Bybit loses $1.5B in hack
380 comments
·February 21, 2025mdaniel
dang
Currently discussed here:
The $1.5B Bybit Hack - https://news.ycombinator.com/item?id=43140754
Normally we'd merge that one hither but it looks like that article has more background and the thread is (therefore) better.
rkagerer
There's some info and speculation in these two (distinct) articles, but I'd love to know technical details of where the gaffs were.
eg. Was client software compromised? Did the multisig keyholders succumb to social engineering? Were the signers using airgapped machines / hardware devices?
https://blockworks.co/news/bybit-hack-raises-security-questi...
fresh_geezer
Here is what the CEO wrote on X:
"Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe . However the signing message was to change the smart contract logic of our ETH cold wallet. This resulted Hacker took control of the specific ETH cold wallet we signed and transfered all ETH in the cold wallet to this unidentified address."
[yes, it says 'musked', assuming they meant masked. @safe is https://safe.global/wallet]
Unfortunately most hardware wallets can't interpret EVM smart contract transactions and asks you to sign a big binary blob that is supposed to match what you see on your computer screen (it's literally called blind signing). He said in the tweet and later on a live stream that they verified that the URL was correct, and there were several signers in different locations on different machines.
Logically the UI must have been manipulated for all of them, which I can think of a few different ways to do:
- The signing link was replaced somehow over whatever medium they sent it to each other, pointing to something that either looks like the original UI (perhaps IDN homograph domain) or is the actual site if it has some weakness that allows script injection to manipulate the page
- The server side was exploited to serve a manipulated page
- Client side malware that injects something in the browser to manipulate the page
- Some kind of network/DNS attack combined with mis-issued TLS certificate (or injected CA)
It points to some level of sophistication and long-term observation of their internal systems to know what the process looks like and devising an attack.
Will be interesting to read when/if they release a full analysis.
DennisP
They could have used a hardware wallet like the Lattice1 from GridPlus, which actually shows the function parameters on a big screen instead of blind signing.
dboreham
Oh, when I read this yesterday I assumed "musked" was a clever play on the idea that someone is tricked into agreeing to things against their interests.
Salgat
Is it possible that this was an inside job?
EMM_386
One of the links says the following:
> According to crypto security firm Groom Lake, a Safe multisig wallet was deployed on Ethereum in 2019 and on the Base layer-2 in 2024 with identical transaction hashes. Ethereum’s alphanumeric transaction hashes are 64 characters long, so deploying the same smart contract transaction hash twice should be mathematically impossible.
> The same transaction hash appearing on both Ethereum and Base indicates an attacker could have found a way to make a single transaction valid on more than one network or could be reusing crypto wallet signatures or transaction data across networks, pseudonymous Groom Lake researcher Apollo said.
AwGeezeRick
The quote is incorrect. If I deploy the same smart contract to two different EVM chains, from the same wallet, with the same nonce (pretend it's the first transactions I'm doing with this wallet on each chain, so nonce 0), then the transaction hash will be the same on both chains. That's not odd.
veidr
Are we sure he didn't mean the transaction got DOGEd?
cypherpunks01
A huge problem with signing EVM transactions using hardware wallets is that is common to be blind signing messages. The device has no knowledge of the SAFE EVM contract functions or any other context, it just asks you to sign an gobblygook opaque binary message so you may have no idea what's being signed, is my experience using multiple different vendor HW wallets. Not sure if that's what happened, but possible this type of problem contributed to the exploit. BTC TXs are simple enough that all HW wallets can basically display what's happening, but with turing-complete arbitrary computations in EVM this becomes very difficult.
killerstorm
In almost all cases EVM smart contract interaction looks like a function call which can be easily decoded into JSON if you know ABI.
HW wallet doesn't need to understand the contract logic, it just needs ABI, which is generally a simpler task. Also it can show the name of function you're calling as selector is a hash of a name.
Safe is a bit more complex as it also wraps it in EIP-712 message, but that can also be decoded in a systematic way.
tumdum_
> with turing-complete arbitrary computations in EVM this becomes very difficult.
