bybit updates

tayvano · Feb 26, 2025 · 992c7f1 · 992c7f1
1 parent 8295cb4
commit 992c7f1
Show file tree

Hide file tree

Showing 2 changed files with 226 additions and 61 deletions.
diff --git a/hacks-and-thefts/bybit.md b/hacks-and-thefts/bybit.md
@@ -14,9 +14,21 @@ Tags:: 👛 TraderTraitor
 
 > Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe. However the signing message was to change the smart contract logic of our ETH cold wallet. This resulted Hacker took control of the specific ETH cold wallet we signed and transfered all ETH in the cold wallet to this unidentified address. Please rest assured that all other cold wallets are secure.  All withdraws are NORMAL. I will keep you guys posted as more develops, If any team can help us to track the stolen fund will be appreciated.  https://etherscan.io/tx/0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c
 
-— [Source](https://x.com/benbybit/status/1892963530422505586)
+— [@benbybit](https://x.com/benbybit/status/1892963530422505586)
 
 
+> At a high level, the hack involved the 4 broad group of events:
+
+> 1. Attacker deployed a trojan contract and a backdoor contract.
+
+> 2. Attacker tricked signers of the upgradeable multisig "cold" wallet to authorize a malicious ERC-20 transfer to a trojan contract
+
+> 3. Instead of transferring tokens, trojan contract replaces the master copy of the actual Safe multisig implementation contract with the backdoor contract, which is solely controlled by the attacker.
+
+> 4. The attacker called sweepETH and sweepERC20 to drain the wallet of all its native ETH, mETH, stETH, and cmETH tokens.
+
+—[@dhkleung](https://x.com/dhkleung/status/1893073663391604753)
+
 
 ## URLs
 
@@ -32,67 +44,98 @@ Tags:: 👛 TraderTraitor
 
 - https://x.com/jconorgrogan/status/1892967018841743410
 
+- https://x.com/benbybit/status/1892963530422505586
+
+- https://x.com/dhkleung/status/1893073663391604753
+
+
+
 
