The recent $1.5 billion Bybit hack has raised serious security concerns; reports say the attackers used a highly sophisticated method to drain millions of dollars in crypto assets.
A recent hack on Bybit, a centralized crypto exchange, has resulted in the loss of an estimated $1.5 billion in crypto assets. The attackers reportedly used a highly advanced method to drain millions from the platform. Crypto analyst David Leung has provided a detailed analysis of the attack, highlighting major lapses in Bybit's security measures.
According to Arkham's report, the Bybit hack was executed through a technique known as “Blind Signing,” in which signers approve a transaction without being shown, or being able to verify, its full contents. In this case, the attackers managed to compromise Bybit's ETH cold wallet, swiftly moving nearly $1.5 billion in assets into a single wallet before distributing them further across multiple wallets.
Considering the decentralized nature of crypto assets and the lack of uniform laws for international crimes, it may be challenging for Bybit to recover the lost funds. However, in a related development, Bybit has announced a 50,000 ARKM bounty for any information that can lead to the attackers and further aid in the investigation.
Here's a closer look at the events and steps to stay protected.
How the Attack Unfolded
The attackers deployed a trojan contract and a backdoor contract to set a trap for Bybit's upgradeable multisig wallet. They deceived the wallet's signers into authorizing a seemingly harmless ERC-20 token transfer, but the transaction included a concealed delegate call, an operation that runs the target contract's code inside the wallet's own storage context and therefore lets it alter the wallet's core logic. Instead of a simple transfer, the attackers used the trojan contract to replace the wallet's master contract with their own backdoor contract, essentially granting them complete control.
Once in control, the attackers issued commands to sweep all available ETH, mETH, stETH, and cmETH tokens from the wallet. Notably, the backdoor contract was designed to perform only two functions, transferring ETH and transferring ERC-20 tokens to an address of their choice, which enabled them to drain the funds rapidly before Bybit could intervene.
Red Flags Ignored by the Exchange
Leung further highlighted several red flags that should have prompted the exchange to halt the transaction. The transfer was directed to an unlisted contract that did not adhere to the ERC-20 standard, involved zero tokens, and used a delegate call to alter contract logic. Any one of these anomalies would typically trigger a compliance check, yet the transaction was still processed. The attackers' deep understanding of Bybit's operations suggests they may have had inside assistance.
Could This Have Been Prevented?
According to Leung, the attack could have been thwarted by implementing more stringent pre- and post-signing security checks. If independent security layers had examined the transaction, they might have detected the suspicious elements and prevented its approval. The hack showcases the increasing sophistication of crypto attacks and the pressing need for the industry to adopt more robust security protocols.
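The red flags Leung lists (a target outside the known token set, a zero-amount transfer, and a delegate call) and the pre-signing checks he recommends can be turned into a mechanical policy that runs before any signer approves. The following is an added example, not Bybit's code and not any wallet vendor's tooling. It models the fields a Safe-style multisig signs over (to, value, data, operation, where operation 1 is delegatecall), uses constructed placeholder addresses, and the Proposal class, allowlist and check_proposal function are assumptions of the example rather than anything described on the page.

```python
"""Pre-signing policy checks for a multisig transaction proposal.

Added example (not Bybit's or any vendor's code). It models a proposal with the
fields a Safe-style wallet signs over: to, value, data, operation
(0 = CALL, 1 = DELEGATECALL). All addresses below are constructed placeholders.
"""
from dataclasses import dataclass

# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 transfer selector
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")

OP_CALL = 0
OP_DELEGATECALL = 1


@dataclass
class Proposal:
    to: str          # target contract address (hex; checksum not enforced here)
    value: int       # native ETH value in wei
    data: bytes      # calldata the wallet would send to `to`
    operation: int   # 0 = call, 1 = delegatecall


def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) if data is an ABI-encoded transfer(address,uint256), else None."""
    if len(data) != 4 + 32 + 32 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    # The address is right-aligned in its 32-byte word; the leading 12 bytes must be zero.
    if any(data[4:16]):
        return None
    recipient = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def check_proposal(p: Proposal, token_allowlist: set[str]) -> list[str]:
    """Return the list of red flags; an empty list means the proposal passes policy."""
    flags = []
    if p.operation == OP_DELEGATECALL:
        flags.append("delegatecall: target code would run in the wallet's own storage context")
    elif p.operation != OP_CALL:
        flags.append(f"unknown operation code {p.operation}")
    if p.to.lower() not in {a.lower() for a in token_allowlist}:
        flags.append(f"target {p.to} is not an allowlisted token contract")
    decoded = decode_erc20_transfer(p.data)
    if decoded is None:
        flags.append("calldata is not a plain ERC-20 transfer(address,uint256)")
    else:
        _, amount = decoded
        if amount == 0:
            flags.append("zero-amount token transfer")
        if p.value != 0:
            flags.append("ERC-20 transfer proposal also sends native ETH value")
    return flags


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256); used only to build the constructed samples."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return ERC20_TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")


# Constructed placeholder addresses (not real contracts).
KNOWN_TOKEN = "0x" + "11" * 20
UNLISTED_CONTRACT = "0x" + "22" * 20
TREASURY = "0x" + "33" * 20
ALLOWLIST = {KNOWN_TOKEN}


def benign_proposal() -> Proposal:
    """An ordinary 1-token transfer to the treasury via a known token contract."""
    return Proposal(to=KNOWN_TOKEN, value=0,
                    data=encode_erc20_transfer(TREASURY, 10**18), operation=OP_CALL)


def suspicious_proposal() -> Proposal:
    """Mirrors the three red flags named in the article: unlisted target, zero amount, delegatecall."""
    return Proposal(to=UNLISTED_CONTRACT, value=0,
                    data=encode_erc20_transfer(TREASURY, 0), operation=OP_DELEGATECALL)


if __name__ == "__main__":
    for name, proposal in (("benign", benign_proposal()), ("suspicious", suspicious_proposal())):
        flags = check_proposal(proposal, ALLOWLIST)
        print(name, "->", "OK" if not flags else flags)
```

Run it directly and the benign proposal passes while the suspicious one collects all three flags. A check like this belongs in two places: in the signer's own tooling, so the human sees the decoded intent rather than an opaque hash, and in an independent service that must co-sign or can veto, which is the "independent security layer" the article calls for. Rejecting any delegatecall outright is the simplest rule a treasury wallet can adopt, since a routine token transfer never needs one.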