I have very limited knowledge about EVM, but those computations are bounded by gas, right? Evaluating them is a finite process.
simpsond
Yes, each opcode has a gas cost. Some are quite expensive, like writing storage (changing network state). Each block has a target gas limit. Say 30 million. A single transaction cannot exceed that. Additionally, a transaction specifies a bid on how much they are willing to spend, in ether, per gas. That said, transferring funds does not typically require significant gas.
dboreham
What you suggest is possible (evaluate the side effects of the transaction and present that information to the prospective signer). But at present they don't do that. I'm not sure about this specific case but often it's just a supplied text string (that can say anything) that's displayed. Basically the system depends on trust in whatever came up with the transaction payload.
porkbrain
But the space of their effects on the Blockchain state is vast. You need software to translate those effects to a form human can interpret as "what I want"/"not what I want".
Ie. engineering work needs to happen in the UI they used to confirm the tx
rkagerer
Thanks for spelling this out, the explanation makes a lot of sense.
You'd think they could at least show a blockie representing the contract, or reputational party who cryptographically vouched for it.
DennisP
Sometimes you have the right contract, but an attacker is making you pass in different parameters than you think. The most popular hardware wallets don't help you with this; the Ledger Nano S for example just alerts you that you're passing some kind of data to the contract, so you're relying on your computer to show the details. This is a problem when, for example, you're interacting with a token or wallet contract, and you think you're telling it to transfer $ to Alice, but actually it's $$$$ to Bob.
But there are better options with larger screens, which actually display contract parameters on the secure device.
null
mhmmmmmm
https://x.com/tayvano_/status/1847877011462901915 This thread has some info about very similar past attacks, should give some insights into the level of sophistication that goes into something like that.
frinxor
This was interesting, thanks!
philipwhiuk
It's obviously not a cold wallet if it's connected to the exchange.
abuani
It's also not reassuring that the CEO claims cold wallets are safe and secure, just after losing 1.46B
javier2
Cold usually means it needs multiple physical people to sign from offline devices to move it. Hot wallet usually is automated. Here it looks like the «hackers» found a way to trick enough people to sign this transaction
stavros
Or the cold wallet was, at best, room temperature.
gnabgib
It could still be cold. "took control of the specific ETH cold wallet" sounds like stealing the physical hardware. Like someone stealing the vault key, or the HDCP master key getting leaked.
hotsauceror
Yes. This sounds like a variant of “rubber hose decryption.” “We beat him with a sock full of doorknobs until he gave us the device.”
cozzyd
Perhaps their servers have cryogenic cooling
vessenes
They could have gotten the recovery phrase off some paper, then imported it wherever. More likely than guessing the pin on a ledger with a short number of tries before wiping.
Etheryte
Yeah this makes no sense whatsoever.
> [The hacker] took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address.
Did the hacker physically break into their office or what?
shawabawa3
Possibly yes
Or some part of their system failed and the key was compromised without them realising it (like the Debian insecure keys debacle or whatever)
TimJRobinson
The wallet is a smart contract (specifically a gnosis safe), the malicious message they signed transferred ownership of that smart contract wallet to the attacker so they could then do whatever they want with it.
plantain
How on earth is it possible they can cover a 1.5B loss? Are they really sitting on that much profit, or is the goal to ponzi it out from here, MtGox style?
reisse
Bybit trading volume is in tens billions of dollars daily. Their comission rate for the retail traders is up to 10bp (0.1%). Even considering a huge part of that volume is coming from institutional players who enjoy significantly reduced commission rates, I think they're surely making few million dollars daily on comissions alone, maybe tens of millions in a good day. And besides comissions, they also have other sources of profit, like staking, crediting customers, and forced liquidations.
Being a crypto exchange in current market is very profitable. If the crypto itself does not collapse, I think it's totally possible for them to repay that sum in a year or less.
xnickb
I'm nowhere near expert on any of the things below, but: My gut tells me if an exchange makes as much money as you suggest, people involved in that exchange are making even more profit from the said exchange, otherwise they wouldn't engage. The whole thing being literally money out of thin air, it feels like a huge bubble that should inevitably burst bringing down _ a lot _ of collaterals with it.
</speculation>
alberth
Coinbase charges 100bps (1%) between trader & maker fee.