 ## Onchain
 
-- 0xe8b36709dd86893bf7bb78a7f9746b826f0e8c84 - Testing
-- 0x0fa09c3a328792253f8dee7116848723b72a6d2e - Exploiter
-- 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 - Direct Theft 
-- 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e - Swapping stETH
+## Malicious Txn
+
+- [Safe Txn JSON](../malicious-shit/bybit-safe-tx-71.json)
+
+- https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882
+
+- 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4 - "Bybit Cold Wallet 1" (Safe)
+- 0x1F4EB0a903619ac168b19A82F1a6e2e426522211 - Signer 1
+- 0x3Cc3A225769900e003E264dd4CB43E90896BC21A - Signer 2
+- 0xe3dF2cCEAc61B1aFA311372ecC5B40A3A6585a9E - Signer 3
+
+
+## Addresses
+
+- 0x19C6876E978D9F128147439ac4cd9EA2582cd141 - Testing Contract
+- 0xe8b36709dd86893bf7bb78a7f9746b826f0e8c84 - Testing EOA
+
+- 0x96221423681A6d52E184D440a8eFCEbB105C7242 - First Contract (unused)
+- 0x2444c026ebe6d476e97baeb003071bea9c13a953 - Another Contract (no sneaky slot 0)
+- 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516 - Malicious Implementation Contract (used in the attack)
+- 0x0fa09c3a328792253f8dee7116848723b72a6d2e - Exploiter EOA
+
 - 0x1542368a03ad1f03d96d51b414f4738961cf4443 - Withdrawing cmETH
-- 0xE9bc552fdFa54b30296d95F147e3e0280FF7f7e6
-- 0xe69753Ddfbedbd249E703EB374452E78dae1ae49
-- 0x8c7235e1A6EeF91b980D0FcA083347FBb7EE1806
-- 0x660BfcEa3A5FAF823e8f8bF57dd558db034dea1d
-- 0x0e8C1E2881F35Ef20343264862A242FB749d6b35
-- 0xCd7eC020121Ead6f99855cbB972dF502dB5bC63a
-- 0x23Db729908137cb60852f2936D2b5c6De0e1c887
-- 0x140c9Ab92347734641b1A7c124ffDeE58c20C3E3
-- 0x96244D83DC15d36847C35209bBDc5bdDE9bEc3D8
-- 0x36ed3C0213565530C35115d93A80F9c04d94E4Cb
-- 0x1bb0970508316DC735329752a4581E0a4bAbc6B4
-- 0x6d46bd3AfF100f23C194e5312f93507978a6DC91
-- 0xb172F7e99452446f18FF49A71bfEeCf0873003b4
-- 0x51E9d833Ecae4E8D9D8Be17300AEE6D3398C135D
-- 0xFc926659Dd8808f6e3e0a8d61B20B871F3Fa6465
-- 0x684d4b58Dc32af786BF6D572A792fF7A883428B9
-- 0x4C198B3B5F3a4b1Aa706daC73D826c2B795ccd67
-- 0x5Af75eAB6BEC227657fA3E749a8BFd55f02e4b1D
-- 0xB4a862A81aBB2f952FcA4C6f5510962e18c7f1A2
-- 0x2290937A4498C96eFfb87b8371a33D108F8D433f
-- 0xB72334cB9D0b614D30C4c60e2bd12fF5Ed03c305
-- 0x09278b36863bE4cCd3d0c22d643E8062D7a11377
-- 0x52207Ec7B1b43AA5DB116931a904371ae2C1619e
-- 0x1eB27f136BFe7947f80d6ceE3Cf0bfDf92b45e57
-- 0x3A21F4E6Bbe527D347ca7c157F4233c935779847
-- 0xfa3FcCCB897079fD83bfBA690E7D47Eb402d6c49
-- 0xAF620E6d32B1c67f3396EF5d2F7d7642Dc2e6CE9
-- 0xBCA02B395747D62626a65016F2e64A20bd254A39
-- 0xD3C611AeD139107DEC2294032da3913BC26507fb
-- 0xbdE2Cc5375fa9E0383309A2cA31213f2D6cabcbd
-- 0x9eF42873Ae015AA3da0c4354AeF94a18D2B3407b
-- 0x9271EDdda0F0f2bB7b1A0c712bdF8dbD0A38d1Ab
-- 0xBC3e5e8C10897a81b63933348f53f2e052F89a7E
-- 0x959c4CA19c4532C97A657D82d97acCBAb70e6fb4
-- 0x40e98FeEEbaD7Ddb0F0534Ccaa617427eA10187e
-- 0xf0a16603289eAF35F64077Ba3681af41194a1c09
-- 0x30a822CDD2782D2B2A12a08526452e885978FA1D
-- 0x83Ef5E80faD88288F770152875Ab0bb16641a09E
-- 0x83c7678492D623fb98834F0fbcb2E7b7f5Af8950
-- 0xCd1a4A457cA8b0931c3BF81Df3CFa227ADBdb6E9
-- 0x55CCa2f5eB07907696afe4b9Db5102bcE5feB734
-- 0xf03AfB1c6A11A7E370920ad42e6eE735dBedF0b1
-- 0x1512fcb09463A61862B73ec09B9b354aF1790268
-- 0x723a7084028421994d4a7829108D63aB44658315
-- 0xEB0bAA3A556586192590CAD296b1e48dF62a8549
-- 0x21032176B43d9f7E9410fB37290a78f4fEd6044C
-- 0xA5A023E052243b7cce34Cbd4ba20180e8Dea6Ad6
-- 0xD5b58Cf7813c1eDC412367b97876bD400ea5c489
-- 0xF302572594a68aA8F951faE64ED3aE7DA41c72Be
-- 0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92
-
-
-
-## IoCs
-
-- 212.30.33.XXX
+
+- 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 - Direct Theft (401,346 ETH + 90,375 stETH)
+
+- 0x36ed3c0213565530c35115d93a80f9c04d94e4cb - moved feb 21/22 (10,000 ETH)
+- 0xaf620e6d32b1c67f3396ef5d2f7d7642dc2e6ce9 - moved feb 22 (10,000 ETH)
