In February 2025, cryptocurrency exchange Bybit experienced a devastating hack involving the compromise of their Gnosis Safe multisig wallet, leading to the theft of approximately $1.4 billion in assets. This incident, detailed in a transaction trace breakdown by security researcher Elliot0x (available here), underscores the vulnerabilities in even sophisticated setups like multisig wallets.

The hack likely stemmed from signer compromises, highlighting the need for layered defenses, better transaction verification, and stricter operational security (OpSec) practices. For users managing crypto assets, especially on platforms like Bybit or similar exchanges, implementing proactive tactics is crucial to prevent similar losses. Below, we outline key strategies, drawing from expert recommendations shared in the wake of the event.

One of the primary lessons from the Bybit incident is the importance of independently verifying transactions before signing. Malicious calldata can be disguised, so tools that decode and hash transactions offline are essential.

• Use transaction identicons for visual verification of tx data: github.com/Wardens-OSS-Club/tx-identicons

Employ safe transaction hash utilities to compute and compare hashes locally:

• github.com/pcaversaccio/safe-tx-hashes-util

• github.com/Cyfrin/safe-tx-hashes (includes a comparison section with the above tool)

• For a user-friendly interface to preview safe hashes: www.safehashpreview.com

• Decode calldata directly from Gnosis Safe by pasting it into this tool (which redirects to the ETH Calldata Decoder on Swiss-Knife.xyz)

• Additional utilities for safe transaction handling: github.com/OpenZeppelin/safe-utils

These tools help ensure you're not approving drained or malicious transactions, a tactic that could have mitigated the Bybit compromise.

To limit exposure to phishing or malicious sites, restrict interactions to trusted domains.

• Set up a DeFi DNS whitelist to block unauthorized domains in your browser or wallet: github.com/0xKoda/defi-dns-whitelist/tree/main

This prevents accidental approvals on fake sites mimicking legitimate platforms like Bybit.

Shift away from single-signer hot wallets to more secure alternatives that distribute risk.

• Implement MPC (Multi-Party Computation) wallets for keyless security

• Use delegation tools to manage permissions without exposing keys: delegate.xyz

• Opt for air-gapped wallets for offline signing: airgap.it

• Acquire hardware security modules for cold storage: gridplus or KeystoneWallet

These options reduce the attack surface by avoiding online key exposure, a potential vector in the Bybit hack.

First things first, let's break down what Gnosis Safe is... Safe operates as a smart contract deployed on the blockchain, rather than a traditional externally owned account (EOA). Users set up the wallet with an "M-of-N" (or X-of-Y) configuration, where "M" is the minimum number of approvals needed out of "N" total signers. For example, a 2-of-3 setup means at least two out of three signers must approve a transaction for it to proceed.

The process typically involves:

1. Deployment: The Safe contract is created on-chain, with owners (signers) and a threshold defined.

2. Transaction Proposal: One signer proposes a transaction (e.g., transferring funds or interacting with a dApp).

3. Approvals: Other signers review and sign off on the proposal using their private keys.

4. Execution: Once the threshold is met, the transaction is executed by the smart contract itself.

5. Extensibility: Through modules and integrations, users can add custom logic, such as automated actions or connections to other protocols.

For users relying on multisig setups like Gnosis Safe, add layers of protection to delay or veto suspicious actions.

• Apply defense-in-depth strategies to multisig schemes: bentobox19.github.io/posts/defense-in-depth-applied-to-multisig-schemes.html

• Integrate a delay modifier module that allows time-locked executions with veto options: github.com/gnosisguild/zodiac-modifier-delay

• For Solana-based multisigs, follow security best practices: osec.io/blog/2025-02-22-multisig-security/

• Explore secure key management in Web3: olympixai.medium.com/secure-wallet-key-management-in-web3-268c143820ca

Additionally, consider diagrams like the FailSafe Attestation Service for native ETH protection (illustrated here), which outlines quorum-based signing and asset guards using services like AWS Nitro Enclaves.

Operational security extends beyond wallets to your entire digital environment. Follow comprehensive OpSec guides:

• Trail of Bits' MVP guide: docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit

• Officer's Crypto OpSec Self-Guard Roadmap: github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap

• Install bandwidth monitors to detect unusual network activity: Options include Endian, LuLu, or Little Snitch.