Just last quarter, Coinbase had:
Revenue: $2.2B
Net Income: $1.3B
https://s27.q4cdn.com/397450999/files/doc_financials/2024/q4...
malfist
You might be interested in reading Warren Buffett's reasoning for not investing in crypto. Basically he says crypto produces no goods, products or services, and it's only value comes from finding a "bigger fool" to pay a higher price than you did for it.
It's value is from speculation assuming future speculation will assume more future speculation
themgt
Yeah, as a layman this MSTR explainer was an "aha" moment for me:
No, what is likely happening with all the convertible bond issues is that MicroStrategy prices the bonds in a manner to attract market neutral hedge fonds, meaning arbitrageurs. Saylor has briefly mentioned these firms, as opposed to firms seeking actual Bitcoin exposure. For issue after issue, they can be spotted as the largest bond holders by anyone with a Bloomberg terminal. By buying the bonds, even when conversion price is at a large premium, and by simultaneously shorting the shares, these arbitrage funds can lock in close to risk-free profits. Due to the convex nature of the value of the convertible bonds, the hedge funds attempt to profit no matter whether MicroStrategy shares rise or decline
Like, a broker profiting off PFOF in the stock market makes sense because there's an underlying asset generating real cashflow that people are buying into. But where is the money in crypto actually coming from? You have to pay miners, brokers, rugpulls/thefts/etc and there's barely any cashflow from the underlying assets (dApps?). But if it really is ~just a casino, with retail gamblers as the only real source of cash, it can still be profitable for smart money to pour billions in and use their PhDs to trade the vol. It goes up, it goes down, overall retail is bleeding huge amounts of cash on a sort of 5 dimensional pyramid scheme but enough gamblers go viral winning the slots/blackjack that the casino doesn't run out of customers.
Can this continue indefinitely? Maybe / probably? Seems similar to sports betting, Polymarket, retail now ~70% of options trading. The west and especially America becoming a gambling culture. The "bubble" may burst and reinflate over and over.
https://medium.com/@bdratings/all-your-models-are-destroyed-...
plantain
Most of the trading is not done by retail traders but at much lower fees than that, if not being paid (market makers). I just can't make it add up.
spaceman_2020
Hyperliquid, a decentralized perp exchange, is a good proxy for ByBit’s revenues. On an average, Hyperliquid does between 800k-1M in revenue per day. ByBit is substantially bigger and easily does 50-100M in monthly revenue
reisse
I know! As I stated,
> Even considering a huge part of that volume is coming from institutional players who enjoy significantly reduced commission rates...
But the volume is huge. Even if we take the best publicly shared MM rates from Bybit (which is 1.5bp taker commission, 0.5bp maker rebate), and assume the whole volume is traded with these rates, it is still 1bp from 40B dollars, which is 4M dollars daily.
evdubs
ByBit's trading volume is almost certainly largely wash trading. Most unregulated crypto exchanges are rife with wash trading.
cmcaleer
These exchanges make an absurd amount of money. That amount of money is basically a decent quarter for Coinbase in fee revenue, and Bybit is smaller but it isn't that much smaller.
It sucks if you're Bybit, but they're going to have plenty of lenders happy to provide them liquidity while they make it all back.
scrlk
I can understand why some FTX creditors are pissed that the exchange didn't start back up under new management. They would have actually been made whole, unlike the current situation where they're getting "repaid" but pegged to November 2022 valuations (i.e. the absolute bottom of the crypto bear market).
Gorkys
In crypto, there is the concept of the "fictional reserve" which can be used in situations such as this.
DrillShopper
If it's big enough you can even get the devs to fork the blockchain to reset things (see The DAO)
It's not that crypto folks don't want some protection from hacks or fraud - the just think it should only be for the rich.
ghhrjfkt4k
FXCM forex trading broker covered a similar sized loss of client money (not hack) when EUR/CHF was unpegged in 2015.
Since it was a profitable broker business, another bigger broker gave them the money to plug the loss in exchange for taking over the business.
Saline9515
Bybit is one of the most used crypto exchanges and does >100M$ of revenue per month, growing fast.
If this isn't enough, I'm sure that every crypto VC would line up to buy a single digit % of their equity to cover up the hole. Crypto hosts the most profitable businesses in the world.
FabHK
> Crypto hosts the most profitable businesses in the world.
Well, because the retail clients expect to get rich and don't mind paying 1% or so fees per exchange.
