The team at Blockaid noted that on February 21, 2025, Bybit fell victim to one of the largest crypto heists in history, losing “approximately $1.5 billion” worth of Ethereum (ETH) tokens.
Blockaid pointed out that this incident wasn’t just another hack—it was a stark reminder of “the vulnerabilities associated with cold multisig wallets and the risks of blind signing.”
The analysis from Blockaid also mentioned that the “exploit mirrored previous attacks on platforms like WazirX and Radiant Capital, showcasing a repeating pattern in the crypto space.”
According to insights from Blockaid, here’s the kicker: this could have been prevented.
The Bybit hack was not a simple breach; it was “a meticulously planned exploitation of blind signing within a cold multisig wallet system.”
As noted in a blog post, Bybit utilized a multisig cold wallet for storing Ethereum assets.
As explained in the analysis, in a multisig setup, multiple private keys are required “to authorize a transaction, enhancing security by distributing approval authority across several parties.”
Cold wallets, being offline, are presumed “to offer an additional layer of protection against online threats.”
However, this incident demonstrated “that cold storage alone is not foolproof.”
On February 21, 2025, during a routine transfer “from Bybit’s multisig cold wallet to a warm (semi-online) wallet,” attackers executed a sophisticated exploit:
- Deployment of Malicious Contract: The attackers introduced a malicious implementation contract that intercepted the transaction process.
- Interface Manipulation: Having compromised the computers used by Bybit employees, the attackers were able to manipulate the signing interface presented to the wallet signers. The interface displayed legitimate transaction details, including the correct destination address and URL, deceiving the signers into believing they were authorizing a routine transfer.
- Blind Signing Exploitation: Due to the rogue interface, signers authorized the transaction without detecting the underlying malicious code. This practice, known as blind signing, occurs when signers approve transactions without fully verifying their content.
The brilliance of this exploit lay in its subtlety: the attackers “didn’t need to steal private keys—they simply deceived authorized signers into approving the fraudulent transaction.”
Once the transaction received the necessary approvals, “the malicious contract altered the smart contract logic, redirecting the funds to an address controlled by the attackers.”
In total, approximately “401,347 ETH were siphoned off, amounting to an estimated $1.4 billion.”
The Blockaid team also noted that this incident “bears resemblance to prior attacks on platforms like WazirX and Radiant Capital, where blind signing vulnerabilities were similarly exploited.”
- WazirX Incident: Attackers manipulated the transaction interface, causing operators to authorize malicious transactions unknowingly.
- Radiant Capital Breach: Malware altered transaction data, leading signers to approve unauthorized transfers.
In both cases, as with Bybit, the “exploitation of blind signing allowed attackers to bypass security measures, emphasizing the critical need for enhanced verification processes in transaction authorizations.”
The uncomfortable truth is that “using a multisig wallet is not enough to defend against nation state attackers.”
As Bybit and Radiant learned the hard way, multisigs have a fundamental flaw: they rely “on trust that signers will always verify transactions accurately.”
In reality, blind signing exploits this trust, “making it dangerously easy for attackers to bypass even the most robust multisig setups.”
The Radiant hack is a perfect example:
- Radiant relied on an 11-signer multisig wallet but required only 3 signatures for execution.
- Attackers compromised 3 signers and transferred ownership of the lending pools to malicious contracts.
- Despite a seemingly secure multisig configuration, the absence of intelligent transaction validation allowed the attack to succeed.
The Core Issue: The Gap Between Signing Interface and Actual Signing
Blind signing attacks “exploit a fundamental gap in the multisig process: the disconnect between the signing interface and the actual signing action.”
The crux of the problem is that signers are “not verifying what they are signing—they are merely verifying that they are signing.”
They think they know “what they are signing – but since the interface they see can be compromised, they can’t know for sure.”
This gap is precisely what the attackers “exploited in Bybit and Radiant hacks.”
As noted in the analysis, they manipulated the visible transaction details “while the underlying malicious logic went unnoticed.”
This is why multisig wallets, on their own, “are not enough against sophisticated attacks.”
Blockaid claims that it addresses this fundamental flaw “by bringing security directly into the signing process.”
Instead of relying on verifying the transaction on the user’s side, where it can be manipulated, they “move the validation login onto the signing environment – by adding Blockaid as a transaction co-signer – instead of just adding more compromisable individuals into the process, Blockaid can act as an intelligent guardian that actively participates in the signing process.”
- Active Participation in Authorization: Blockaid acts as an intelligent co-signer in your Gnosis Safe or multisig wallet, adding an extra layer of verification. It doesn’t just check for signatures; it checks the transaction itself, validating every detail before granting approval.
- Dynamic Decision Making: The Co-signer doesn’t blindly approve a transaction based on consensus alone. It assesses the transaction’s impact on the wallet’s state, ensuring that no malicious changes can occur behind the scenes.
- Automated Threat Prevention: If Blockaid’s Co-signer detects a suspicious request, the transaction is automatically rejected—even if all required multisig approvals are present. This stops blind signing attacks in their tracks.
Blockaid’s Co-Signer reportedly solves the fundamental problem “that allowed the Bybit hack to occur: the disconnect between the signing interface and the actual transaction logic.”
By validating not just the signatures but also the transaction’s outcome, Blockaid ensures that “signers are authorizing exactly what they see—nothing more, nothing less.”
This approach closes the blind signing loophole and provides “a level of security that traditional multisig wallets simply cannot match.”
The Bybit incident is a “wake-up call for the entire Web3 ecosystem.”
It exposed a critical flaw in multisig wallet security and “highlighted the urgent need for robust transaction integrity validation.”
Relying on traditional multisig security “isn’t enough.”
As attack vectors become more sophisticated, “proactive security measures are essential.”
Blockaid’s range of solutions for blind signing – from Transaction Verification to Co-Signer – provide “the multi-layered security infrastructure needed to prevent these types of attacks.”
By ensuring end-to-end transaction integrity and offering real-time threat detection and response, Blockaid empowers organizations “to stay one step ahead of any type of threat – onchain, and offchain.”