Top 5 Security Lessons for the Crypto World After Bybit Hack

While Bybit, one of the largest crypto exchanges in the world, is yet to release a detailed report on how they became the victim of the world’s largest heist, several lessons can already be drawn.
As reported, the people at Bybit responsible for signing an Ethereum (ETH) transaction worth tens of millions of USD, including Bybit CEO Ben Zhou, thought they were approving a legitimate transaction. However, the transaction they actually signed was fraudulent. Soon, the company was drained of 500,000 ETH, stETH, and mETH, worth more than $1.4 billion at the time of the theft. (stETH and mETH are tokens representing ETH that are used in staking, an activity that helps generate yield in some blockchains.)
Soon after, the wisdom of the crowd crystallized several lessons that can be learned from this painful incident, pointing at areas where the crypto industry must improve as soon as possible.
Here they are.
1. Make It More Simple
The Ethereum blockchain has often been criticized for its complexity, which opens more attack vectors than less complex systems such as Bitcoin (BTC).
“With [stablecoins]/ETH, you don't get a simple send-to address to approve on the hardware wallet. Instead, you get a bytestring with a bunch of gobbledegook that is much harder to verify. This is where the ETH complexity argument is correct,” Nick Neuman, CEO and co-founder of BTC and ETH custody solutions company Casa, said.
In other words, according to Rob Hamilton, CEO of AnchorWatch, a BTC insurance company, you are blind-signing state updates to a contract, as the complexity of Ethereum prevents you from analyzing what exactly you are agreeing to.
Therefore, the solution to the "multisig confirmation hack" problem is human-readable transactions, as Mikko Ohtamaa, co-founder of Trading Strategy, an algorithmic trading protocol, suggested.
“You need to have a trusted user interface, i.e., your hardware wallet, to be able to decode and tell you [what] the transaction is doing instead of hashes, domains, and other crap,” he said, stressing that developing human-readable Ethereum transactions would cost less than $10 million, which is less than 1% of Bybit’s losses.
2. Bitcoiners Should Stay Vigilant Too
Some Bitcoin advocates were quick to criticize the competing camp for its complexity and remind them of Bitcoin's robustness, trolling Ethereans along the way by suggesting they roll back their blockchain. That should not lull BTC users into complacency, however.
Casa’s Neuman emphasized that if your BTC wallet is browser-based, malware on your computer can still maliciously change the details of what you're signing.
“For example, it could change the [user interface] to show you sending BTC to a known address when the transaction actually goes to an attacker's address,” the CEO said, adding that there are a lot of browser-based multisignature options for BTC users.
“The hardware itself would show a different send-to address than your browser. Even then, it's easy to get lulled into not checking this regularly. Constant vigilance!” Neuman said.
3. Improve the Transaction Signing Process
The infamous transaction signing process at Bybit, which also involved their CEO, Ben Zhou, has been widely criticized, and industry players are sharing ideas on how it can be improved.
For example, David | crypto/acc (his profile name on X), founder of AITHOS, an AI agent company, suggested a three-step plan:
"1. Perform transaction simulation BEFORE any transaction is signed. Abort on unexpected changes.
2. Require proof of balance from the ledger system before signing transactions.
3. Define strict wallet flow policies (e.g., internal wallets can only transfer to internal wallets)."
"You'd be surprised how many wallet systems don't even do the above checks," he added.
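The three checks above can be expressed as a pre-signing gate. The following is an added example, not code from Bybit, AITHOS, SEAL or any wallet vendor: it first decodes an ERC-20 transfer from raw calldata into the human-readable form called for under lesson 1, then applies the three checks from the plan (abort when the simulation shows an unexpected balance change, require the ledger to confirm the balance, and allow internal wallets to transfer only to internal wallets). The `Tx` structure, the wallet addresses, the ledger balance and the simulated balance changes are constructed assumptions; only the ERC-20 `transfer(address,uint256)` selector is a real value. A real deployment would take the simulation result from a node and the balance from its own accounting system.

```python
"""Pre-signing checks for a treasury transfer (added example, not Bybit's, SEAL's
or any vendor's code). Tx format, addresses, ledger balance and simulation
results are constructed for illustration."""

from dataclasses import dataclass

# First 4 bytes of keccak256("transfer(address,uint256)"): the real ERC-20 transfer selector.
ERC20_TRANSFER_SELECTOR = "a9059cbb"


@dataclass(frozen=True)
class Tx:
    sender: str     # wallet whose signature is requested (constructed, 0x-prefixed hex)
    to: str         # account or contract the transaction is sent to
    value_wei: int  # native ETH attached to the call
    data: str       # hex calldata without the 0x prefix; "" for a plain ETH send


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """Build transfer(address,uint256) calldata: selector + two 32-byte ABI words."""
    return ERC20_TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_tx(tx: Tx) -> dict:
    """Turn the opaque bytestring into the fields a signer actually has to approve."""
    if tx.data == "":
        return {"action": "send_eth", "asset": "ETH", "recipient": tx.to.lower(), "amount": tx.value_wei}
    selector, args = tx.data[:8], tx.data[8:]
    if selector == ERC20_TRANSFER_SELECTOR and len(args) == 128:
        return {
            "action": "erc20_transfer",
            "asset": tx.to.lower(),            # the token contract being called
            "recipient": "0x" + args[24:64],   # address is right-aligned in the first word
            "amount": int(args[64:128], 16),
        }
    # Anything else would be a blind signature: report that instead of guessing.
    return {"action": "unknown", "asset": tx.to.lower(), "selector": selector, "recipient": None, "amount": None}


def human_readable(summary: dict) -> str:
    """The one line a hardware wallet should show instead of a hash."""
    if summary["action"] == "unknown":
        return f"UNDECODED call to {summary['asset']} (selector 0x{summary['selector']})"
    return f"{summary['action']}: {summary['amount']} of {summary['asset']} -> {summary['recipient']}"


def check_before_signing(tx, internal_wallets, ledger_balance, expected_deltas, simulated_deltas):
    """Return (approve, reasons). Any reason at all means the signer must abort."""
    reasons = []
    summary = decode_tx(tx)
    internal = {w.lower() for w in internal_wallets}

    # Flow policy: an internal wallet may only move funds to another internal wallet.
    if summary["recipient"] is None:
        reasons.append("calldata could not be decoded; refusing to blind-sign")
    elif summary["recipient"] not in internal:
        reasons.append(f"recipient {summary['recipient']} is not an internal wallet")

    # Proof of balance: the accounting ledger must show the sender can cover the amount.
    if summary["amount"] is not None and ledger_balance < summary["amount"]:
        reasons.append(f"ledger balance {ledger_balance} is below transfer amount {summary['amount']}")

    # Simulation: every balance change must be one the signer expected, and vice versa.
    for account in set(expected_deltas) | set(simulated_deltas):
        want, got = expected_deltas.get(account, 0), simulated_deltas.get(account, 0)
        if want != got:
            reasons.append(f"unexpected change for {account}: expected {want}, simulation shows {got}")

    return (not reasons, reasons)


# Constructed sample wallets and token contract.
COLD = "0x" + "c0" * 20
HOT = "0x" + "11" * 20
EXTERNAL = "0x" + "ee" * 20
TOKEN = "0x" + "70" * 20
INTERNAL_WALLETS = {COLD, HOT}
AMOUNT = 1000


def legit_example():
    """Cold -> hot top-up; the constructed simulation matches what the signer expects."""
    tx = Tx(COLD, TOKEN, 0, encode_erc20_transfer(HOT, AMOUNT))
    expected = {COLD: -AMOUNT, HOT: AMOUNT}
    return check_before_signing(tx, INTERNAL_WALLETS, 5000, expected, dict(expected))


def tampered_example():
    """Signer still expects the same top-up, but the bytes presented differ: the gate must refuse."""
    tx = Tx(COLD, TOKEN, 0, encode_erc20_transfer(EXTERNAL, 5000))
    expected = {COLD: -AMOUNT, HOT: AMOUNT}
    simulated = {COLD: -5000, EXTERNAL: 5000}   # constructed node result
    return check_before_signing(tx, INTERNAL_WALLETS, 5000, expected, simulated)


if __name__ == "__main__":
    for name, fn in (("legit", legit_example), ("tampered", tampered_example)):
        ok, reasons = fn()
        print(name, "APPROVE" if ok else "ABORT", *reasons, sep="\n  ")
```

The point of the design is that each check fails closed: undecodable calldata is refused rather than passed to the device as a hash, a recipient outside the policy is refused even if the simulation looks harmless, and any balance change not on the signer's expected list aborts the flow. Running it prints an approval for the first transfer and four abort reasons for the second.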
Additionally, Security Alliance, a crypto security-focused non-profit known as SEAL, advised using an isolated device (such as a Chromebook) for signing transactions and ensuring the device is kept up to date and not used for anything else. Also, according to them, factory resetting the device periodically (every 3-6 months) and ensuring that signers review the transaction details on the hardware wallet, not just the browser, might help as well.
"Conduct regular red team exercises to test signer preparedness towards malicious transactions, such as by inserting test transactions with unexpected parameters into the signing queue," they added. Also, SEAL has recommended conducting an internal review of all employees with production/IT access and determining if any have had contact with potential threat actors.
Two more suggestions by SEAL are:
- Review EDR [Endpoint Detection and Response] systems to ensure that no anomalous activities have taken place.
- Review devices/browsers to ensure that no unrecognized software/extensions have been installed.
Meanwhile, Charles Guillemet, CTO of Ledger, a hardware wallet manufacturer whose device was used by the Bybit CEO to sign the transaction, said that the company is working to provide ‘Clear Signing’ for the entire ecosystem.
"We encourage you to review our Clear Signing page and see how you can help push for all smart contracts to have Clear Signing. Since it is not currently available for all Ethereum smart contracts, blind signing remains an option, but at your own risk," Guillemet said, also announcing their upcoming "Transaction Check" feature. It should simulate the transaction before it is sent to the device and display a clear-signed transaction with a risk assessment.
4. Use What You Say You’re Using
Some industry experts noted that Bybit actually didn’t use a cold wallet and multisignature setup to send the infamous transaction.
According to Rytis Bieliauskas, co-founder of asd labs, a fintech and blockchain consultancy, the Bybit hack exposed that their "cold" wallet wasn't truly cold, and their multisignature setup had a single point of failure.
“A true cold wallet signs transactions offline. If signers used a web interface, it was vulnerable. Private keys must be generated and stored offline, with signatures created on air-gapped devices,” Bieliauskas said, stressing that this isn't optional, as it's the definition of cold storage.
When it comes to a multisignature setup, it should eliminate single points of failure.
“But if all signers rely on the same compromised interface, the security collapses,” the co-founder explained, also noting that third-party solutions are inherently risky and that convenience should never outweigh security.
5. Act Now
Possibly, the chief lesson is that it takes at least a $1 billion hack for the crypto industry to take already known security issues more seriously. As security experts stressed after the first details about the theft emerged on Friday, the company was exploited in a similar way as two other crypto platforms last year—WazirX and Radiant. Both companies lost a total of around $280 million after criminals interfered with their transaction signing process.
Therefore, the question is whether a $1 billion hack is enough for the industry to learn.
In either case, this isn’t an exhaustive list of all the lessons that can be learned from this major heist, as people will keep finding what can and should be fixed and improved. And, hopefully, they will.