Similarly, the BTC future basis (the difference between the spot price and future price) on many exchanges around 10 to 5 years ago was easily 80% p.a. which you could realize by buying Bitcoin and selling the future. What happened there is that people going long Bitcoin with leverage essentially borrowed the money giving them that leverage at usurious rates (this implied rate is not usually displayed and thus invisible to your average retail client, but definitely very visible to the finance professionals moonlighting in crypto (such as Jane Street, Jump trading, and many others)).
Crypto use case: ripping off retail.
Saline9515
You pay 1% on Coinbase because they are a quasi monopoly due to regulation. Offshore exchanges take less than 0.1% usually.
The neutral rate for perps is 10%, which is lower than the credit card borrowing rate in the USA. And nothing prevents retail investors to earn it by shorting while holding spot.
Last, Tether is crypto's most profitable business, and likely the world's most profitable if you account on $ of profit per employee, and is not an exchange.
EVa5I7bHFq9mnYK
Yes, the profits are insane in that business. Binance was raided for a similar amount, and paid it out easily. Mtgox was raided for ₿650k ($60B in today's money), and plans to return ₿140k to traders. However, I believe most Mtgox investors are better off this way because they were forced to hold onto their investments; otherwise, they would have sold at around $1,000 or so.
snailmailstare
This loss is more than 5% of their holdings.. To me that implies the supposed benefit of crypto is nonexistent. If an institution is making so much money off your crypto assets that they can return 5% of them, they are a bank doing whatever it was that was so evil.
EVa5I7bHFq9mnYK
Institution is making money from trading fees which are not too high percentage wise. But the trading activity is very high, for many reasons. A lot more people can participate, from all over the world. Some use it to circumvent sanctions. Some enjoy day trading (no need to deposit $25000, as with US stocks). There are literally millions of instruments to trade. Some like to write algorithms, arbitrage, market making etc. Some dream of 1000x returns (and few do get them).
jqpabc123
How on earth is it possible they can cover a 1.5B loss?
Easy! They give Binance an IOU in exchange for 1.5 billion BUSD which is just "minted" out of fresh new electrons. Neither of them has really lost anything. Everyone can carry on as if it never happened.
In the bizarro world of crypto, this is business as usual.
Saline9515
Binance doesn't mint BUSD, BUSD is emitted by Paxos, which is an american licensed company.
jqpabc123
I have a license to drive a car. Having it doesn't limit my ability to mint crypto.
m00dy
Gary Gensler called BUSD a security and banned it years go. What a guy!
killerstorm
How it it different from what banks do? (Except for a central regulator.)
jqpabc123
How it it different from what banks do? (Except for a central regulator.)
Your exception is the answer.
Only the central regulator can "mint" money and doing so has real world consequences. The central regulator has financial incentives to limit this sort of activity.
The bizarro world of crypto has no such regulation and as a result, it is inherently unstable.
The proof of this is right in front of you --- it is the fact that "stable coins" exist. The only way to bring stability to the bizarro world of crypto is by tying it to "fiat" --- which is the very thing crypto is supposedly working to eliminate.
Contradict and hypocrite much?
Fade_Dance
Because while banks hold duration, the net value of their current assets, future asset streams, and equity is above zero. Indeed the core focus of the business and regulatory side is ensuring this is so.
The central regulator caveat is also a huge caveat to brush aside. During the last round of systemic stress, the banking system essentially got a guarantee that all uninsured deposits would be protected, and banks were allowed to post their collateral for liquidity at terms that no other business has access to.
What OP is referencing is the oft-seen practice in the crypto space where failed entities fill an asset hole with propped up tokens, essentially transforming their paper loss on the balance sheet into liquidity risk that doesn't show as readily.
The important point here is that in the latter case, the entity may be fully insolvent, even after accounting for future cashflows on loans. When it comes to banks, even the left tail cases like SVB, their "problem assets" are things like long term treasuries, which are way down the risk curve when compared to the ponzi-tokenonics style "stablecoins" that we've seen unwind over the past few years.
phony-account
> How it it different from what banks do?
I often read this sort of comment from crypto-defenders, but is it what banks do?
