# A Deep Dive into the Exploited Cryptographic Technology

**Published by:** [fabian](https://paragraph.com/@fabiancreative-operations.group/)
**Published on:** 2025-02-22
**Categories:** multisigs, delegatecall, injections
**URL:** https://paragraph.com/@fabiancreative-operations.group/a-deep-dive-into-the-exploited-cryptographic-technology

## Content

In a recent high-profile security breach, Bybit's Ethereum multisig cold wallet was compromised, leading to unauthorized fund transfers. The attacker managed to deceive the signing process by manipulating the interface and altering the underlying smart contract logic. While the breach did not stem from a direct cryptographic failure, it exposed vulnerabilities in the transaction approval process and multisig smart contract implementation.

## 1. Understanding Multisig Wallets and Their Cryptographic Basis

Multisignature (multisig) wallets are smart contracts that require multiple signatures to authorize transactions. Bybit likely used a Gnosis Safe or a custom Ethereum-based multisig setup, relying on the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction validation.

How ECDSA works in multisig wallets:

- Each signer possesses a private key used to generate a unique digital signature.
- The transaction data is hashed using Keccak-256, ensuring data integrity.
- The Ethereum `ecrecover()` function recovers each signer's address (derived from the signer's public key) from the provided signature and the signed hash.
- If enough valid signatures are detected (e.g., 2-of-3 or 3-of-5), the contract executes the transaction.

Despite the robustness of ECDSA, the attack targeted the signing process and contract execution logic, not the cryptographic algorithm itself.

## 2. How the Bybit Attack Was Executed

The attack involved deceptive transaction signing, where the displayed transaction details differed from the actual smart contract execution. Here's how the breach likely occurred:

### A. UI Spoofing: Tricking Signers Into Approving a Malicious Transaction

- The attacker manipulated the signing interface, displaying a legitimate transaction while modifying the underlying smart contract logic.
- Signers, believing they were authorizing a routine transfer, unknowingly approved a transaction granting the attacker control over the cold wallet.

### B. Smart Contract Manipulation: Exploiting Delegatecall and Upgradeable Proxy Patterns

**Delegatecall exploit:**

- The attacker could have embedded a malicious contract that used `delegatecall`, allowing them to execute unauthorized code within the multisig contract's context.
- This method can override critical functions, such as updating wallet ownership or modifying approval mechanisms.

**Upgradeable proxy manipulation:**

- If Bybit's wallet was proxy-based, the attacker could have executed an upgrade to a contract under their control, altering transaction validation logic.
- This would have allowed them to inject a new transaction approval mechanism that bypassed legitimate signers.

### C. Private Key Exposure or Malicious Signature Injection

- If an internal system handling signature validation was compromised, the attacker might have inserted their own signature into the transaction, effectively reducing the required threshold for approval.
- Alternatively, an inside attacker might have colluded to approve a fraudulent transaction.

## 3. The Role of Cryptography in the Attack

Despite the breach, the core cryptographic mechanisms, including ECDSA and Keccak-256 hashing, remained secure.
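The following added example (written for this edit; it is not code from the post, from Bybit, or from any wallet vendor) shows why valid signatures did not protect the wallet: a signature only attests to the digest the signing device was handed, so a signer who independently recomputes the digest of the transaction fields and applies the whitelist and no-delegatecall rules discussed later catches a substituted payload even when the UI looks right. The field names, the placeholder addresses and the use of SHA3-256 as a stand-in for Keccak-256 over ABI-encoded EIP-712 data are assumptions made for the illustration.

```python
import hashlib
import json

# Constructed stand-in for a Safe-style execTransaction payload (the fields a
# signer is asked to approve). operation: 0 = CALL, 1 = DELEGATECALL.
# Addresses are made-up placeholders, not real contracts.
WARM_WALLET = "0x" + "aa" * 20
UNKNOWN_CONTRACT = "0x" + "bb" * 20
APPROVED_TARGETS = {WARM_WALLET}  # contract whitelisting policy

# What the UI showed the signer: a routine 1 ETH transfer to the warm wallet.
DISPLAYED_TX = {"to": WARM_WALLET, "value": 10**18, "data": "0x",
                "operation": 0, "nonce": 42}
# What was actually handed to the signing device: a delegatecall into an
# unknown contract (calldata is constructed filler, not a real payload).
ACTUAL_TX = {"to": UNKNOWN_CONTRACT, "value": 0, "data": "0xdeadbeef",
             "operation": 1, "nonce": 42}
# Subtler variant: every visible field matches, only the operation flag differs.
FLIPPED_OPERATION_TX = dict(DISPLAYED_TX, operation=1)


def tx_digest(tx):
    """Digest over the canonical field encoding. Ethereum/EIP-712 uses
    Keccak-256 over the ABI-encoded struct; hashlib has no keccak, so
    SHA3-256 (which differs only in padding) stands in for the principle."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha3_256(canonical.encode()).hexdigest()


def policy_violations(tx):
    """Contract-level rules a signer (or the wallet itself) should enforce."""
    findings = []
    if tx["operation"] == 1:
        findings.append("delegatecall")       # foreign code in wallet context
    if tx["to"] not in APPROVED_TARGETS:
        findings.append("unapproved-target")  # whitelist violation
    return findings


def review(displayed, actual):
    """The check a UI cannot fake: recompute the digest of the payload that
    will really be signed and compare it with the digest of what was shown."""
    shown, real = tx_digest(displayed), tx_digest(actual)
    violations = policy_violations(actual)
    return {"digests_match": shown == real, "violations": violations,
            "approve": shown == real and not violations}


if __name__ == "__main__":
    print(review(DISPLAYED_TX, ACTUAL_TX))            # approve: False
    print(review(DISPLAYED_TX, FLIPPED_OPERATION_TX))  # approve: False
    print(review(DISPLAYED_TX, DISPLAYED_TX))         # approve: True
```

The same comparison belongs on the signing device or an air-gapped verifier rather than in the web UI, since the UI is the component the attacker controlled.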
The failure occurred at the contract logic and transaction signing layer, where:

- The cryptographic signatures were valid but unknowingly applied to a malicious transaction.
- The attacker altered transaction logic post-signing without violating cryptographic principles.
- The UI misrepresented transaction details, misleading signers into approving an unintended transaction.

This attack highlights that while cryptographic security is crucial, operational security and contract logic verification are equally important.

## 4. How to Prevent Similar Attacks

To prevent such exploits, organizations should implement multi-layered security measures:

### A. Secure the Signing Process

- **Use Hardware Security Modules (HSMs) or air-gapped devices:** ensures that private keys never interact with potentially compromised software.
- **Implement EIP-712 (typed data signing):** displays human-readable transaction details before signing, preventing UI spoofing attacks.
- **Manually verify raw transaction data:** requires signers to cross-check transaction hashes before approval.

### B. Strengthen Smart Contract Security

- **Limit contract upgradeability:** use time-locked upgrades and multisig governance for contract changes.
- **Restrict delegatecall usage:** avoid delegatecalls in critical wallet operations to prevent execution of external malicious code.
- **Implement contract whitelisting:** only allow transactions to and from pre-approved smart contract addresses.

### C. Enhance Backend and UI Security

- **Enforce end-to-end transaction validation:** signers should independently verify transaction hex strings before approval.
- **Monitor and audit transactions in real time:** implement AI-based anomaly detection to flag suspicious transaction patterns.
- **Adopt multi-factor authentication (MFA) for wallet access:** requires additional authentication layers beyond cryptographic signatures.

## 5. Conclusion

The Bybit attack underscores that cryptographic security alone is not enough to protect high-value assets.
While ECDSA and Ethereum's hashing functions remained uncompromised, weaknesses in UI security, contract logic, and transaction approval processes enabled the attacker to execute the breach. To safeguard multisig wallets from similar attacks, organizations must enforce strong UI verification, contract-level restrictions, and hardware-based security mechanisms. The future of crypto security will depend on a holistic approach that integrates cryptography with robust operational security practices. These measures are by no means foolproof; in the coming days, as security experts look into this hack, they will offer more robust solutions to counter it in the future.