+- 0xfa3fcccb897079fd83bfba690e7d47eb402d6c49 - moved feb 23 (10,000 ETH)
+- 0xfc926659dd8808f6e3e0a8d61b20b871f3fa6465 - moved feb 23 (10,000 ETH)
+- 0x3a21f4e6bbe527d347ca7c157f4233c935779847 - moved feb 23 (10,000 ETH)
+- 0x51e9d833ecae4e8d9d8be17300aee6d3398c135d - moved feb 24 (10,000 ETH)
+- 0x83ef5e80fad88288f770152875ab0bb16641a09e - moved feb 24 (10,000 ETH)
+- 0x83c7678492d623fb98834f0fbcb2e7b7f5af8950 - moved feb 24 (10,000 ETH)
+- 0x96244d83dc15d36847c35209bbdc5bdde9bec3d8 - moved feb 24 (10,000 ETH)
+- 0xcd1a4a457ca8b0931c3bf81df3cfa227adbdb6e9 - moved feb 25 (10,000 ETH)
+- 0x09278b36863be4ccd3d0c22d643e8062d7a11377 - moved feb 25 (10,000 ETH)
+- 0x1eb27f136bfe7947f80d6cee3cf0bfdf92b45e57
+- 0xd3c611aed139107dec2294032da3913bc26507fb
+- 0xb172f7e99452446f18ff49a71bfeecf0873003b4
+- 0xcd7ec020121ead6f99855cbb972df502db5bc63a
+- 0xe69753ddfbedbd249e703eb374452e78dae1ae49
+- 0x2290937a4498c96effb87b8371a33d108f8d433f
+- 0x1bb0970508316dc735329752a4581e0a4babc6b4
+- 0x52207ec7b1b43aa5db116931a904371ae2c1619e
+- 0xb72334cb9d0b614d30c4c60e2bd12ff5ed03c305
+- 0x4c198b3b5f3a4b1aa706dac73d826c2b795ccd67
+- 0x30a822cdd2782d2b2a12a08526452e885978fa1d
+- 0x660bfcea3a5faf823e8f8bf57dd558db034dea1d
+- 0x6d46bd3aff100f23c194e5312f93507978a6dc91
+- 0x8c7235e1a6eef91b980d0fca083347fbb7ee1806
+- 0x140c9ab92347734641b1a7c124ffdee58c20c3e3
+- 0x0e8c1e2881f35ef20343264862a242fb749d6b35
+- 0x9ef42873ae015aa3da0c4354aef94a18d2b3407b
+- 0x40e98feeebad7ddb0f0534ccaa617427ea10187e
+- 0xbca02b395747d62626a65016f2e64a20bd254a39
+- 0x684d4b58dc32af786bf6d572a792ff7a883428b9
+- 0x23db729908137cb60852f2936d2b5c6de0e1c887
+- 0xbde2cc5375fa9e0383309a2ca31213f2d6cabcbd
+- 0xe9bc552fdfa54b30296d95f147e3e0280ff7f7e6
+- 0x9271eddda0f0f2bb7b1a0c712bdf8dbd0a38d1ab
+- 0xbc3e5e8c10897a81b63933348f53f2e052f89a7e
+- 0xf0a16603289eaf35f64077ba3681af41194a1c09
+- 0x5af75eab6bec227657fa3e749a8bfd55f02e4b1d
+- 0xb4a862a81abb2f952fca4c6f5510962e18c7f1a2
+- 0x959c4ca19c4532c97a657d82d97accbab70e6fb4
+
+- 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e - 90,375 stETH + 8,000 meth + 1 ETH
+- 0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92 - 98,048 ETH (moved feb 21) (8,048 ETH Balance)
+- 0x55CCa2f5eB07907696afe4b9Db5102bcE5feB734 - 10,000 ETH
+- 0xf03AfB1c6A11A7E370920ad42e6eE735dBedF0b1 - 10,000 ETH
+- 0x1512fcb09463A61862B73ec09B9b354aF1790268 - 10,000 ETH
+- 0x723a7084028421994d4a7829108D63aB44658315 - 10,000 ETH
+- 0xEB0bAA3A556586192590CAD296b1e48dF62a8549 - 10,000 ETH
+- 0x21032176B43d9f7E9410fB37290a78f4fEd6044C - 10,000 ETH
+- 0xA5A023E052243b7cce34Cbd4ba20180e8Dea6Ad6 - 10,000 ETH
+- 0xD5b58Cf7813c1eDC412367b97876bD400ea5c489 - 10,000 ETH
+- 0xF302572594a68aA8F951faE64ED3aE7DA41c72Be - 10,000 ETH
+
+## Indicators
+
+- 212.30.33.XXX - Feb 21
+- 163.5.241.XXX - Feb 21
+- 194.5.53.XXX - Feb 21
+
+
diff --git a/malicious-shit/bybit-safe-tx-71.json b/malicious-shit/bybit-safe-tx-71.json
@@ -0,0 +1,122 @@
+{
+  "count": 2,
+  "next": null,
+  "previous": null,
+  "results": [
+    {
+      "safe": "0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4",
+      "to": "0x96221423681A6d52E184D440a8eFCEbB105C7242",
+      "value": "0",
+      "data": "0xa9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be29695160000000000000000000000000000000000000000000000000000000000000000",
+      "operation": 1,
+      "gasToken": "0x0000000000000000000000000000000000000000",
+      "safeTxGas": 45746,
+      "baseGas": 0,
+      "gasPrice": "0",
+      "refundReceiver": "0x0000000000000000000000000000000000000000",
+      "nonce": 71,
+      "executionDate": "2025-02-21T14:13:35Z",
+      "submissionDate": "2025-02-21T14:13:35Z",
+      "modified": "2025-02-21T14:13:35Z",
+      "blockNumber": 21895238,
+      "transactionHash": "0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882",
+      "safeTxHash": "0xb3476d061aeb8fc1d605a873c483a2402d88a68a9cdd1a8b47655dd55ba004f8",
