From 992c7f10592ee525f329629126b06283aba23026 Mon Sep 17 00:00:00 2001
From: Tay
Date: Wed, 26 Feb 2025 06:29:42 -0800
Subject: [PATCH] bybit updates

---
hacks-and-thefts/bybit.md | 165 +++++++++++++++++----------
malicious-shit/bybit-safe-tx-71.json | 122 ++++++++++++++++++++
2 files changed, 226 insertions(+), 61 deletions(-)
create mode 100644 malicious-shit/bybit-safe-tx-71.json
diff --git a/hacks-and-thefts/bybit.md b/hacks-and-thefts/bybit.md
index 67bb4a6..9f9b47a 100644
--- a/hacks-and-thefts/bybit.md
+++ b/hacks-and-thefts/bybit.md
@@ -14,9 +14,21 @@ Tags:: 👛 TraderTraitor > Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe. However the signing message was to change the smart contract logic of our ETH cold wallet. This resulted Hacker took control of the specific ETH cold wallet we signed and transfered all ETH in the cold wallet to this unidentified address. Please rest assured that all other cold wallets are secure. All withdraws are NORMAL. I will keep you guys posted as more develops, If any team can help us to track the stolen fund will be appreciated. https://etherscan.io/tx/0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c -— [Source](https://x.com/benbybit/status/1892963530422505586) +— [@benbybit](https://x.com/benbybit/status/1892963530422505586) +> At a high level, the hack involved the 4 broad group of events: + +> 1. Attacker deployed a trojan contract and a backdoor contract. + +> 2. Attacker tricked signers of the upgradeable multisig "cold" wallet to authorize a malicious ERC-20 transfer to a trojan contract + +> 3. Instead of transferring tokens, trojan contract replaces the master copy of the actual Safe multisig implementation contract with the backdoor contract, which is solely controlled by the attacker. + +> 4. The attacker called sweepETH and sweepERC20 to drain the wallet of all its native ETH, mETH, stETH, and cmETH tokens. + +—[@dhkleung](https://x.com/dhkleung/status/1893073663391604753) + ## URLs 
@@ -32,67 +44,98 @@ Tags:: 👛 TraderTraitor - https://x.com/jconorgrogan/status/1892967018841743410 +- https://x.com/benbybit/status/1892963530422505586 + +- https://x.com/dhkleung/status/1893073663391604753 + + + ## Onchain -- 0xe8b36709dd86893bf7bb78a7f9746b826f0e8c84 - Testing -- 0x0fa09c3a328792253f8dee7116848723b72a6d2e - Exploiter -- 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 - Direct Theft -- 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e - Swapping stETH +## Malicious Txn + +- [Safe Txn JSON](../malicious-shit/bybit-safe-tx-71.json) + +- https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882 + +- 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4 - "Bybit Cold Wallet 1" (Safe) +- 0x1F4EB0a903619ac168b19A82F1a6e2e426522211 - Signer 1 +- 0x3Cc3A225769900e003E264dd4CB43E90896BC21A - Signer 2 +- 0xe3dF2cCEAc61B1aFA311372ecC5B40A3A6585a9E - Signer 3 + + +## Addresses + +- 0x19C6876E978D9F128147439ac4cd9EA2582cd141 - Testing Contract +- 0xe8b36709dd86893bf7bb78a7f9746b826f0e8c84 - Testing EOA + +- 0x96221423681A6d52E184D440a8eFCEbB105C7242 - First Contract (unused) +- 0x2444c026ebe6d476e97baeb003071bea9c13a953 - Another Contract (no sneaky slot 0) +- 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516 - Malicious Implementation Contract (used in the attack) +- 0x0fa09c3a328792253f8dee7116848723b72a6d2e - Exploiter EOA + - 0x1542368a03ad1f03d96d51b414f4738961cf4443 - Withdrawing cmETH -- 0xE9bc552fdFa54b30296d95F147e3e0280FF7f7e6 -- 0xe69753Ddfbedbd249E703EB374452E78dae1ae49 -- 0x8c7235e1A6EeF91b980D0FcA083347FBb7EE1806 -- 0x660BfcEa3A5FAF823e8f8bF57dd558db034dea1d -- 0x0e8C1E2881F35Ef20343264862A242FB749d6b35 -- 0xCd7eC020121Ead6f99855cbB972dF502dB5bC63a -- 0x23Db729908137cb60852f2936D2b5c6De0e1c887 -- 0x140c9Ab92347734641b1A7c124ffDeE58c20C3E3 -- 0x96244D83DC15d36847C35209bBDc5bdDE9bEc3D8 -- 0x36ed3C0213565530C35115d93A80F9c04d94E4Cb -- 0x1bb0970508316DC735329752a4581E0a4bAbc6B4 -- 0x6d46bd3AfF100f23C194e5312f93507978a6DC91 -- 
0xb172F7e99452446f18FF49A71bfEeCf0873003b4 -- 0x51E9d833Ecae4E8D9D8Be17300AEE6D3398C135D -- 0xFc926659Dd8808f6e3e0a8d61B20B871F3Fa6465 -- 0x684d4b58Dc32af786BF6D572A792fF7A883428B9 -- 0x4C198B3B5F3a4b1Aa706daC73D826c2B795ccd67 -- 0x5Af75eAB6BEC227657fA3E749a8BFd55f02e4b1D -- 0xB4a862A81aBB2f952FcA4C6f5510962e18c7f1A2 -- 0x2290937A4498C96eFfb87b8371a33D108F8D433f -- 0xB72334cB9D0b614D30C4c60e2bd12fF5Ed03c305 -- 0x09278b36863bE4cCd3d0c22d643E8062D7a11377 -- 0x52207Ec7B1b43AA5DB116931a904371ae2C1619e -- 0x1eB27f136BFe7947f80d6ceE3Cf0bfDf92b45e57 -- 0x3A21F4E6Bbe527D347ca7c157F4233c935779847 -- 0xfa3FcCCB897079fD83bfBA690E7D47Eb402d6c49 -- 0xAF620E6d32B1c67f3396EF5d2F7d7642Dc2e6CE9 -- 0xBCA02B395747D62626a65016F2e64A20bd254A39 -- 0xD3C611AeD139107DEC2294032da3913BC26507fb -- 0xbdE2Cc5375fa9E0383309A2cA31213f2D6cabcbd -- 0x9eF42873Ae015AA3da0c4354AeF94a18D2B3407b -- 0x9271EDdda0F0f2bB7b1A0c712bdF8dbD0A38d1Ab -- 0xBC3e5e8C10897a81b63933348f53f2e052F89a7E -- 0x959c4CA19c4532C97A657D82d97acCBAb70e6fb4 -- 0x40e98FeEEbaD7Ddb0F0534Ccaa617427eA10187e -- 0xf0a16603289eAF35F64077Ba3681af41194a1c09 -- 0x30a822CDD2782D2B2A12a08526452e885978FA1D -- 0x83Ef5E80faD88288F770152875Ab0bb16641a09E -- 0x83c7678492D623fb98834F0fbcb2E7b7f5Af8950 -- 0xCd1a4A457cA8b0931c3BF81Df3CFa227ADBdb6E9 -- 0x55CCa2f5eB07907696afe4b9Db5102bcE5feB734 -- 0xf03AfB1c6A11A7E370920ad42e6eE735dBedF0b1 -- 0x1512fcb09463A61862B73ec09B9b354aF1790268 -- 0x723a7084028421994d4a7829108D63aB44658315 -- 0xEB0bAA3A556586192590CAD296b1e48dF62a8549 -- 0x21032176B43d9f7E9410fB37290a78f4fEd6044C -- 0xA5A023E052243b7cce34Cbd4ba20180e8Dea6Ad6 -- 0xD5b58Cf7813c1eDC412367b97876bD400ea5c489 -- 0xF302572594a68aA8F951faE64ED3aE7DA41c72Be -- 0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92 - - - -## IoCs - -- 212.30.33.XXX \ No newline at end of file + +- 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 - Direct Theft (401,346 ETH + 90,375 stETH) + +- 0x36ed3c0213565530c35115d93a80f9c04d94e4cb - moved feb 21/22 (10,000 ETH) +- 
0xaf620e6d32b1c67f3396ef5d2f7d7642dc2e6ce9 - moved feb 22 (10,000 ETH) +- 0xfa3fcccb897079fd83bfba690e7d47eb402d6c49 - moved feb 23 (10,000 ETH) +- 0xfc926659dd8808f6e3e0a8d61b20b871f3fa6465 - moved feb 23 (10,000 ETH) +- 0x3a21f4e6bbe527d347ca7c157f4233c935779847 - moved feb 23 (10,000 ETH) +- 0x51e9d833ecae4e8d9d8be17300aee6d3398c135d - moved feb 24 (10,000 ETH) +- 0x83ef5e80fad88288f770152875ab0bb16641a09e - moved feb 24 (10,000 ETH) +- 0x83c7678492d623fb98834f0fbcb2e7b7f5af8950 - moved feb 24 (10,000 ETH) +- 0x96244d83dc15d36847c35209bbdc5bdde9bec3d8 - moved feb 24 (10,000 ETH) +- 0xcd1a4a457ca8b0931c3bf81df3cfa227adbdb6e9 - moved feb 25 (10,000 ETH) +- 0x09278b36863be4ccd3d0c22d643e8062d7a11377 - moved feb 25 (10,000 ETH) +- 0x1eb27f136bfe7947f80d6cee3cf0bfdf92b45e57 +- 0xd3c611aed139107dec2294032da3913bc26507fb +- 0xb172f7e99452446f18ff49a71bfeecf0873003b4 +- 0xcd7ec020121ead6f99855cbb972df502db5bc63a +- 0xe69753ddfbedbd249e703eb374452e78dae1ae49 +- 0x2290937a4498c96effb87b8371a33d108f8d433f +- 0x1bb0970508316dc735329752a4581e0a4babc6b4 +- 0x52207ec7b1b43aa5db116931a904371ae2c1619e +- 0xb72334cb9d0b614d30c4c60e2bd12ff5ed03c305 +- 0x4c198b3b5f3a4b1aa706dac73d826c2b795ccd67 +- 0x30a822cdd2782d2b2a12a08526452e885978fa1d +- 0x660bfcea3a5faf823e8f8bf57dd558db034dea1d +- 0x6d46bd3aff100f23c194e5312f93507978a6dc91 +- 0x8c7235e1a6eef91b980d0fca083347fbb7ee1806 +- 0x140c9ab92347734641b1a7c124ffdee58c20c3e3 +- 0x0e8c1e2881f35ef20343264862a242fb749d6b35 +- 0x9ef42873ae015aa3da0c4354aef94a18d2b3407b +- 0x40e98feeebad7ddb0f0534ccaa617427ea10187e +- 0xbca02b395747d62626a65016f2e64a20bd254a39 +- 0x684d4b58dc32af786bf6d572a792ff7a883428b9 +- 0x23db729908137cb60852f2936d2b5c6de0e1c887 +- 0xbde2cc5375fa9e0383309a2ca31213f2d6cabcbd +- 0xe9bc552fdfa54b30296d95f147e3e0280ff7f7e6 +- 0x9271eddda0f0f2bb7b1a0c712bdf8dbd0a38d1ab +- 0xbc3e5e8c10897a81b63933348f53f2e052f89a7e +- 0xf0a16603289eaf35f64077ba3681af41194a1c09 +- 0x5af75eab6bec227657fa3e749a8bfd55f02e4b1d +- 
0xb4a862a81abb2f952fca4c6f5510962e18c7f1a2 +- 0x959c4ca19c4532c97a657d82d97accbab70e6fb4 + +- 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e - 90,375 stETH + 8,000 meth + 1 ETH +- 0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92 - 98,048 ETH (moved feb 21) (8,048 ETH Balance) +- 0x55CCa2f5eB07907696afe4b9Db5102bcE5feB734 - 10,000 ETH +- 0xf03AfB1c6A11A7E370920ad42e6eE735dBedF0b1 - 10,000 ETH +- 0x1512fcb09463A61862B73ec09B9b354aF1790268 - 10,000 ETH +- 0x723a7084028421994d4a7829108D63aB44658315 - 10,000 ETH +- 0xEB0bAA3A556586192590CAD296b1e48dF62a8549 - 10,000 ETH +- 0x21032176B43d9f7E9410fB37290a78f4fEd6044C - 10,000 ETH +- 0xA5A023E052243b7cce34Cbd4ba20180e8Dea6Ad6 - 10,000 ETH +- 0xD5b58Cf7813c1eDC412367b97876bD400ea5c489 - 10,000 ETH +- 0xF302572594a68aA8F951faE64ED3aE7DA41c72Be - 10,000 ETH + +## Indicators + +- 212.30.33.XXX - Feb 21 +- 163.5.241.XXX - Feb 21 +- 194.5.53.XXX - Feb 21 + + diff --git a/malicious-shit/bybit-safe-tx-71.json b/malicious-shit/bybit-safe-tx-71.json new file mode 100644 index 0000000..c7f9353 --- /dev/null +++ b/malicious-shit/bybit-safe-tx-71.json 
@@ -0,0 +1,122 @@
+{
+ "count": 2,
+ "next": null,
+ "previous": null,
+ "results": [
+ {
+ "safe": "0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4",
+ "to": "0x96221423681A6d52E184D440a8eFCEbB105C7242",
+ "value": "0",
+ "data": "0xa9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be29695160000000000000000000000000000000000000000000000000000000000000000",
+ "operation": 1,
+ "gasToken": "0x0000000000000000000000000000000000000000",
+ "safeTxGas": 45746,
+ "baseGas": 0,
+ "gasPrice": "0",
+ "refundReceiver": "0x0000000000000000000000000000000000000000",
+ "nonce": 71,
+ "executionDate": "2025-02-21T14:13:35Z",
+ "submissionDate": "2025-02-21T14:13:35Z",
+ "modified": "2025-02-21T14:13:35Z",
+ "blockNumber": 21895238,
+ "transactionHash": "0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882",
+ "safeTxHash": "0xb3476d061aeb8fc1d605a873c483a2402d88a68a9cdd1a8b47655dd55ba004f8",
+ "proposer": null,
+ "proposedByDelegate": null,
+ "executor": "0x0fa09C3A328792253f8dee7116848723b72a6d2e",
+ "isExecuted": true,
+ "isSuccessful": true,
+ "ethGasPrice": "10000000000",
+ "maxFeePerGas": null,
+ "maxPriorityFeePerGas": null,
+ "gasUsed": 70224,
+ "fee": "702240000000000",
+ "origin": "{}",
+ "dataDecoded": null,
+ "confirmationsRequired": 3,
+ "confirmations": [
+ {
+ "owner": "0x1F4EB0a903619ac168b19A82F1a6e2e426522211",
+ "submissionDate": "2025-02-21T14:13:35Z",
+ "transactionHash": null,
+ "signature": "0xd0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f",
+ "signatureType": "ETH_SIGN"
+ },
+ {
+ "owner": "0x3Cc3A225769900e003E264dd4CB43E90896BC21A",
+ "submissionDate": "2025-02-21T14:13:35Z",
+ "transactionHash": null,
+ "signature": "0x0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221f",
+ "signatureType": "ETH_SIGN"
+ },
+ {
+ "owner": "0xe3dF2cCEAc61B1aFA311372ecC5B40A3A6585a9E",
+ "submissionDate": "2025-02-21T14:13:35Z",
+ "transactionHash": null,
+ "signature": "0xdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f",
+ "signatureType": "ETH_SIGN"
+ }
+ ],
+ "trusted": true,
+ "signatures": "0xd0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221fdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f"
+ },
+ {
+ "safe": "0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4",
+ "to": "0x88a1493366D48225fc3cEFbdae9eBb23E323Ade3",
+ "value": "30000000000000000000000",
+ "data": null,
+ "operation": 0,
+ "gasToken": "0x0000000000000000000000000000000000000000",
+ "safeTxGas": 45745,
+ "baseGas": 0,
+ "gasPrice": "0",
+ "refundReceiver": "0x0000000000000000000000000000000000000000",
+ "nonce": 71,
+ "executionDate": null,
+ "submissionDate": "2025-02-21T05:42:39Z",
+ "modified": "2025-02-21T14:11:39.370597Z",
+ "blockNumber": null,
+ "transactionHash": null,
+ "safeTxHash": "0x9d89e67333f99c136537be74029c44592985a4855172f4c2d0d942029868f98e",
+ "proposer": "0x1F4EB0a903619ac168b19A82F1a6e2e426522211",
+ "proposedByDelegate": null,
+ "executor": null,
+ "isExecuted": false,
+ "isSuccessful": true,
+ "ethGasPrice": null,
+ "maxFeePerGas": null,
+ "maxPriorityFeePerGas": null,
+ "gasUsed": null,
+ "fee": null,
+ "origin": "{}",
+ "dataDecoded": null,
+ "confirmationsRequired": 3,
+ "confirmations": [
+ {
+ "owner": "0x1F4EB0a903619ac168b19A82F1a6e2e426522211",
+ "submissionDate": "2025-02-21T05:42:40.788469Z",
+ "transactionHash": null,
+ "signature": "0xd0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f",
+ "signatureType": "ETH_SIGN"
+ },
+ {
+ "owner": "0xe3dF2cCEAc61B1aFA311372ecC5B40A3A6585a9E",
+ "submissionDate": "2025-02-21T13:44:22.889083Z",
+ "transactionHash": null,
+ "signature": "0xdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f",
+ "signatureType": "ETH_SIGN"
+ },
+ {
+ "owner": "0x3Cc3A225769900e003E264dd4CB43E90896BC21A",
+ "submissionDate": "2025-02-21T14:11:40.728213Z",
+ "transactionHash": null,
+ "signature": "0x0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221f",
+ "signatureType": "ETH_SIGN"
+ }
+ ],
+ "trusted": true,
+ "signatures": "0xd0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221fdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f"
+ }
+ ],
+ "countUniqueNonce": 72
+}
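Review bot: The two records in `results` carry byte-identical `signature` and `signatures` values even though their `safeTxHash` differs (`0xb3476d06…` executed, `0x9d89e673…` not executed), and nothing in the file or beside its link in `bybit.md` tells a reader which hash those signatures verify against. Since strict JSON cannot hold a comment, the explanation belongs next to the link under "Malicious Txn", for example `- Safe Txn JSON: two records share nonce 71; record 1 (operation 1, executed in 0x46deef0f…) is the malicious call, record 2 is the unexecuted 30,000 ETH transfer with the same signatures attached`. The executed record's `to` is `0x96221423681A6d52E184D440a8eFCEbB105C7242`, which the address list added in this same commit labels "First Contract (unused)", so one of the two is presumably mislabelled and should be reconciled. It would also help anyone reusing this file as evidence to record the service URL and retrieval time of the capture, because `modified` and `"isSuccessful": true` on the unexecuted record are service-side values that may differ on a later fetch.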