The recent $1.5 billion Bybit hack has raised serious security concerns; reports say the attackers used a highly sophisticated method to drain millions of dollars in crypto assets.
A recent hack on Bybit, a centralized crypto exchange, has resulted in the loss of an estimated $1.5 billion in crypto assets. The attackers reportedly used a highly advanced method to drain millions from the platform. Crypto analyst David Leung has provided a detailed analysis of the attack, highlighting major lapses in Bybit's security measures.
According to Arkham's report, the Bybit hack was executed through a technique known as “Blind Signing,” which allows transactions to be approved without fully disclosing all the details. In this case, the attackers managed to compromise Bybit's ETH cold wallet, swiftly moving nearly $1.5 billion in assets into a single wallet before distributing them further across multiple wallets.
Considering the decentralized nature of crypto assets and the lack of uniform laws for international crimes, it may be challenging for Bybit to recover the lost funds. However, in a related development, Bybit has announced a 50,000 ARKM bounty for any information that can lead to the attackers and further aid in the investigation.
Here's a closer look at the events and steps to stay protected.
How the Attack Unfolded
The attackers deployed a trojan contract and a backdoor contract to set a trap for Bybit's upgradeable multisig wallet. They deceived the wallet's signers into authorizing a seemingly harmless ERC-20 token transfer, but the transaction included a concealed delegate call — a function that allows them to alter the contract's core logic. Instead of a simple transfer, the attackers used the trojan contract to replace the wallet's master contract with their own backdoor contract, essentially granting them complete control.
Once in control, the attackers issued commands to sweep all available ETH, mETH, stETH, and cmETH tokens from the wallet. Notably, the backdoor contract was designed to perform only two functions: transferring ETH and transferring ERC-20 tokens to an address of their choice, which let them drain the funds rapidly before Bybit could intervene.
Red Flags Ignored by the Exchange
Leung further highlighted several red flags that should have prompted the exchange to halt the transaction. The transfer was directed to an unlisted contract that did not adhere to the ERC-20 standard, involved zero tokens, and used a delegate call to alter contract logic. Such anomalies typically trigger a compliance check, yet the transaction was still processed. The attackers' deep understanding of Bybit's operations suggests they may have had inside assistance.
Could This Have Been Prevented?
According to David Leung, the attack could have been thwarted by implementing more stringent pre- and post-signing security checks. If independent security layers had examined the transaction, they might have detected the suspicious elements and prevented its approval. The hack showcases the increasing sophistication of crypto attacks and the pressing need for the industry to adopt more robust security protocols.
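One way to implement the kind of pre-signing check Leung describes, as an added example that is not code from the article, Bybit or any wallet vendor: it assumes a Safe-style proposal layout (`to`, `value`, `data`, `operation`, where operation 1 means delegatecall) and uses constructed placeholder addresses, and it flags the three signals named above (delegate call, unlisted target, zero-token transfer).

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
# keccak256("transfer(address,uint256)")[:4]
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")

@dataclass
class Proposal:
    to: str          # contract the wallet will call
    value: int       # native ETH (wei) sent with the call
    data: bytes      # ABI-encoded calldata
    operation: int   # 0 = CALL, 1 = DELEGATECALL (Safe-style convention, assumed)

def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """Build transfer(address,uint256) calldata; used here to construct samples."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return ERC20_TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")

def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) if data is a plain transfer call, else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")

def review(p: Proposal, token_allowlist: set) -> list:
    """Return the red flags a signer should see before approving p."""
    flags = []
    if p.operation == DELEGATECALL:
        flags.append("DELEGATECALL: callee code runs in the wallet's storage context and can rewrite its master copy")
    if p.to.lower() not in {t.lower() for t in token_allowlist}:
        flags.append("target is not an allowlisted token contract")
    decoded = decode_erc20_transfer(p.data)
    if decoded is None:
        flags.append("calldata is not a plain ERC-20 transfer(address,uint256)")
    elif decoded[1] == 0:
        flags.append("transfer amount is zero: nothing moves, the call itself is the point")
    return flags

# Constructed placeholder addresses (not real contracts).
KNOWN_TOKEN, UNLISTED, RECIPIENT = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
ALLOWLIST = {KNOWN_TOKEN}

def benign() -> list:
    return review(Proposal(KNOWN_TOKEN, 0, encode_erc20_transfer(RECIPIENT, 10**18), CALL), ALLOWLIST)

def trojan() -> list:
    # Looks like a harmless token transfer, but targets an unlisted contract, moves 0 tokens, via delegatecall.
    return review(Proposal(UNLISTED, 0, encode_erc20_transfer(RECIPIENT, 0), DELEGATECALL), ALLOWLIST)
```

A signing policy would refuse to present a proposal with any flag to the hardware signers, so the signers never have to read raw calldata to notice that the "transfer" is not one.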