+      "proposer": null,
+      "proposedByDelegate": null,
+      "executor": "0x0fa09C3A328792253f8dee7116848723b72a6d2e",
+      "isExecuted": true,
+      "isSuccessful": true,
+      "ethGasPrice": "10000000000",
+      "maxFeePerGas": null,
+      "maxPriorityFeePerGas": null,
+      "gasUsed": 70224,
+      "fee": "702240000000000",
+      "origin": "{}",
+      "dataDecoded": null,
+      "confirmationsRequired": 3,
+      "confirmations": [
+        {
+          "owner": "0x1F4EB0a903619ac168b19A82F1a6e2e426522211",
+          "submissionDate": "2025-02-21T14:13:35Z",
+          "transactionHash": null,
+          "signature": "0xd0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f",
+          "signatureType": "ETH_SIGN"
+        },
+        {
+          "owner": "0x3Cc3A225769900e003E264dd4CB43E90896BC21A",
+          "submissionDate": "2025-02-21T14:13:35Z",
+          "transactionHash": null,
+          "signature": "0x0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221f",
+          "signatureType": "ETH_SIGN"
+        },
+        {
+          "owner": "0xe3dF2cCEAc61B1aFA311372ecC5B40A3A6585a9E",
+          "submissionDate": "2025-02-21T14:13:35Z",
+          "transactionHash": null,
+          "signature": "0xdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f",
+          "signatureType": "ETH_SIGN"
+        }
+      ],
+      "trusted": true,
+      "signatures": "0xd0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221fdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f"
+    },
+    {
+      "safe": "0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4",
+      "to": "0x88a1493366D48225fc3cEFbdae9eBb23E323Ade3",
+      "value": "30000000000000000000000",
+      "data": null,
+      "operation": 0,
+      "gasToken": "0x0000000000000000000000000000000000000000",
+      "safeTxGas": 45745,
+      "baseGas": 0,
+      "gasPrice": "0",
+      "refundReceiver": "0x0000000000000000000000000000000000000000",
+      "nonce": 71,
+      "executionDate": null,
+      "submissionDate": "2025-02-21T05:42:39Z",
+      "modified": "2025-02-21T14:11:39.370597Z",
+      "blockNumber": null,
+      "transactionHash": null,
+      "safeTxHash": "0x9d89e67333f99c136537be74029c44592985a4855172f4c2d0d942029868f98e",
+      "proposer": "0x1F4EB0a903619ac168b19A82F1a6e2e426522211",
+      "proposedByDelegate": null,
+      "executor": null,
+      "isExecuted": false,
+      "isSuccessful": true,
+      "ethGasPrice": null,
+      "maxFeePerGas": null,
+      "maxPriorityFeePerGas": null,
+      "gasUsed": null,
+      "fee": null,
+      "origin": "{}",
+      "dataDecoded": null,
+      "confirmationsRequired": 3,
+      "confirmations": [
+        {
+          "owner": "0x1F4EB0a903619ac168b19A82F1a6e2e426522211",
+          "submissionDate": "2025-02-21T05:42:40.788469Z",
+          "transactionHash": null,
+          "signature": "0xd0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f",
+          "signatureType": "ETH_SIGN"
+        },
+        {
+          "owner": "0xe3dF2cCEAc61B1aFA311372ecC5B40A3A6585a9E",
+          "submissionDate": "2025-02-21T13:44:22.889083Z",
+          "transactionHash": null,
+          "signature": "0xdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f",
+          "signatureType": "ETH_SIGN"
+        },
+        {
+          "owner": "0x3Cc3A225769900e003E264dd4CB43E90896BC21A",
+          "submissionDate": "2025-02-21T14:11:40.728213Z",
+          "transactionHash": null,
+          "signature": "0x0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221f",
+          "signatureType": "ETH_SIGN"
+        }
+      ],
+      "trusted": true,
+      "signatures": "0xd0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221fdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f"
+    }
+  ],
+  "countUniqueNonce": 72
+}