Who should be responsible for the 1.5 billion dollars? A deep dive into the industry risks under Safe security issues
Author: Fairy, ChainCatcher
Editor: TB, ChainCatcher
The largest theft in history: Bybit was hacked for $1.5 billion, and the weak link turned out to be Safe, the most trusted multi-signature wallet on Ethereum. Safe ultimately failed to be as "Safe" as its name suggests.
As the largest smart account ecosystem on EVM, Safe hosts over 8 million smart wallets, storing hundreds of billions of dollars in crypto assets, with over 200 projects built on its foundation. Many DAOs, foundations, and large NFT projects regard it as a "vault-like" underlying custody solution. If such top-tier security infrastructure can be undermined, where does crypto security go from here?
Can Safe hackers steal everyone's money?
According to the investigation report, the vulnerability was not in the Safe smart contracts or in the front-end code itself; rather, the attackers compromised the devices of Safe{Wallet} developers and used that access to push disguised malicious transactions. They injected malicious code into the front end that intercepted and altered transaction parameters, which is how the funds were stolen.
In other words, in theory the attackers could have injected different malicious code for different users, meaning every project that relies on Safe's front end, API, and other user-facing services could face the same risk. The attackers, however, chose Bybit, the "fattest sheep," as their target, sparing other users for the time being.
By the same logic, not only external hackers but also members of the Safe team itself could in theory use similar methods to steal funds from Safe users.
Flowchart of the Bybit attack incident, image source: SlowMist
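The lesson of the attack path above is that a signer cannot trust what the front end displays. The following is an added example, not code from the article or from Safe: a signer-side check that compares the SafeTx fields actually presented for signature (the EIP-712 typed data a hardware wallet receives) against a payload agreed out of band. The field names follow Safe's SafeTx EIP-712 type; every address, value and the "tampered" message are constructed sample data.

```python
# Added example (not from the article): a signer-side check that compares the
# SafeTx fields presented for signature against an independently agreed payload.
# Field names follow Safe's EIP-712 SafeTx type; all values below are constructed.

CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation values

# The transaction the treasury team agreed on out of band (constructed sample).
EXPECTED = {
    "to": "0x1111111111111111111111111111111111111111",
    "value": 1_000_000_000_000_000_000,  # 1 ETH in wei
    "data": "0x",
    "operation": CALL,
    "nonce": 42,
}

# What a hypothetically tampered front end hands to the hardware wallet:
# same nonce and value as agreed, but a different target, extra calldata and
# a DELEGATECALL instead of a plain CALL (constructed sample).
PRESENTED_TYPED_DATA = {
    "primaryType": "SafeTx",
    "domain": {"chainId": 1, "verifyingContract": "0x2222222222222222222222222222222222222222"},
    "message": {
        "to": "0x3333333333333333333333333333333333333333",
        "value": "1000000000000000000",
        "data": "0xdeadbeef",
        "operation": "1",
        "safeTxGas": "0", "baseGas": "0", "gasPrice": "0",
        "gasToken": "0x0000000000000000000000000000000000000000",
        "refundReceiver": "0x0000000000000000000000000000000000000000",
        "nonce": "42",
    },
}

def check_safe_tx(typed_data: dict, expected: dict) -> list[str]:
    """Return the reasons to refuse signing; an empty list means all fields match."""
    problems = []
    if typed_data.get("primaryType") != "SafeTx":
        problems.append(f"unexpected primaryType {typed_data.get('primaryType')!r}")
    msg = typed_data.get("message", {})
    for field in ("to", "value", "data", "operation", "nonce"):
        got, want = msg.get(field), expected[field]
        # Addresses and calldata compare case-insensitively; numeric fields arrive as strings.
        norm = (lambda v: str(v).lower()) if field in ("to", "data") else (lambda v: int(v))
        if got is None or norm(got) != norm(want):
            problems.append(f"{field}: presented {got!r}, expected {want!r}")
    # Policy enforced by this example: a treasury transfer is never a DELEGATECALL.
    if msg.get("operation") is not None and int(msg["operation"]) == DELEGATECALL:
        problems.append("operation is DELEGATECALL; refuse to sign")
    return problems
```

Running `check_safe_tx(PRESENTED_TYPED_DATA, EXPECTED)` returns four findings (target, calldata, operation, and the delegatecall policy), each of which should block the signature on its own.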
Whose responsibility is it? Who compensates?
The security of Safe is directly related to a significant portion of the industry. If a similar incident were to happen to us, could we expect a wallet tool like Safe to provide compensation? Let's look at Safe's stance from the Bybit incident.
Reviewing the terms and conditions that users accept before using Safe, we find that Article 18 states:
(1) If the Safe{Wallet} application or service is provided to users for free, CC shall only be liable for intentional, gross negligence or CC's fraudulent concealment of significant or legal defects that may exist in the Safe{Wallet} application or service.
(2) If the Safe{Wallet} application or service is not provided to users for free, CC shall only be liable in accordance with (1) and for damages resulting from the violation of fundamental contractual obligations. CC's liability is limited to foreseeable, typically occurring damages. The compensation amount shall generally not exceed the total fees paid by the user to Safe in the year the damage event occurred, and damages resulting from violations of non-fundamental contractual obligations are excluded.
Additionally, in Article 20 it states:
If we fail to provide services or fulfill our obligations under this agreement due to actions beyond our reasonable control (including the occurrence of force majeure events) or if there is a delay in providing services, we shall not be liable to you, nor shall it be considered a breach of this agreement.
"Force majeure events" include but are not limited to: terrorist attacks, hacking attacks or cyber threats, civil war, riots or uprisings, war, threats of war or preparations for war, armed conflict, sanctions, embargoes, or severance of diplomatic relations.
From these terms, the allocation of responsibility is somewhat vague. If Safe acknowledges that this incident constitutes gross negligence, it will bear liability. However, under Article 20, if the hacking attack counts as a "force majeure event," Safe would not be liable for failing to fulfill its obligations under the agreement.
Community members have also expressed related views:
- Arthur, founder of DeFiance Capital, stated: "There won't be and shouldn't be compensation; it's a free service, not suitable for managing institutional-level funds. I've been saying for years that an ordinary multi-signature wallet is insufficient for managing large amounts."
- X platform user @jiyang0924 commented: "Safe probably won't have to compensate a penny; I learned from working at CEX that all suppliers, including Cobo and Copper, have disclaimers in their service agreements. Of course, I understand that practically, custodians can't promise compensation, otherwise the risk-reward balance would be off."
While Safe may escape legal liability, from a moral standpoint it should consider offering some compensation.
However, to date, they have not mentioned this matter…
The road to security is still long
Although Safe has taken comprehensive countermeasures and rebuilt all infrastructure, this incident has sounded an alarm for the entire crypto industry, revealing a harsh reality: security is not just a technical issue, but an ecological one.
The core of the problem is the need to establish multi-layered verification and audit processes while strengthening monitoring and early-warning mechanisms for proprietary assets. Relying on a single piece of software or a single platform to handle financial flows worth hundreds of millions or even billions of dollars is like dancing on the edge of a cliff. The security management model for large holdings urgently needs a thorough upgrade.
Security is the area that the crypto industry should delve into the most. The security of smart contracts does not equate to absolute safety; supply chain attacks, internal threats, and human errors can all become fatal weaknesses. For individuals, it is time to reassess how to store large amounts of funds and the security of on-chain finance and staking. Every crisis serves as a reminder: asset security should never be taken lightly.
Previously, Safe co-founder Lukas Schor stated in an interview that within three years, all on-chain wallets would become smart wallets. So, can this goal still be achieved now?