• Sanitize PDFs and potentially malicious files before opening: dangerzone.rocks

These habits help identify and block threats like malware or phishing, which may have played a role in compromising Bybit's signers.

Avoid relying on hosted UIs that could be hijacked or serve malicious code.

• Use a local Safe interface to interact with your multisig wallet securely: justfuckinguselocalsafe.eth.limo - made by PatrickAlphaC

This tactic ensures you're not vulnerable to frontend attacks on platforms like app.safe.global.

The Bybit hack serves as a stark reminder that no system is infallible, but layering these tactics can significantly reduce risks. Start by auditing your current setup, migrating to MPC or air-gapped solutions, and always verify transactions independently. By implementing these tools and practices, users can better safeguard their assets in an increasingly hostile crypto landscape. Stay vigilant, and consider consulting security experts for personalized advice.

If you want to support my work, please, consider donating me:

• 0x1191b7d163bde5f51d4d2c1ac969d514fb4f4c62 or officercia.eth — all supported EVM chains;

• 17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU or bc1q75zgp5jurtm96nltt9c9kzjnrt33uylr8uvdds — Bitcoin;

• BLyXANAw7ciS2Abd8SsN1Rc8J4QZZiJdBzkoyqEuvPAB — Solana;

• 0zk1qydq9pg9m5x9qpa7ecp3gjauczjcg52t9z0zk7hsegq8yzq5f35q3rv7j6fe3z53l7za0lc7yx9nr08pj83q0gjv4kkpkfzsdwx4gunl0pmr3q8dj82eudk5d5v — Railgun;

• TYWJoRenGB9JFD2QsdPSdrJtaT6CDoFQBN — TRX;

• 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — XMR;

• DQhux6WzyWb9MWWNTXKbHKAxBnAwDWa3iD — Doge;

• UQBIqIVSYt8jBS86ONHwTfXCLpeaAjgseT8t_hgOFg7u4umx — TON.

If you enjoy my content and want to help keep it ad-free, please consider supporting my work through donations. Your contributions will allow me to dedicate more time to crafting in-depth articles and sharing even more valuable insights.

In February 2025, cryptocurrency exchange Bybit experienced a devastating hack involving the compromise of their Gnosis Safe multisig wallet, leading to the theft of approximately $1.4 billion in assets. This incident, detailed in a transaction trace breakdown by security researcher Elliot0x (available here), underscores the vulnerabilities in even sophisticated setups like multisig wallets.

The hack likely stemmed from signer compromises, highlighting the need for layered defenses, better transaction verification, and stricter operational security (OpSec) practices. For users managing crypto assets, especially on platforms like Bybit or similar exchanges, implementing proactive tactics is crucial to prevent similar losses. Below, we outline key strategies, drawing from expert recommendations shared in the wake of the event.

One of the primary lessons from the Bybit incident is the importance of independently verifying transactions before signing. Malicious calldata can be disguised, so tools that decode and hash transactions offline are essential.

• Use transaction identicons for visual verification of tx data: github.com/Wardens-OSS-Club/tx-identicons

Employ safe transaction hash utilities to compute and compare hashes locally:

• github.com/pcaversaccio/safe-tx-hashes-util

• github.com/Cyfrin/safe-tx-hashes (includes a comparison section with the above tool)

• For a user-friendly interface to preview safe hashes: www.safehashpreview.com

• Decode calldata directly from Gnosis Safe by pasting it into this tool (which redirects to the ETH Calldata Decoder on Swiss-Knife.xyz)

• Additional utilities for safe transaction handling: github.com/OpenZeppelin/safe-utils

These tools help ensure you're not approving drained or malicious transactions, a tactic that could have mitigated the Bybit compromise.

To limit exposure to phishing or malicious sites, restrict interactions to trusted domains.

• Set up a DeFi DNS whitelist to block unauthorized domains in your browser or wallet: github.com/0xKoda/defi-dns-whitelist/tree/main

This prevents accidental approvals on fake sites mimicking legitimate platforms like Bybit.

Shift away from single-signer hot wallets to more secure alternatives that distribute risk.

