware wallet support that raised security concerns”, among other upgrades.
Bybit CEO Ben Zhou discussed the incident on the When Shift Happens podcast with host Kevin Follonier, explaining that the attack occurred shortly after he signed a transaction to transfer 13,000 ETH.
Zhou mentioned using a Ledger hardware wallet but noted that he couldn’t fully verify the transaction details. The issue, known as “blind signing”, is a common vulnerability in multi-sig crypto transactions. Safe’s latest updates aim to provide signers with more detailed transaction data, according to Koeppelmann.
In response to a post from Kyber Network CEO Victor Tran regarding industry-wide security efforts, Koeppelmann emphasized the importance of collaboration but noted that immediate damage control remains the priority.
“We are still in the “putting out fire” mode – but once we have that behind us we need to come together and improve overall frontend and tx verification security,” Koeppelmann stated, adding that “This will take involvement of many parties to solve it for good.”
