SlowMist: Had Bybit upgraded its Safe contract to version 1.3.0 or higher and implemented an appropriate Guard mechanism, it might have avoided the theft of $1.5 billion in assets

2025-02-26 16:49:20

ChainCatcher reports that, according to SlowMist, Bybit's on-chain multi-signature wallet was breached on February 21, 2025 in a targeted attack, with nearly $1.5 billion in assets quietly lost through a transaction carrying a "legitimate signature." Subsequent on-chain analysis revealed that the attacker gained multi-signature permissions through sophisticated social engineering attacks, implanted malicious logic using the delegatecall function of the Safe contract, and ultimately bypassed the multi-signature verification mechanism to transfer funds to an anonymous address. "Multi-signature" does not equal "absolute security": even a mechanism as secure as the Safe multi-signature wallet can still be compromised if it lacks additional protective measures.

Bybit is using version v1.1.1 (<1.3.0) of the Safe contract, which means it cannot use the Guard mechanism, a key security feature. If Bybit had upgraded to version 1.3.0 or higher of the Safe contract and implemented an appropriate Guard mechanism, such as a whitelist of addresses allowed to receive funds and strict ACL verification of contract functions, it might have been able to avoid this loss. Although this is only a hypothesis, it offers an important lesson for future asset security management.
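
The Guard policy described above (a recipient whitelist plus a per-contract function ACL, with delegatecall refused), written as a Solidity contract. This is an added example, not code from Safe, SlowMist or Bybit: the two hook signatures follow the Guard interface of Safe 1.3.0, while `AllowlistGuard`, `policyAdmin` and the policy mappings are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration; not Safe's, SlowMist's or Bybit's code.
// Hook signatures follow the Guard interface of Safe 1.3.0; the policy
// storage, names and admin model are assumptions made for this example.
contract AllowlistGuard {
    enum Operation { Call, DelegateCall } // ABI-compatible with Safe's Enum.Operation
    bytes4 private constant ERC20_TRANSFER = 0xa9059cbb; // transfer(address,uint256)

    address public immutable policyAdmin; // assumption: a separate multisig or timelock
    mapping(address => bool) public allowedRecipient;               // who may receive funds
    mapping(address => mapping(bytes4 => bool)) public allowedCall; // target => selector ACL

    error DelegateCallBlocked();
    error RecipientNotAllowed(address recipient);
    error FunctionNotAllowed(address target, bytes4 selector);

    constructor(address admin) { policyAdmin = admin; }

    function setRecipient(address who, bool ok) external {
        require(msg.sender == policyAdmin, "not admin");
        allowedRecipient[who] = ok;
    }

    function setCall(address target, bytes4 selector, bool ok) external {
        require(msg.sender == policyAdmin, "not admin");
        allowedCall[target][selector] = ok;
    }

    // Called by the Safe before execution; a revert here aborts the transaction.
    function checkTransaction(
        address to, uint256, bytes calldata data, Operation operation,
        uint256, uint256, uint256, address, address payable, bytes calldata, address
    ) external view {
        // This policy permits ordinary calls only; every delegatecall is refused.
        if (operation == Operation.DelegateCall) revert DelegateCallBlocked();
        if (data.length == 0) { // plain ETH transfer: the recipient is `to`
            if (!allowedRecipient[to]) revert RecipientNotAllowed(to);
            return;
        }
        if (data.length < 4) revert FunctionNotAllowed(to, bytes4(0));
        bytes4 selector = bytes4(data[:4]);
        if (!allowedCall[to][selector]) revert FunctionNotAllowed(to, selector);
        if (selector == ERC20_TRANSFER) { // token transfer: recipient is in the arguments
            (address recipient, ) = abi.decode(data[4:], (address, uint256));
            if (!allowedRecipient[recipient]) revert RecipientNotAllowed(recipient);
        }
    }

    function checkAfterExecution(bytes32, bool) external pure {}
}
```

Safe 1.4.x additionally expects a guard to implement ERC-165. Because the Safe's own `setGuard` call passes through the same ACL, a policy that does not allow it cannot be removed by the owners, so the guard's admin path needs the same scrutiny as the wallet itself.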