• Implement MPC (Multi-Party Computation) wallets for keyless security

• Use delegation tools to manage permissions without exposing keys: delegate.xyz

• Opt for air-gapped wallets for offline signing: airgap.it

• Acquire hardware security modules for cold storage: gridplus or KeystoneWallet

These options reduce the attack surface by avoiding online key exposure, a potential vector in the Bybit hack.

First things first, let's break down what Gnosis Safe is... Safe operates as a smart contract deployed on the blockchain, rather than a traditional externally owned account (EOA). Users set up the wallet with an "M-of-N" (or X-of-Y) configuration, where "M" is the minimum number of approvals needed out of "N" total signers. For example, a 2-of-3 setup means at least two out of three signers must approve a transaction for it to proceed.

The process typically involves:

1. Deployment: The Safe contract is created on-chain, with owners (signers) and a threshold defined.

2. Transaction Proposal: One signer proposes a transaction (e.g., transferring funds or interacting with a dApp).

3. Approvals: Other signers review and sign off on the proposal using their private keys.

4. Execution: Once the threshold is met, the transaction is executed by the smart contract itself.

5. Extensibility: Through modules and integrations, users can add custom logic, such as automated actions or connections to other protocols.

For users relying on multisig setups like Gnosis Safe, add layers of protection to delay or veto suspicious actions.

• Apply defense-in-depth strategies to multisig schemes: bentobox19.github.io/posts/defense-in-depth-applied-to-multisig-schemes.html

• Integrate a delay modifier module that allows time-locked executions with veto options: github.com/gnosisguild/zodiac-modifier-delay

• For Solana-based multisigs, follow security best practices: osec.io/blog/2025-02-22-multisig-security/

• Explore secure key management in Web3: olympixai.medium.com/secure-wallet-key-management-in-web3-268c143820ca

Additionally, consider diagrams like the FailSafe Attestation Service for native ETH protection (illustrated here), which outlines quorum-based signing and asset guards using services like AWS Nitro Enclaves.

Operational security extends beyond wallets to your entire digital environment. Follow comprehensive OpSec guides:

• Trail of Bits' MVP guide: docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit

• Officer's Crypto OpSec Self-Guard Roadmap: github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap

• Install bandwidth monitors to detect unusual network activity: Options include Endian, LuLu, or Little Snitch.

• Sanitize PDFs and potentially malicious files before opening: dangerzone.rocks

These habits help identify and block threats like malware or phishing, which may have played a role in compromising Bybit's signers.

Avoid relying on hosted UIs that could be hijacked or serve malicious code.

• Use a local Safe interface to interact with your multisig wallet securely: justfuckinguselocalsafe.eth.limo - made by PatrickAlphaC

This tactic ensures you're not vulnerable to frontend attacks on platforms like app.safe.global.

The Bybit hack serves as a stark reminder that no system is infallible, but layering these tactics can significantly reduce risks. Start by auditing your current setup, migrating to MPC or air-gapped solutions, and always verify transactions independently. By implementing these tools and practices, users can better safeguard their assets in an increasingly hostile crypto landscape. Stay vigilant, and consider consulting security experts for personalized advice.

If you want to support my work, please, consider donating me:

• 0x1191b7d163bde5f51d4d2c1ac969d514fb4f4c62 or officercia.eth — all supported EVM chains;

• 17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU or bc1q75zgp5jurtm96nltt9c9kzjnrt33uylr8uvdds — Bitcoin;

• BLyXANAw7ciS2Abd8SsN1Rc8J4QZZiJdBzkoyqEuvPAB — Solana;

• 0zk1qydq9pg9m5x9qpa7ecp3gjauczjcg52t9z0zk7hsegq8yzq5f35q3rv7j6fe3z53l7za0lc7yx9nr08pj83q0gjv4kkpkfzsdwx4gunl0pmr3q8dj82eudk5d5v — Railgun;

• TYWJoRenGB9JFD2QsdPSdrJtaT6CDoFQBN — TRX;

• 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — XMR;

• DQhux6WzyWb9MWWNTXKbHKAxBnAwDWa3iD — Doge;

• UQBIqIVSYt8jBS86ONHwTfXCLpeaAjgseT8t_hgOFg7u4umx — TON.

If you enjoy my content and want to help keep it ad-free, please consider supporting my work through donations. Your contributions will allow me to dedicate more time to crafting in-depth articles and sharing even more valuable insights.