Add content from: Research Update: Enhanced src/blockchain/blockchain-and-cryp...

Author: HackTricks News Bot

src/blockchain/blockchain-and-crypto-currencies/web3-signing-workflow-compromise-safe-delegatecall-proxy-takeover.md

@@ -37,6 +37,11 @@ if (isVictimSafe && isVictimSigner && tx.data.operation === 0) {
 ### Gateway validation relevance
 Safe proposals are submitted to the **Safe Client Gateway**. Prior to hardened checks, the gateway could accept a proposal where `safeTxHash`/signature corresponded to different fields than the JSON body if the UI rewrote them post-signing. After the incident, the gateway now rejects proposals whose hash/signature do not match the submitted transaction. Similar server-side hash verification should be enforced on any signing-orchestration API.
 
+### 2025 Bybit/Safe incident highlights
+- The February 21, 2025 Bybit cold-wallet drain (~401k ETH) reused the same pattern: a compromised Safe S3 bundle only triggered for Bybit signers and swapped `operation=0` → `1`, pointing `to` at a pre-deployed attacker contract that writes slot 0.
+- Wayback-cached `_app-52c9031bfa03da47.js` shows the logic keyed on Bybit’s Safe (`0x1db9…cf4`) and signer addresses, then immediately rolled back to a clean bundle two minutes after execution, mirroring the “mutate → sign → restore” trick.
+- The malicious contract (e.g., `0x9622…c7242`) contained simple functions `sweepETH/sweepERC20` plus a `transfer(address,uint256)` that writes the implementation slot. Execution of `execTransaction(..., operation=1, to=contract, data=transfer(newImpl,0))` shifted the proxy implementation and granted full control.
+
 ## On-chain: Delegatecall proxy takeover via slot collision
 
 Safe proxies keep `masterCopy` at **storage slot 0** and delegate all logic to it. Because Safe supports **`operation = 1` (delegatecall)**, any signed transaction can point to an arbitrary contract and execute its code in the proxy’s storage context.
@@ -57,6 +62,9 @@ Execution path:
 3. Proxy delegatecalls into `attackerContract`; the `transfer` body writes slot 0.
 4. Slot 0 (`masterCopy`) now points to attacker-controlled logic → **full wallet takeover and fund drain**.
 
+### Guard & version notes (post-incident hardening)
+- Safes >= v1.3.0 can install a **Guard** to veto `delegatecall` or enforce ACLs on `to`/selectors; Bybit ran v1.1.1, so no Guard hook existed. Upgrading contracts (and re-adding owners) is required to gain this control plane.
+
 ## Detection & hardening checklist
 
 - **UI integrity**: pin JS assets / SRI; monitor bundle diffs; treat signing UI as part of the trust boundary.
@@ -68,6 +76,8 @@ Execution path:
 
 ## References
 
+- [AnChain.AI forensic breakdown of the Bybit Safe exploit](https://www.anchain.ai/blog/bybit)
+- [Zero Hour Technology analysis of the Safe bundle compromise](https://www.panewslab.com/en/articles/7r34t0qk9a15)
 - [In-depth technical analysis of the Bybit hack (NCC Group)](https://www.nccgroup.com/research-blog/in-depth-technical-analysis-of-the-bybit-hack/)
 - [EIP-712](https://eips.ethereum.org/EIPS/eip-712)
 - [safe-client-gateway (GitHub)](https://github.com/safe-global/safe-client-gateway)