I’m relatively naive about these things, but my impression is that a bank losing this proportion of their assets can’t just ‘pretend’ they have the money, or create ‘new’ money.
skeeter2020
Banks don't print money for each other, and if they get money for free it's backstopped by the government and hence all of us. Crypto wants this single aspect but none of the central regulation.
Both systems stink for those at the end of the chain, i.e. us; you can decide which one is worse.
tonyhart7
FEDS can print money while Binance does not
hnburnsy
I had read they got loans and antcipate paying them back qith recovered proceeds. Interest they could cover with on going operations.
Geee
There should be something like a "finalizing transaction", which both the sender and receiver need to sign after the first transaction has been mined, i.e. like an in-built escrow. If it's not signed by both, then funds are returned. This wouldn't protect against key leakage, but in this case, the tx was signed by accident. This would also protect against sending to wrong address.
tromp
There are cryptocurrencies in which transactions must be signed by both sender and receiver, such as those implementing the pure Mimblewimble protocol.
> Both the sender and receiver need to sign after the first transaction has been mined
That makes no sense; miners don't mine transactions unless they're guaranteed to be valid. All signing must be done before transactions are even published. Otherwise one could DoD-attack the network by having it forward tons of invalid transactions.
vlovich123
You’d mine the first transaction which is a nominal value but the rest of the transaction won’t get mined until that first transaction is signed by both parties indicating acceptance. You could even break it down into an arbitrarily multi-stage process where the next stage is exponentially larger more money (i.e. transfer $100, then transfer $1000, then $1000, etc). This would make the accident “hit a button and lose a B right away” much harder to pull off. Of course, in this case I don’t know that it would help as I believe the attacked party signed approval to change the contract itself.
dcow
What does DoD stand for, in this context?
ykonstant
Department of Defense; after the research funding cuts, the bureaucrats had to get creative about money sources.
joshstrange
I think they meant DoS.
Mengkudulangsat
This would also protect againts dusting attacks.
Illicit addresses sending to thousands of random recipients and making them all marked by automated KYC systems.
zer0x4d
I'm a huge crypto believer but I can admit that we don't have a serious system if a person can just transfer over $1.5B from a well known crypto cold wallet to different accounts with nothing flagging it and no way to reverse it.
stouset
In the face of the never-ending list of these kinds of events, the laughably impossible task of average nontechnical individuals protecting their own assets (and the consequence of total financial ruin when they fail to do so), the overwhelming number of and size of scams, rug pulls, fraud, outright Ponzi schemes, and on and on and on… what exactly is left to keep anyone a “huge believer”?
Put differently, it’s been seventeen years of constant and escalating mayhem. What would finally be enough to shake your faith?
cmcaleer
> what exactly is left to keep anyone a “huge believer”?
I don't really engage in the ponzibucks part and don't touch exchanges except to on and off-ramp, and use crypto to pay for things like hosting, seedboxes, or other services I might not necessarily want my debit card directly attached to.
I like sending vendors $100 and spending $0.00005 in transaction fees and knowing that they'll get $100 (or $99 with some 3rd party integration like Coinbase Commerce) versus spending $100, of which Stripe gets $5 of and the vendor only sees ~$95 if I don't feel like I need the protections of a card, which is frequent but not all the time.
Crypto fits a niche in my life well, despite the wider crypto world having dumb controversies. Just like my HSBC bank account fits a niche well, despite HSBC's wikipedia page being ~50% controversy section by word count.
joshstrange
Your transfer fees are a bit off.
Coinbase is 10,200x more than you stated ($0.51 to send $100) BUT that’s only if I send directly on Coinbase. Coinbase Commerce takes 1% so it would actually be 20,000x more than you listed.
Stripe is 64% of what you stated ($3.20), and that’s with no processing fee discounts like you can get with higher volume.
Now, obviously, $3.20 > $1 but it’s not apples to apples. You can claw back your money with a card for one. there are many cases where I would prefer to pay the extra $2.20.
manquer
> What would finally be enough to shake your faith?
Permanent and major market crashes is the only thing I can think of .
After the last crash a lot of fraud and incompetence got out because they couldn’t stay solvent, stuff like Celsius or FTX etc got exposed only because of the crash we had in 21/22.
It will take a few crashes, like that, until then scams or incompetence like this incident will not make people loose their money.
