Security Community: Bybit attackers use "social engineering" techniques to mislead reviewers into mistaking contract changes for transfers

2025-02-22 12:46:10

Collection

ChainCatcher message, according to a post by the security community Dilation Effect on platform X: "Compared to previous similar incidents, in the Bybit incident, only one signer needed to be compromised to complete the attack, as the attacker used a 'social engineering' technique.

Analyzing on-chain transactions reveals that the attacker executed a malicious contract's transfer function through delegatecall. The transfer code modifies the value of slot 0 using the SSTORE instruction, thereby changing the implementation address of Bybit's cold wallet multi-signature contract to the attacker's address. The transfer here is very clever; it only requires dealing with the person/device initiating this multi-signature transaction, and the subsequent reviewers will significantly lower their guard when they see this transfer. Because a normal person seeing a transfer would think it's just a transfer, who would know it's actually changing the contract? The attacker's methods have evolved again."

(Source Link)

Related tags

Bybit multi-signature contract

ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.

Bybit theft incident tracking

On the evening of February 21, 2025, Bybit suffered a hacker attack, with over $1.4 billion worth of cryptocurrency assets stolen. How will the incident unfold, and what subsequent impacts will it bring?

Column