Bybit preliminary hack forensic reports: what about exploiter private key?

Cryptocurrency News and Public Mining Pools

Bybit preliminary hack forensic reports: what about exploiter private key?

I read the forensic reports describing how hackers injected SafeUI javascript code targeted for Bybit transactions, and it sounds all clear, but I am left with a technical doubt.

How is it possible that Bybit infrastructure wasn't also breached, if overall transaction was signed and sent from an EOA address owned by the exploiter?

https://etherscan.io/getRawTx?tx=0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

0xf9032b2a8502540be40083030d40941db92e2eebc8e0c075a02bea49a2935bcd2dfcf480b902c46a76120200000000000000000000000096221423681a6d52e184d440a8efcebb105c7242000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000b2b2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000000000000000000000000000000000000000000000000000000000000044a9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025be296951600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c3d0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f1f0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c221fdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114baba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569673c1f000000000000000000000000000000000000000000000000000000000025a0c06f155e9045c02891297148228ed69cc7167a6f8606f66a942ef75624c5906da03e9f83eae889e79e3af315c7e9a5e14b12f2bed9e23d994f751562ec7a4426b3

In bold the exploiter from address that also signs the transaction (signature is at the end I think, but I wasn't able to find some document stating this, so I could be wrong. In any case I feel pretty sure that from address signs the transaction 🙂 ).

The transaction is containing a call to execute method of Safe multisig contract, signed by Bybit signers thanks to the web2 hack, but if the breach was only in the SafeUI website, how was the overall transaction signed? Was private key of 0x0f9032b2a address deployed with the javascript togheter with malicious code? Or was there an automatic connection performed for sending the Safe execute() signed command to an hacker machine that then signed the transaction with a local key and broadcasted it?

submitted by /u/moqorroth
[link] [comments]