Few crashes, then most believers will loose their savings then the faith will shatter not until then.
Most people are after all investing in crypto because it goes up and not because they believe in decentralized currencies. As long as they hear how someone is making money on crypto they will keep believing no matter how many meme coins pull the rug, or exchanges fail or pig butchering or myriad of other scams come to light
throwawayqqq11
> what exactly is left to keep anyone a “huge believer”?
Bias. I expect believers to have earned a profit or still hold significant quantities of crypto assets.
But in their favor, trust in any currency is the foundation of its value. States create it by collecting taxes and paying employees. Crypto currencies generally lack that heavy weight central authority, so they kind of have to believe to the point where they get burned.
dandanua
> What would finally be enough to shake your faith?
Crypto scams run by top government officials? Oh, wait...
LoganDark
and the existence of financial scams isn't the same for fiat because...?
desumeku
Maybe when it stops escalating and getting bigger and bigger and continually growing over time?
ericjmorey
Movement of funds from one sovereign nation's jurisdiction to another is important when one jurisdiction is in crisis or restricting capital flows.
nprateem
They've seen other people make loads of money (or maybe made a load themselves) and are still in the game hoping to make loads more.
highcountess
[dead]
JTyQZSnP3cQGa8B
You like decentralized money without laws and accountability, but would like to have a central thing (TBD) that is accountable and respect laws? How would that work?
zer0x4d
I'm not too sure but few things come to mind:
1. Upgrade protocol to include protections for well known cold wallets held by exchanges (ex: API call has to be made to the exchange's security endpoint to validate each transaction out of the wallet. Exchange staff would need to manually allowlist large transactions before they are transmitted).
2. Decentralized voting on reversal of transactions (90-95%+ vote needed to reverse to avoid 51% attacks)
jeswin
This is getting pretty close to the banking system, at which point one needs to ask - maybe just improve existing protocols?
j8k99kuyr
> 2. Decentralized voting on reversal of transactions (90-95%+ vote needed to reverse to avoid 51% attacks)
Couldn't you technically just 'git checkout' a previous commit from before the fraudulent transaction occurred and pretend it never happened? Isn't the real problem that you'd have to convince a majority of users to do the same?
killerstorm
Ethereum is programmable, such a protocol can be implemented as a smart contract.
rs186
Not going to work, otherwise it would already have been done.
People who control or take advantage of cryptocurrency don't want this to happen.
lucianbr
Good luck getting 90% of a large group of people to vote the sky is blue.
scyclow
I think the move is less having a central thing and more advancing wallet and multisig technology. ByBit was pretty reckless by using a simple majority multisig to hold $1.5b. At that level you should probably have a few speed bumps. Like, maybe a majority of signatures allows you to make a proposal, but you can only accept the proposal after a couple hours, which would give you the chance to see the malicious transaction and bail on it.
Something like that would probably be overkill for individuals, but most people would definitely benefit from some added on chain bureaucracy regarding how their accounts are managed. And yes, for many this would lead to a system that isn't notably less centralized than the traditional banking system. But people would at least have a choice as to where their wallets gets to sit on the bureaucracy <> complete freedom spectrum. And even if they end up closer to the bureaucracy end, they'd have a lot more flexibility and lower administrative fees than what they currently have.
otabdeveloper4
> let's reinvent the banking system except worse in every way
silisili
Right on. My bank calls me every time I send money out. And I'm talking like $50. I used to find it annoying, but now I'm blown away every financial system doesn't...
cmcaleer
On the one hand, I understand banks attempting to protect customers and limit liability, on the other hand, frankly I have better things to do with my time than spend 30 minutes waiting in a phone queue because I had the audacity to go on holiday and attempt to spend $20 on ice cream.
nilamo
Those all sound like stated objectives of crypto.
j8k99kuyr
Code is law, no?
JamesLefrere
Solutions have existed for years (eg Gnosis Safe), they just aren’t being used by that exchange.
mhmmmmmm
Bybit was quite literally using Gnosis Safe for the compromised wallet.
zer0x4d
I can't believe someone posted that without knowing they actually used Gnosis Safe
JamesLefrere
lol. Good times.
jgilias
Can’t tell if you’re trolling here or not, but good one either way!
