Extropy Security Bytes: w8 2025

Welcome to this week’s Extropy Security Bytes, your go-to source for the latest in blockchain security. From one of the biggest hacks in crypto history to a politically charged $LIBRA rug pull, we’ve got all the major exploits covered. We also take a look at Ethereum’s latest Geth update, which validators running v1.15.1 must install to avoid missed blocks and lost rewards. Let’s dive in.


Bybit $1.4 Billion Hack:

Bybit confirmed that its Ethereum multi-signature cold wallet, a Safe multisig, was breached. CEO Ben Zhou announced that attackers had drained nearly $1.5 billion in crypto from the wallet. The theft was first flagged publicly by on-chain analyst ZachXBT, who noticed suspicious withdrawals.

Attack Details:

  • The attackers masked a transaction to deceive the wallet’s signers.
  • The signers believed they were approving a routine transfer to a legitimate address, but what they actually authorised was a change to the smart contract logic managing Bybit’s ETH cold wallet.
  • This allowed the attackers to withdraw all Ether and Ether derivatives from the wallet to an address they controlled.
  • The attackers then began swapping the stolen staked-Ether derivatives for plain ETH on decentralized exchanges.
  • The stolen assets were split across many addresses to complicate tracing.

Technical Explanation:

  • Bybit’s cold wallet is a Safe proxy contract: the proxy forwards every call to its implementation (the “master copy”) via delegatecall, and the address of that implementation is kept in the proxy’s storage slot 0.
  • The signed Safe transaction targeted a malicious contract with the operation type set to delegatecall, so the malicious code executed in the context of the Safe’s own storage.
  • The calldata looked like an ordinary transfer(address,uint256) with a harmless-looking address and amount, but the malicious contract’s transfer function wrote that address into slot 0, replacing the master copy with an implementation under attacker control.

Wallets and Signatures:

  • The Bybit ETH multi-sig cold wallet was performing what appeared to be a routine transfer to its warm wallet.
  • The transaction was masked: every signer saw a UI that showed the correct recipient address and the genuine Safe (@safe) URL.
  • The message they actually signed, however, changed the smart contract logic of the ETH cold wallet.
  • At least three signers approved the malicious data.
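The masquerade described in the Technical Explanation and Wallets and Signatures sections above, as an added example that is not part of the original post and is not Bybit’s or Safe’s code. It models a Safe proxy whose slot 0 holds the master copy, a constructed malicious callee whose transfer(address,uint256) rewrites that slot, and the pre-signing check on raw execTransaction calldata (not on what the UI renders) that flags a delegatecall dressed up as a token transfer. All addresses are placeholders; the two selectors are the well-known four-byte values and are hardcoded rather than computed.

```python
"""Added example: Safe delegatecall masquerade model plus a pre-signing calldata check."""
from dataclasses import dataclass

# Four-byte selectors (first 4 bytes of keccak256 of the signature), hardcoded.
SEL_EXEC_TRANSACTION = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
SEL_TRANSFER = bytes.fromhex("a9059cbb")          # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1                         # Safe's Enum.Operation


def uint_word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def addr_word(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\x00")


def pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def encode_exec_transaction(tx: SafeTx, signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction; gas fields, gasToken and refundReceiver are zero."""
    data_off = 10 * 32                            # the head is 10 static words
    sigs_off = data_off + 32 + len(pad32(tx.data))
    head = (addr_word(tx.to) + uint_word(tx.value) + uint_word(data_off)
            + uint_word(tx.operation) + uint_word(0) * 5 + uint_word(sigs_off))
    tail = (uint_word(len(tx.data)) + pad32(tx.data)
            + uint_word(len(signatures)) + pad32(signatures))
    return SEL_EXEC_TRANSACTION + head + tail


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Recover the four fields a signer must check: to, value, data, operation."""
    if calldata[:4] != SEL_EXEC_TRANSACTION:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]

    def read_word(i: int) -> int:
        return int.from_bytes(args[32 * i:32 * i + 32], "big")

    data_off = read_word(2)
    data_len = int.from_bytes(args[data_off:data_off + 32], "big")
    return SafeTx(to="0x" + args[12:32].hex(), value=read_word(1),
                  data=args[data_off + 32:data_off + 32 + data_len], operation=read_word(3))


def review(calldata: bytes, allowed_targets: set) -> list:
    """Pre-signing checks on raw calldata, not on the UI. An empty list means no red flags."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code runs with the Safe's own storage "
                        "and can overwrite slot 0 (the master copy)")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not an allow-listed token or recipient")
    if tx.data[:4] == SEL_TRANSFER and tx.operation == DELEGATECALL:
        findings.append("transfer(address,uint256) via delegatecall is not an ERC-20 transfer; "
                        "the callee decides what the 'recipient' argument means")
    return findings


class MaliciousImplementation:
    """Constructed callee: transfer() ignores the amount and stores the 'recipient' in slot 0."""

    def execute(self, storage: dict, data: bytes) -> None:
        if data[:4] == SEL_TRANSFER:
            storage[0] = "0x" + data[4 + 12:4 + 32].hex()


class SafeProxy:
    """Minimal Safe proxy model: slot 0 holds the master copy every call is forwarded to."""

    def __init__(self, master_copy: str):
        self.storage = {0: master_copy}

    def master_copy(self) -> str:
        return self.storage[0]

    def exec_transaction(self, tx: SafeTx, contracts: dict) -> None:
        callee = contracts[tx.to]
        if tx.operation == DELEGATECALL:
            callee.execute(self.storage, tx.data)  # callee's code, the proxy's storage
        else:
            callee.execute({}, tx.data)            # CALL: proxy storage is never exposed


def demo() -> tuple:
    """Run the masqueraded transaction through the check and through the proxy model."""
    legit_master, evil_master = "0x" + "34" * 20, "0x" + "ee" * 20   # constructed
    evil_impl, warm_wallet = "0x" + "bb" * 20, "0x" + "aa" * 20      # constructed
    payload = SEL_TRANSFER + addr_word(evil_master) + uint_word(0)    # "transfer(evil_master, 0)"
    calldata = encode_exec_transaction(SafeTx(evil_impl, 0, payload, DELEGATECALL))
    findings = review(calldata, allowed_targets={warm_wallet})
    proxy = SafeProxy(legit_master)
    proxy.exec_transaction(decode_exec_transaction(calldata), {evil_impl: MaliciousImplementation()})
    return legit_master, proxy.master_copy(), findings


if __name__ == "__main__":
    before, after, flags = demo()
    print("master copy before:", before, "after:", after)
    for f in flags:
        print("-", f)
```

The point of the model is that the on-chain transfer the signers thought they were approving never happened; the only state change is slot 0 of the proxy, and after that every call to the Safe runs attacker code. The check in review() is deliberately independent of any front end: it decodes the bytes a hardware wallet is asked to sign, so a spoofed UI cannot hide the operation type or the real target.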

Funds Involved:

  • Approximately $1.4 billion in Ether (ETH) and staked Ether (stETH) were stolen.
  • 401,346 ETH were removed from the wallet, far more than Bybit’s surplus reserves.

Response and Aftermath:

  • Bybit assured users that all other cold wallets were secure and that withdrawals were proceeding as normal.
  • Bybit stated that the breach was isolated to its Ethereum cold wallet.
  • The exchange affirmed it could absorb the loss and that all client assets remain backed 1:1.

Attribution:

  • ZachXBT traced the theft back to North Korean state-sponsored threat actors, specifically the Lazarus Group.
  • Arkham Intelligence also attributed the hack to the Lazarus Group, linking activity to previous attacks.
  • The Lazarus Group has been implicated in numerous other industry hacks and exploits.
  • They are known for sophisticated on-chain laundering, phishing campaigns, and false identities.

$LIBRA — crypto’s biggest political rugpull?

The Incident: The $LIBRA token, promoted by Argentine President Javier Milei, experienced a rapid surge to a $4 billion market cap, followed by a precipitous decline.

Insider Involvement: Blockchain analysts linked the $LIBRA team to previous “rug pull” schemes involving tokens like $MELANIA and $TRUMP, suggesting a pattern of manufactured hype, supply control, and liquidity draining. On-chain data analysis showed that the teams behind the LIBRA and MELANIA tokens were the same. Wallets that purchased LIBRA early on overlapped with those of the MELANIA token and were associated with other “rug pull” projects.

The Rug Pull: Insiders cashed out $87.4 million within three hours of the token’s launch, causing the price to collapse. 82% of the token supply was held in a single cluster of wallets, a strong indicator of market manipulation. Instead of selling into the open market, insiders extracted value by withdrawing from one-sided liquidity pools.

Entities Involved:

  • KIP Protocol: Julian Peh’s company, which was behind the $LIBRA token. KIP Protocol tried to distance itself from the market making of the LIBRA token, stating that Kelsier Ventures and Hayden Davis were responsible.
  • Hayden Davis: Technical advisor who met with President Milei. Davis confirmed he was an advisor to President Milei and stated that recovered funds would be injected back into the Libra trading pair.
  • Kelsier Ventures: Market maker for the LIBRA token.
  • Meteora: A liquidity provider that was suspected of enabling insiders to cash out.
  • Solana’s Role: The incident put Solana’s meme coin ecosystem under scrutiny, with analysts pointing out that it enabled significant value extraction through insider-driven schemes.

Losses: Many traders suffered significant losses, with some losing millions of dollars. Eight wallets associated with the LIBRA team cashed out approximately $107 million.

Aftermath: Milei deleted his tweet promoting $LIBRA and initiated an anti-corruption investigation.

Bitcoin Lightning Node Bug:

Vulnerability: A significant bug was discovered that allowed bitcoin to be stolen remotely from Lightning Network Daemon (LND) nodes.

Affected Software: The bug affected node operators running software older than LND 0.18.5 or LITD 0.14.1.

Mechanism: An attacker could manipulate the payment state of Lightning invoices to remotely drain funds. The vulnerability relates to how LND checks description fields when settling Lightning invoices; specifically, AMP invoices could not be cancelled once they had a settled sub-invoice.

Impact: Affected Lightning nodes could be completely drained by attackers.

The Fix: Newly released node software LND 0.18.5 and LITD 0.14.1 patch this remote threat vector. All major Lightning developers recommended upgrading to the latest version of LND, which fixes the exploit.

Timing: LND 0.18.5 had been released only a week before the bug became public, so many LND nodes were still out of date and vulnerable. The development team at Lightning Labs had been aware of the issue three weeks before the fix was released.

Mitigation: Merchants using Lightning Labs’ software might have been unaffected if their LND node did not interact with invoices generated by services like BTCPay. BTCPay Server had recently upgraded its bundled LND node to 0.18.5.

Real-world instances: There were some real-world instances of actual theft of funds, although details were sparse.

Lightning Network Details: The Lightning Network is a mesh network holding approximately 5,000 BTC that move faster and more cheaply than regular on-chain BTC. It routes payments through 44,000 public channels connecting over 16,000 nodes. Lightning users trade away some of the security and decentralization of the base layer for speed, low fees, and extra functionality, and in doing so expose themselves to Lightning-specific bugs that do not affect on-chain BTC.

Geth Developers Urge Validators to Update to v1.15.2:

Urgent Update Required: Validators operating on Geth v1.15.1 were urged to immediately upgrade to v1.15.2.

Potential Financial Loss: The upgrade was necessary to prevent potential financial losses due to a critical regression identified in the previous version.

Block Creation Failures: The regression in v1.15.1 could cause block creation failures on the Ethereum mainnet. Such failures could lead to missed block production opportunities, resulting in the loss of block rewards and transaction fees for validators.

Severity: The Geth team treated the issue as critical: a validator whose execution client cannot build a block misses its proposal slot entirely.

The Fix: The v1.15.2 update was released on February 17, 2025, to resolve the block-building problem on Ethereum mainnet. It also reinstated the Discv5 and DNS peer discovery protocols, which had been inadvertently turned off in v1.14.9 and which are important for finding peers and maintaining active network participation.
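Both advisories in this issue (the LND/LITD bug above and this Geth regression) reduce to the same operational task: pull the version string each node reports and decide whether it falls in the affected range. The following is an added example, not code from the original post, from Lightning Labs or from the Geth team. It assumes the version string formats that lncli getinfo and the web3_clientVersion JSON-RPC method return (for example "0.18.4-beta commit=v0.18.4-beta" and "Geth/v1.15.1-stable-…/linux-amd64/go1.23.5"); the sample inventory is constructed, and the affected-version predicates encode only what the page states (lnd fixed from 0.18.5, litd from 0.14.1, geth broken in exactly v1.15.1).

```python
"""Added example: flag lnd, litd and geth nodes affected by the advisories on this page."""
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(raw: str) -> Version:
    """Pull major.minor.patch out of strings such as '0.18.4-beta commit=v0.18.4-beta'
    (lncli getinfo) or 'Geth/v1.15.1-stable-abcdef01/linux-amd64/go1.23.5'
    (web3_clientVersion). The first x.y.z in the string is the client version."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"no version found in {raw!r}")
    return Version(*(int(x) for x in m.groups()))


# One predicate per advisory on the page. lnd and litd are fixed from these releases
# upward (tuple comparison handles 0.19.x correctly); for geth only v1.15.1 carries
# the block-building regression, so newer and older releases both pass.
AFFECTED = {
    "lnd": lambda v: v < Version(0, 18, 5),
    "litd": lambda v: v < Version(0, 14, 1),
    "geth": lambda v: v == Version(1, 15, 1),
}


def needs_upgrade(kind: str, raw: str) -> bool:
    """True when the reported version string is in the affected range for that client."""
    return AFFECTED[kind](parse_version(raw))


def audit(nodes: dict) -> dict:
    """nodes maps a label to (kind, raw version string); returns label -> verdict."""
    return {label: ("UPGRADE" if needs_upgrade(kind, raw) else "ok")
            for label, (kind, raw) in nodes.items()}


if __name__ == "__main__":
    sample = {  # constructed inventory in the documented string formats
        "lnd-merchant": ("lnd", "0.18.4-beta commit=v0.18.4-beta"),
        "lnd-router": ("lnd", "0.18.5-beta commit=v0.18.5-beta"),
        "litd-1": ("litd", "0.14.0-alpha commit=v0.14.0-alpha"),
        "validator-el-a": ("geth", "Geth/v1.15.1-stable-abcdef01/linux-amd64/go1.23.5"),
        "validator-el-b": ("geth", "Geth/v1.15.2-stable-abcdef02/linux-amd64/go1.23.5"),
    }
    for label, verdict in audit(sample).items():
        print(f"{label}: {verdict}")
```

Feed it the strings you collect from each node (lncli getinfo for lnd, litcli getinfo for litd, geth version or an eth-rpc web3_clientVersion call for Geth) and it returns a per-node verdict; the predicates are the only part that changes when the next advisory lands.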

That wraps up this week’s security updates. Whether it’s high-profile rug pulls, protocol vulnerabilities, or critical software updates, staying informed is key to navigating the Web3 space safely. Keep your nodes updated, your wallets secure, and stay vigilant. See you next week for more insights into blockchain security!

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

- Website: security.extropy.io

- Email: [email protected]

Get in touch today — let’s build safer smart contracts together!
