Overview

On February 21, 2025, at 14:13:35 UTC, a malicious transaction was executed that upgraded the implementation of the Bybit Hot Wallet Proxy via a call from SafeWallet. This analysis details the sequence of events, on-chain operations, and potential attacker methodology.

Compromised Transaction Details

Malicious transaction that upgrade implementation of Bybit Hot Wallet called from SafeWallet:

• Timestamp: Feb-21-2025, 14:13:35 UTC

• Transaction: 0x46dee (Etherscan)

Key Addresses:

• Bybit Hot Wallet Proxy: 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4

• GnosisSafe (v1.1.1): 0x34cfac646f301356faa8b21e94227e3583fe3f5f

• Malicious Implementation Contract: 0x96221423681a6d52e184d440a8efcebb105c7242

On-Chain Flow of the Exploit

1. Initiation by the Hacker:

   • Hacker Address: 0x0fa09c3a328792253f8dee7116848723b72a6d2e

   • The attacker initiates a call to the Hot Wallet Proxy (0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4).

2. Delegated Calls:

   • The proxy executes a delegatecall to the legitimate GnosisSafe contract (0x34cfac646f301356faa8b21e94227e3583fe3f5f).

   • Next, a further delegatecall is made to the malicious implementation contract using the following JSON payload:

     {
       "to": "0x96221423681a6d52e184d440a8efcebb105c7242", // Malicious Implementation Contract
       "operation": 1, // DelegateCall operation
       "data": "0xa9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be29695160000000000000000000000000000000000000000000000000000000000000000"
       // Encodes a call to transfer(address,uint256):
       // transfer(0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516, 0)
     }
     

3. State Modification:

   • Within the malicious contract’s transfer function:

   def transfer(address _to, uint256 _value) payable:
       require calldata.size - 4 >= 64
       require _to = _to
       stor0 = _to

   This function updates slot0 of the proxy, effectively replacing the legitimate GnosisSafe implementation with the malicious contract at 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516.

   • The state change is confirmed by the following screenshot:

4. Asset Exfiltration:

   • Test Transfer: A preliminary transaction transferred 90 USDT to verify functionality. View on Etherscan

   • Massive ETH Drain: Following the test, a transaction was executed that transferred 401,346.76 ETH from the compromised wallet. View on Etherscan

Final Thoughts

The incident is still under investigation. The key details above show how the attacker drained the wallet’s fund and used crafted delegatecall transactions to hide their actions.

This information is crucial for understanding the breach. Stay alert and monitor your wallet closely, as even zero-value transactions might signal hidden threats. Further updates will follow as more details emerge.