The Bybit Hack And Its Fallout. Cold wallets that are hot. – Forbes

By Vipin Bharathan, Contributor.

[Chart: BTCUSD and ETHUSD in percentage terms]
By now everyone knows that the Bybit hack of 400,000 ETH and stETH worth more than $1.5 billion is the largest ever hack of an exchange. Even the title "Unauthorized Activity Involving ETH Cold Wallet" uses familiar language, the language designed to draw attention away from the hack itself. The language of corporate unaccountability. This is old news. When the news is more than one week old, it smells just like fish left out of the cold for a week. This article looks at the wider fallout of the hack as it becomes clearer.
The casualties of the hack are
The Bybit announcement reads “The transfer was part of a scheduled move of ETH from our ETH Multisig Cold Wallet to our Hot Wallet”. What necessitates a scheduled move of 400,000 ETH and stETH? What are these guys doing with ETH that requires moves from cold to hot wallets on the order of 400,000 ETH in a short period of time? No explanation was provided.
The dollar record is partly an artefact of the USD price of ETH at the time of the attack. The prices of all cryptocurrencies fell in the hours after the hack, wiping out roughly $300 billion of market value in a matter of hours, 200 times the value of the theft. For comparison, the 2016 DAO hack drained 3.6 million ETH, nine times the 400,000 ETH taken from Bybit, yet it was valued at about $60 million against Bybit's $1.5 billion; the difference is almost entirely the price of ETH. The DAO's own design kept the smart contract exploit from being cashed out immediately: the drained funds sat in a child DAO for weeks before they could be withdrawn, which bought time for a fix to be rolled out. Ethereum was staring at an existential crisis, with a large share of all ETH then in existence at risk. The maintainers, led by Vitalik Buterin, made the brave move of a hard fork that invalidated the hack. Although widely panned at the time, that action probably saved Ethereum. No one talks about Ethereum Classic anymore.
Cold wallets derive their safety from complete isolation from the internet, and hence from remote intruders. Usually they are hardware wallets, and their risks are physical: loss, theft and damage. Hot wallets, on the other hand, are connected to the internet and hence to blockchain applications directly, so transactions can be created, signed and sent immediately; once broadcast, the fee paid is usually what determines how quickly a transaction confirms.
I cannot figure out why the Safe wallet, even though it is a web based application connecting to the internet, qualifies as a cold wallet. Bybit used a Safe wallet. Safe is an Orwellian term, like Liberty, Patriot, Truth. The wallet UI was served as static files from an AWS S3 bucket in the Amazon cloud, and all the postmortems point to a compromise of that UI's JavaScript using credentials for the bucket that the attackers had obtained earlier. Cold wallets are not for timely transactions, since it takes a while for a multisig wallet to bridge between a disconnected signer and the internet. Cold wallets can be as simple as a piece of paper with your private key, or a hardware wallet. Of course the bridging point is where the setup is most vulnerable. Maybe Safe was used because, for people on the move like the Bybit CEO and his two co-signers, a wallet such as Safe is convenient. Calling it cold is a stretch.
All evidence points to The Lazarus Group. The steps follow a well rehearsed choreography.
Some funds were clawed back because of the fast action of Bybit and its security consultants, such as Elliptic and other blockchain analytics firms. These efforts are ongoing. Once the stolen assets are converted to USD or any other national currency, the proceeds fund the ballistic missile programme or other pet projects of the North Korean regime. The hack finances the dangerous build up of nuclear arms and their delivery mechanisms by a rogue state.
Bybit, the Dubai based exchange, managed to survive this reputational hit so far by their excellent communications and fast action. It also helped that they kept their redemptions open and made good on all their clients’ money. They seem to be back to Business As Usual. Pumping airdrops, drawing in customers with their new offers. Some money was recovered, barely 3% of the total value of the hack.
The immediate fallout was a decrease in the total value of the crypto economy by $300 billion. Arguably, the Lazarus Group could have made more money by shorting ETH and BTC than with the actual heist. The value of BTC, ADA, ETH, XRP and SOL recovered with the president’s tweet about the crypto reserve over the weekend. Who, if anyone, front-ran that tweet and made money on that steep rise in value? No one knows. As noted earlier, security practices around cold wallets and multisig need a very close look after this. Just naming a wallet a cold wallet does not make it so. Safe proved to be unsafe.
If huge amounts are routinely moved from cold wallets to hot wallets in the interest of business, a hard look at such practices needs to be conducted. The routine also lulls the multisig participants into a stupor, a mindless clicking of buttons. They had done it many times before, so they were on autopilot. This is the essence of behavioral hacking: the surface looks the same, but underneath very strange things are happening. I have not gone into the details of the simple javascript hacks that have made this possible.
Other recommendations from security practitioners include using more than one independent means to check that the destination is what was expected: a look at the generated transaction on the signing device itself to see the destination (this is in the Safe{Wallet} blog post on the incident), an Etherscan lookup of the destination at the point where the wallet goes from cold to connected, a second review of any very large transaction, and an inspection of the transaction as it is about to be broadcast, checking the from and to addresses. Because a hardware wallet typically shows only a hash of a multisig transaction, such a check has teeth only when the signer recomputes that hash from the parameters they intended and compares it with what the device displays. Routine numbs us; we need to see every transaction with fresh eyes. This hack pathway can be blocked, until the wily Lazarus Group finds another.
Another fallout is the fact that many traditional commentators point to this hack as evidence that the crypto ecosystem is rife with fraud and danger. They then use it to try to bury all the good that is coming out of this great innovation engine. The debates, the great solutions, DeFi itself, everything gets tarred with the unsafe brush. Such are the growing pains of an industry coming of age. Lots more work needs to be done to make the system fairer and more secure. The price of safety, like the price of freedom, is eternal vigilance and work.
