How to Prevent the Next $1.5B Bybit Hack: A Strategic Approach to Solving Blind Signing

On February 21, 2025, Bybit fell victim to one of the largest crypto heists in history, losing approximately $1.5 billion in Ethereum.

This incident wasn’t just another hack—it was a stark reminder of the vulnerabilities associated with cold multisig wallets and the risks of blind signing. The exploit mirrored previous attacks on platforms like WazirX and Radiant Capital, showcasing a repeating pattern in the crypto space.

But here’s the kicker: this could have been prevented.

Understanding the Attack: The Mechanics Behind the Bybit Breach

The Bybit hack was not a simple breach; it was a meticulously planned exploitation of blind signing within a cold multisig wallet system. Let’s break down how it happened and why it was so effective.

1. The Setup: Multisig Wallets and Cold Storage

Bybit utilized a multisig cold wallet for storing Ethereum assets. In a multisig setup, multiple private keys are required to authorize a transaction, enhancing security by distributing approval authority across several parties. Cold wallets, being offline, are presumed to offer an additional layer of protection against online threats. However, this incident demonstrated that cold storage alone is not foolproof.

2. The Exploit: Manipulating the Signing Interface

On February 21, 2025, during a routine transfer from Bybit's multisig cold wallet to a warm (semi-online) wallet, attackers executed a sophisticated exploit:

  • Deployment of Malicious Contract: The attackers introduced a malicious implementation contract that intercepted the transaction process.
  • Interface Manipulation: Having compromised the computers used by Bybit employees, the attackers were able to manipulate the signing interface presented to the wallet signers. The interface displayed legitimate transaction details, including the correct destination address and URL, deceiving the signers into believing they were authorizing a routine transfer.
  • Blind Signing Exploitation: Due to the rogue interface, signers authorized the transaction without detecting the underlying malicious code. This practice, known as blind signing, occurs when signers approve transactions without fully verifying their content.

The brilliance of this exploit lay in its subtlety: the attackers didn’t need to steal private keys—they simply deceived authorized signers into approving the fraudulent transaction.

3. The Outcome: Unauthorized Transfer of Funds

Once the transaction received the necessary approvals, the malicious contract altered the smart contract logic, redirecting the funds to an address controlled by the attackers. In total, approximately 401,347 ETH were siphoned off, amounting to an estimated $1.4 billion.

This is Starting to Look Familiar: A Replay of Previous Exploits

This incident bears resemblance to prior attacks on platforms like WazirX and Radiant Capital, where blind signing vulnerabilities were similarly exploited:

  • WazirX Incident: Attackers manipulated the transaction interface, causing operators to authorize malicious transactions unknowingly.
  • Radiant Capital Breach: Malware altered transaction data, leading signers to approve unauthorized transfers.

In both cases, as with Bybit, the exploitation of blind signing allowed attackers to bypass security measures, emphasizing the critical need for enhanced verification processes in transaction authorizations.

The uncomfortable truth is that using a multisig wallet is not enough to defend against nation-state attackers. As Bybit and Radiant learned the hard way, multisigs have a fundamental flaw: they rely on trust that signers will always verify transactions accurately.

In reality, blind signing exploits this trust, making it dangerously easy for attackers to bypass even the most robust multisig setups.

The Radiant hack is a perfect example:

  • Radiant relied on an 11-signer multisig wallet but required only 3 signatures for execution.
  • Attackers compromised 3 signers and transferred ownership of the lending pools to malicious contracts.
  • Despite a seemingly secure multisig configuration, the absence of intelligent transaction validation allowed the attack to succeed.

The Core Issue: The Gap Between Signing Interface and Actual Signing

Blind signing attacks exploit a fundamental gap in the multisig process: the disconnect between the signing interface and the actual signing action. The crux of the problem is that signers are not verifying what they are signing—they are merely verifying that they are signing. 

They think they know what they are signing, but since the interface they see can be compromised, they can’t know for sure.

This gap is precisely what the attackers exploited in the Bybit and Radiant hacks. They manipulated the visible transaction details while the underlying malicious logic went unnoticed. This is why multisig wallets, on their own, are not enough against sophisticated attacks.

How Blockaid Solves This: Security Inside the Signing Process

Blockaid addresses this fundamental flaw by bringing security directly into the signing process.

Instead of relying on verifying the transaction on the user’s side, where it can be manipulated, we move the validation logic into the signing environment by adding Blockaid as a transaction co-signer. Rather than adding more compromisable individuals to the process, Blockaid acts as an intelligent guardian that actively participates in the signing process.

  • Active Participation in Authorization: Blockaid acts as an intelligent co-signer in your Gnosis Safe or multisig wallet, adding an extra layer of verification. It doesn’t just check for signatures; it checks the transaction itself, validating every detail before granting approval.
  • Dynamic Decision Making: The Co-signer doesn’t blindly approve a transaction based on consensus alone. It assesses the transaction’s impact on the wallet’s state, ensuring that no malicious changes can occur behind the scenes.
  • Automated Threat Prevention: If Blockaid’s Co-signer detects a suspicious request, the transaction is automatically rejected—even if all required multisig approvals are present. This stops blind signing attacks in their tracks.
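
As an added illustration (not Blockaid's implementation and not code from this post), the following Python example shows the kind of check a policy co-signer can run: it evaluates the raw transaction fields that are actually signed and compares them with what the signing interface displayed. The `to`, `value`, `data` and `operation` fields follow the Safe transaction format; the `review` function, the allowlist policy and all addresses are assumptions constructed for the example.

```python
from collections import namedtuple

CALL, DELEGATECALL = 0, 1                    # values of the Safe `operation` field
ERC20_TRANSFER = bytes.fromhex("a9059cbb")   # selector of transfer(address,uint256)

# Raw fields that are actually hashed and signed (subset of a Safe transaction).
SafeTx = namedtuple("SafeTx", "to value data operation")
# What the signing interface displayed; token=None means a native ETH transfer.
Shown = namedtuple("Shown", "recipient amount token")

def review(tx, shown, allowed_recipients, delegatecall_ok=frozenset()):
    """Return the reasons to refuse co-signing; an empty list means approve."""
    reasons, to = [], tx.to.lower()
    allowed = {a.lower() for a in allowed_recipients}
    if tx.operation == DELEGATECALL:
        if to not in delegatecall_ok:
            reasons.append("delegatecall to unapproved contract")
    elif tx.operation != CALL:
        reasons.append("unknown operation value")
    recipient = amount = None
    if shown.token is None:
        recipient, amount = to, tx.value
        if tx.data:
            reasons.append("calldata attached to a plain ETH transfer")
    elif to != shown.token.lower() or tx.value != 0:
        reasons.append("target is not the displayed token contract")
    elif len(tx.data) != 68 or tx.data[:4] != ERC20_TRANSFER or any(tx.data[4:16]):
        reasons.append("calldata is not a well-formed transfer(address,uint256)")
    else:  # ABI layout: selector | 32-byte padded address | 32-byte amount
        recipient = "0x" + tx.data[16:36].hex()
        amount = int.from_bytes(tx.data[36:], "big")
    if (recipient, amount) != (shown.recipient.lower(), shown.amount):
        reasons.append("raw transaction differs from what signers were shown")
    elif recipient not in allowed:
        reasons.append("recipient is not an allowlisted wallet")
    return reasons

# Constructed sample data: none of these addresses come from the incident.
WARM, TOKEN, UNKNOWN = ("0x" + b * 20 for b in ("11", "22", "33"))

def transfer_calldata(to_addr, amount):
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(to_addr[2:]) + amount.to_bytes(32, "big")

SHOWN = Shown(recipient=WARM, amount=1000, token=TOKEN)
HONEST = SafeTx(TOKEN, 0, transfer_calldata(WARM, 1000), CALL)
TAMPERED = SafeTx(UNKNOWN, 0, transfer_calldata(WARM, 1000), DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, review(tx, SHOWN, {WARM}) or "approve")
```

The check only helps if it runs on a host separate from the signers' workstations and receives the raw fields from the signing request itself, not from the interface that rendered them.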

Why This Matters: The Future of Secure Transactions

Blockaid’s Co-Signer solves the fundamental problem that allowed the Bybit hack to occur: the disconnect between the signing interface and the actual transaction logic. By validating not just the signatures but also the transaction’s outcome, Blockaid ensures that signers are authorizing exactly what they see—nothing more, nothing less.

This approach closes the blind signing loophole and provides a level of security that traditional multisig wallets simply cannot match.

Conclusion: Don’t Let History Repeat Itself

The Bybit incident is a wake-up call for the entire Web3 ecosystem. It exposed a critical flaw in multisig wallet security and highlighted the urgent need for robust transaction integrity validation. Relying on traditional multisig security isn’t enough. As attack vectors become more sophisticated, proactive security measures are essential.

Blockaid’s range of solutions for blind signing, from Transaction Verification to Co-Signer, provides the multi-layered security infrastructure needed to prevent these types of attacks.

By ensuring end-to-end transaction integrity and offering real-time threat detection and response, Blockaid empowers organizations to stay one step ahead of any type of threat, onchain and offchain.

Next Steps: Secure Your Digital Assets with Blockaid

Don’t wait for the next incident. Request a Demo today to learn how Blockaid can fortify your organization’s security posture and prevent the next big exploit.