CZ Criticizes Bybit Audit Report and Safe Wallet’s Response to Lazarus Group Attack


Binance founder Changpeng Zhao (CZ) has just publicly criticized the audit report related to the Bybit hack. The hack was allegedly orchestrated by the notorious Lazarus Group. The audit concluded that the breach stemmed from Safe{Wallet}’s compromised developer machine rather than Bybit’s systems. However, CZ found the explanation unsatisfactory, raising pointed questions that the audit failed to answer.

This incident has sent shockwaves through the crypto community, sparking concerns about security practices among wallet providers and exchanges. The case also underscores the growing threat of sophisticated state-sponsored hacking groups like Lazarus, known for exploiting weaknesses in the crypto ecosystem.

Safe{Wallet} released an official statement addressing the hack that led to a staggering $1.4 billion loss from an account operated by Bybit. According to Safe, forensic investigations concluded that the Lazarus Group executed a targeted attack by compromising a Safe{Wallet} developer machine. This compromise allowed the hackers to propose a disguised malicious transaction that ultimately affected Bybit’s account.

CZ’s main criticisms and questions include:

Nature of the Compromise:
What exactly does “compromising a Safe{Wallet} developer machine” mean?
CZ questions whether the breach involved social engineering, malware, or some other tactic. Understanding this is crucial, as it would help other wallet providers avoid similar vulnerabilities.

Access to Bybit Accounts:
How did a developer’s machine gain access to an account operated by Bybit?
CZ raises concerns about whether malicious code was deployed directly from a developer’s environment to production, highlighting potential flaws in deployment security protocols.

Ledger Verification Process:
How did the attackers bypass multiple Ledger verification steps?
CZ probes whether the issue stemmed from blind signing or a failure of the signers to properly verify transactions.

Target Selection:
Was $1.4 billion the largest target available? Why didn’t the attackers target others?
CZ’s question hints at the possibility of deeper vulnerabilities and whether this attack was part of a broader strategy.

Lessons for the Industry:
What can other self-custody, multi-sig wallet providers learn from this breach?
CZ calls for actionable insights that can bolster industry-wide security standards.
