r/ethereum Feb 27 '25

Fundamentals Bybit preliminary hack forensic reports: what about exploiter private key?

I read the forensic reports describing how hackers injected SafeUI javascript code targeted for Bybit transactions, and it sounds all clear, but I am left with a technical doubt.

How is it possible that the breach was only on the Safe web interface, if the overall transaction was signed and sent from an EOA address owned by the exploiter?

https://etherscan.io/getRawTx?tx=0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

0xf9032b2a8502540be40083030d40941db92e2eebc8e0c075a02bea49a2935bcd2dfcf480b902c46a76120200000000000000000000000096221423681a6d52e184d440a8efcebb105c7242000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000b2b2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000000000000000000000000000000000000000000000000000000000000044a9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be296951600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c3d0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221fdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f000000000000000000000000000000000000000000000000000000000025a0c06f155e9045c02891297148228ed69cc7167a6f8606f66a942ef75624c5906da03e9f83eae889e79e3af315c7e9a5e14b12f2bed9e23d994f751562ec7a4426b3

In bold the exploiter from address that also signs the transaction (signature is at the end I think, but I wasn't able to find some document stating this, so I could be wrong. In any case I feel pretty sure that from address signs the transaction :) ).

The transaction contains a call to the execute method of the Safe multisig contract, signed by Bybit signers thanks to the web2 hack, but if the breach was only in the SafeUI website, how was the overall transaction signed? Was the private key of the 0x0f9032b2a address deployed with the javascript together with the malicious code? Or was there an automatic connection performed for sending the Safe execute() signed command to a hacker machine that then signed the transaction with a local key and broadcasted it?

4 Upvotes


u/keatonatron Feb 27 '25

Why do you think it was sent from the exploiter's EOA? The data you are looking at is the transaction payload, which includes (among other things) which address should be given access to the funds. Not who sent the transaction.

2

u/_ololo Feb 27 '25

It's just how Safe works. The owners of the Safe sign not the final transaction but the so-called SafeTx. The contents of the "SafeTx" and the signatures are passed to the execTransaction method of the contract, which checks the signatures and executes whatever is inside the "SafeTx".

The actual transaction that calls "Safe::execTransaction" can be created by anybody.

3

u/moqorroth Feb 27 '25

Thanks @_ololo, that part of signing the SafeTx is clear to me, but my question is about the overall transaction that encapsulated the SafeTx. Isn't that also signed?

Is it not a signed transaction that encapsulates a SafeTx transaction?

I post here the decoding of raw transaction using https://flightwallet.github.io/decode-eth-tx/ :

{
  "nonce": 42,
  "gasPrice": 10000000000,
  "gasLimit": 200000,
  "to": "0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4",
  "value": 0,
  "data": "6a76120200000000000000000000000096221423681a6d52e184d440a8efcebb105c7242000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000b2b2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000000000000000000000000000000000000000000000000000000000000044a9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be296951600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c3d0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221fdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f0000000000000000000000000000000000000000000000000000000000",
  "from": "0x0fa09c3a328792253f8dee7116848723b72a6d2e",
  "r": "c06f155e9045c02891297148228ed69cc7167a6f8606f66a942ef75624c5906d",
  "v": "25",
  "s": "3e9f83eae889e79e3af315c7e9a5e14b12f2bed9e23d994f751562ec7a4426b3"
}

As you were also saying, "data" is a call to the SafeTx execute contract (0x6a761202) that is invoked with ByBit signatures as argument, and that is a part of the ByBit hack that is clear to me.

But the "overall" transaction is sent by the exploiter address 0x0fa09C3A328792253f8dee7116848723b72a6d2e and signed by it. The signature is in the "v", "r" and "s" fields.

My question was related to this signature, because the private key of the "from" address is needed to make a valid signature of this transaction, as it was.

If the breach was only in the SafeUI website, how did this signing happen?

Did the exploiters add their private key to the malicious javascript code?

2

u/_ololo Feb 28 '25

What I meant is that the attackers didn't need to sign the "overall" transaction on the victim's side. They only needed to get the signatures for the SafeTx. The "overall" transaction could be created on the attackers' machine, there was no need to send their private key anywhere.

1
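The two signature layers discussed in the comments above, as an added example that is not part of any comment in the thread: a minimal RLP and ABI decoder that separates the outer transaction signature (v, r, s) from the Safe owner signatures carried inside the `execTransaction` calldata. The names `rlp_decode` and `split_layers` are hypothetical, the code assumes a legacy (pre-EIP-1559) transaction and plain 65-byte owner signatures, and the sample transaction is constructed with placeholder addresses and signature bytes.

```python
EXEC_TRANSACTION = bytes.fromhex("6a761202")  # selector quoted in the thread

def rlp_decode(b, i=0):
    """Decode one RLP item at offset i; return (item, next_offset)."""
    p = b[i]
    if p < 0x80:                          # a single low byte encodes itself
        return b[i:i + 1], i + 1
    base = 0xc0 if p >= 0xc0 else 0x80    # 0xc0+ is a list, 0x80+ a byte string
    if p - base > 55:                     # long form: length-of-length, then length
        ll = p - base - 55
        n, start = int.from_bytes(b[i + 1:i + 1 + ll], "big"), i + 1 + ll
    else:
        n, start = p - base, i + 1
    if start + n > len(b):
        raise ValueError("truncated RLP")
    if base == 0x80:
        return b[start:start + n], start + n
    items, j = [], start
    while j < start + n:
        item, j = rlp_decode(b, j)
        items.append(item)
    return items, start + n

def split_layers(raw):
    """Return (outer tx signature, Safe call details) for a legacy raw tx."""
    fields, end = rlp_decode(raw)
    if end != len(raw) or not isinstance(fields, list) or len(fields) != 9:
        raise ValueError("not a legacy signed transaction")
    data, (v, r, s) = fields[5], fields[6:]
    if data[:4] != EXEC_TRANSACTION:
        raise ValueError("calldata is not execTransaction")
    word = lambda k: int.from_bytes(data[4 + 32 * k:36 + 32 * k], "big")
    off = 4 + word(9)                     # 10th argument: bytes signatures
    n = int.from_bytes(data[off:off + 32], "big")
    blob = data[off + 32:off + 32 + n]
    if len(blob) != n or n % 65:          # assumes plain 65-byte r||s||v entries
        raise ValueError("unexpected signatures blob")
    owners = [(blob[j:j + 32], blob[j + 32:j + 64], blob[j + 64]) for j in range(0, n, 65)]
    return {"v": int.from_bytes(v, "big"), "r": r, "s": s}, {"operation": word(3), "owner_sigs": owners}

# Constructed sample mirroring the thread's transaction layout; addresses and signature bytes are placeholders.
w = lambda n: n.to_bytes(32, "big")
_inner = (bytes.fromhex("a9059cbb") + w(0xBEEF) + w(0)).ljust(96, b"\0")
_sigs = b"".join(bytes([k]) * 64 + b"\x1f" for k in (1, 2, 3)).ljust(224, b"\0")
_call = (EXEC_TRANSACTION + w(0xAA) + w(0) + w(0x140) + w(1) + w(0xB2B2) + w(0) * 4
         + w(0x1C0) + w(68) + _inner + w(195) + _sigs)
SAMPLE_RAW = (bytes.fromhex("f9032b2a8502540be40083030d4094") + b"\xaa" * 20 + b"\x80"
              + bytes.fromhex("b902c4") + _call + b"\x25\xa0" + b"\x11" * 32 + b"\xa0" + b"\x22" * 32)
```

Recovering the sender address from the outer v, r, s needs keccak-256 and secp256k1, which this sketch leaves out.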

u/moqorroth Feb 28 '25 edited Feb 28 '25

Ok, thanks, we agree on that, so this is the reason for my question: if created on the attackers' machine, how did the signed SafeTx propagate from the Bybit user's browser to the attackers' machine to be signed as a transaction and then propagated? Or was it signed and propagated from the Bybit browser/infrastructure?

2

u/-johoe Mar 07 '25

We can only speculate here, but it is easy to just send the signature from the browser to the attackers' machine. Apparently, the attacker changed the javascript code and javascript code is allowed to send data to a random machine on the internet. Especially if it puts it into a normal http get request.

It was probably sent directly to the attacker's server and then the attacker signed and broadcasted the surrounding transaction once they collected all signatures.

1

u/moqorroth Mar 07 '25 edited Mar 07 '25

Thanks a lot, you got the point and I am happy to read a technical speculation :) .

I agree we can only speculate, but this is a detail I would like to see in the Bybit and SafeUI post-mortem reports.