UncleMeat
"Please rest assured that all other cold wallets are secure."
Unreal.
otabdeveloper4
He means "...secure. (For now.)"
He just left off the implied part.
qingcharles
Can someone even explain what Bybit is actually about? I searched around when the hack was announced, but I'm very confused. Mostly what I saw said "scam" on it.
This isn't your run-of-the-mill Coinbase style exchange, right?
cypherpunks01
It's the second largest crypto exchange by volume globally, behind Binance. Specialized in derivatives but they have lots of regular retail products that you might find at Coinbase. Basically like a bigger version of Coinbase from Asia.
billfruit
Also a major sponsor of Red bull Racing in Formula 1.
mkagenius
A crypto exchange WazirX was hacked for ~$300M, roughly 50% of the users fund gone.
There is no action on the CEO since the hack in July 2024. He sits in Dubai. He just got a nod from Supreme Court of SG to just average out the funds and distribute it among the users.
No action has been initiated against the company/ceo for losing the fund. He is geared up to launch another company/exchange.
ycombinatrix
What action can be taken? There's no law against getting hacked or being a moron.
ghhrjfkt4k
There is a law against gross negligence. Holding client money comes with other obligations too.
joshstrange
It’s not money though. It’s property at best. It doesn’t get held to the same standards.
CryptoBros are all about “no laws, do whatever” right up until the, inevitable, point at which /they/ are getting swindled and then they want to cry foul and run to the authorities.
It’s just like the whole DAO situation which showed “Crypto is immutable and we want to live and die by the code unless of course someone finds a flaw in the code and steals our money, then we will roll back the immutable chain to recover it” what a farce.
EVa5I7bHFq9mnYK
Atomic Wallet users lost $100M in June 2023 hack, the company continues to operate as if nothing happened, no word of any restitution to the users.
highcountess
[dead]
sleazebreeze
What are the chances that a Bybit insider is behind this?
hinkley
Or former insider.
I spent several years pointing out to my last employer that every former employee could have walked off with secrets that allowed them access to our backends. The were already slowly working on hardening write access but read access was still being worked on a couple months before I left, when I got to write about half of the last mile code for the user facing bits.
This is not a unique experience by any means. I’ve seen this sort of thing enough to pay attention when acquaintances bitch about it too.
Falimonda
Are these business-owned exchanges and managed wallets not fundamentally incompatible with making guarantees of security? Is anyone doing it the "right" way and what does the right way even look like?
hinkley
I don't know the answer to that, I only have guesses.
But one mistake we make over and over is that we write code that just does its best to answer questions as quickly as possible. And when those questions show up 10x as quickly as they have any other time in our company history, they either just plug right along or maybe throw an error.
Someone shouldn't be able to empty a billion dollars out of an exchange in 10 minutes, unless they do $250B in daily traffic. And I suspect most of them can be, and in even less time than that.
mvdtnz
10000%. You would have to be soft in the head to not conclude that's the case.
karmakaze
I have no idea how crypto exchanges work. Could someone ELI5 some of this? I have questions:
Did the cold storage wallet contain users' ETH? That seems implied by "Can Cover Loss".
If so, why does a crypto exchange hold users' ETH in a wallet that can execute transactions without said user's authorization/password for each transaction. Doesn't even Facebook require entering a password every time to change certain profile settings?
Or maybe more generally, why does there need to be such a large cold-storage wallet to run an exchange?
Also how or why would they have the assets to be able to cover this?
There's some other seemingly conflicting info I found in searches for Bybit:
- Bybit is not legal in Canada. Bybit is restricted in Canada and other jurisdictions, including the United States, the United Kingdom, and Singapore.
- Bybit originates from Singapore, a global hub for cryptocurrency and blockchain technology. Singapore has a favorable regulatory environment for cryptocurrencies, which has attracted many exchanges to establish their headquarters there.
- There's also a mix of results where some say Bybit is safe/secure and others saying they aren't (irrespective of this event). This story seems to indicate that they had measures to make it safe, but it didn't save them.
rNULLED
> have a wallet, work at bybit > understand backdoor > steal money from your account, some from others > bybit pays you back > still have money you stole
a related blog from Trail of Bits about the opsec failure of this: https://news.ycombinator.com/item?id=43140754