This Friday our always entertaining crypto world came with a surprise for the weekend: the largest hack in the crypto industry to date. The thing about this hack is that the general framework of how it was executed is close to a phishing method used to drain accounts like yours or mine, but with many more digits. So we can have many discussions around this incident. How to prevent it? Was Gnosis Safe Wallet safe? How does the Lazarus Group manage to obtain and change the UI and IP address? Why doesn’t an exchange the size of ByBit use Multi-Party Computation?
That’s what I love about crypto: every question comes with another 2-3 new ones. For this one, I want to try to simplify the way the attack was performed, explain the benefits of an MPC security architecture and offer a reflection. MPC is not cheap, and with AI performance it will become even more secure and efficient but also more expensive. I don’t know if security regulation standards will change after this attack, but most likely they will, and most likely they will require distributed systems architecture enhanced by AI. All of that means significantly more expensive.
The explanation:
Imagine you have a fancy safe at home that requires three different people to open it. Maybe your spouse, your best friend, and your extremely judgmental mother-in-law. Pretty secure, right? Well, imagine if someone could convince all three of them that they're signing off on storing your child's macaroni art when in reality, they're authorizing the safe to be emptied into a stranger's van. That's essentially what happened to Bybit last week, but instead of macaroni art, we're talking about a smart contract capable of extracting $1.4 billion in cryptocurrency. Literally, they changed a sequence from 0 to 1 in the security UI to grant access to a malicious contract, enabling it to operate and execute transactions in front of the real contract.
Here's how it went down: Bybit, one of the world's largest cryptocurrency exchanges, had what they thought was an ultra-secure digital vault. This vault required multiple people to approve any transaction. Like having multiple keys to launch a nuclear missile, except instead of preventing World War III, they were protecting digital money. This service was provided by Gnosis Safe Wallet.
But here's where it gets interesting, and by interesting, I mean catastrophically expensive. The hackers, likely North Korea's infamous Lazarus Group (yes, that's their real name, and no, they don't sell furniture), found a way to make the transaction look completely normal to everyone signing off on it. It's like showing someone a contract in English, but when they sign it, it magically transforms into a contract written in Ancient Sumerian that says "Please give all my money to this nice Nigerian prince."
This is where something called MPC (Multi-Party Computation) comes in. Think of it as the cryptocurrency equivalent of Ocean's Eleven, but for keeping money safe instead of stealing it. Instead of having one key that could be stolen, or multiple people looking at the same potentially compromised screen, MPC splits the responsibility across different systems, locations, and technologies.
Imagine if instead of having three people look at the same piece of paper to sign it, each person had their own piece of a puzzle, and they all had to put their pieces together in different ways to make any transaction happen. Even if someone tricks one person, they'd still need to fool multiple other systems in completely different ways.
The crypto world is no stranger to spectacular heists. Here are some of the greatest hits:
Mt. Gox lost $460 million in 2014 (back when that was considered a lot of money in crypto)
In 2021, Facebook managed to leak half a billion users' data and Mark tried to forget about it.
And now Bybit joins the billion-dollar loss club
The Current State of Crypto Security
The crypto landscape today is like the Wild West if the Wild West had computers and significantly fewer cowboys. We're seeing:
Exchanges still using outdated security measures
Users still clicking on suspicious links promising free crypto; we are victims of our own greed.
Mimetic systems using AI to emulate other exchanges or wallets to trick users.
The truth is, while cryptocurrency technology itself is incredibly secure, the ways we interact with it are still vulnerable to human error and clever manipulation. It's like having the world's strongest safe but keeping the combination written on a Post-it note stuck to the front (we have all done that).
Looking Forward
The Bybit hack is a wake-up call for the entire industry. We need better security systems, like MPC, that don't just rely on multiple people checking the same potentially compromised screen. We need systems that are both secure and idiot-proof because, let's face it, we're all idiots sometimes, especially when someone convinces us we're looking at a perfectly normal transaction that's draining our life savings. It happened to my dad some years ago, and sadly that’s the feeling. You feel like an idiot.
Remember: in the world of cryptocurrency, if something looks too good to be true, it probably is. And if someone asks you to approve a transaction, maybe check it on more than one screen, or better yet, check your service providers and look at what kind of security systems they use. Because while $1.4 billion might be just a number on a screen, it's a pretty big number to lose because someone changed a zero to a one.
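The "check it on more than one screen" advice, as an added example (not code from this post, Safe or Bybit): a pre-sign check that compares the transaction the web UI shows with the same transaction obtained through an independent channel, and refuses when that zero has become a one. The `SafeTx` class, its reduced field set, the allowlist and all sample values are assumptions for illustration; in Safe's contracts, operation 0 is a plain call and 1 is a delegatecall.

```python
from dataclasses import dataclass, fields

# Safe's Enum.Operation: 0 = CALL, 1 = DELEGATECALL (runs the target's code
# with the wallet's own storage and balance).
CALL, DELEGATECALL = 0, 1

@dataclass(frozen=True)
class SafeTx:  # hypothetical, reduced view of a multisig transaction
    to: str         # target contract or recipient
    value: int      # wei sent with the call
    data: str       # hex calldata
    operation: int  # CALL or DELEGATECALL
    nonce: int

def _norm(v):
    # Hex strings compare case-insensitively; integers compare as-is.
    return v.lower() if isinstance(v, str) else v

def presign_findings(ui_tx, independent_tx, delegatecall_allowlist):
    """Return reasons NOT to sign; an empty list means both views agree
    and the operation is within policy."""
    findings = []
    for f in fields(SafeTx):
        shown, actual = getattr(ui_tx, f.name), getattr(independent_tx, f.name)
        if _norm(shown) != _norm(actual):
            findings.append(f"{f.name}: UI shows {shown!r}, payload has {actual!r}")
    tx = independent_tx  # policy applies to what will actually be signed
    if tx.operation not in (CALL, DELEGATECALL):
        findings.append(f"operation: unknown value {tx.operation}")
    elif tx.operation == DELEGATECALL and tx.to.lower() not in delegatecall_allowlist:
        findings.append(f"operation: DELEGATECALL to non-allowlisted {tx.to}")
    return findings

# Constructed sample data: addresses and calldata are placeholders.
COLD_WALLET_DEST = "0x" + "aa" * 20
UNKNOWN_CONTRACT = "0x" + "bb" * 20
ALLOWLIST = frozenset()  # assumption: this treasury never needs DELEGATECALL

ui = SafeTx(COLD_WALLET_DEST, 10**18, "0x", CALL, 71)
honest = SafeTx("0x" + "AA" * 20, 10**18, "0x", CALL, 71)
tampered = SafeTx(UNKNOWN_CONTRACT, 0, "0xdeadbeef", DELEGATECALL, 71)

if __name__ == "__main__":
    print("honest payload:", presign_findings(ui, honest, ALLOWLIST))
    for line in presign_findings(ui, tampered, ALLOWLIST):
        print("REFUSE:", line)
```

The check only helps if the second view really comes from a different device or code path than the UI being checked.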
And that's what happened last week in crypto. Now back to you, whoever you are, probably checking your crypto wallet with slightly more paranoia than before. Security systems and education should be more accessible to prevent this.