Bybit-Safe Signing Path Compromise: Custody Trust Boundary Collapse

Incident Overview (Without Journalism)

Primary institutional surface: Mission-Critical DevSecOps.

Capability lines:

Reproducible and signed build pipelines
Policy-as-code enforcement
Immutable rollout and rollback control

Tier A (confirmed): Bybit reported unauthorized activity on February 21, 2025 during a routine transfer from an ETH multisig cold wallet to a warm wallet, and stated that transaction presentation was manipulated while underlying smart-contract logic changed.

Tier A (confirmed): Public statements from Safe ecosystem stakeholders described a targeted attack path involving compromise of a Safe developer machine and a disguised malicious transaction proposal directed at Bybit signing flow.

Tier A (confirmed): The FBI published Alert I-022625-PSA on February 26, 2025, attributing the theft of approximately $1.5B in virtual assets from Bybit to DPRK-linked TraderTraitor activity.

Tier B (inferred): The decisive failure was not private-key extraction from an HSM boundary; it was signer intent desynchronization at the custody transaction-construction layer, where trusted interface and signed payload diverged.

Tier C (unknown): Complete pre-compromise timeline, all persistence nodes inside upstream web infrastructure, and all operator-side endpoint telemetry have not been publicly disclosed.

Bounded assumption statement: analysis assumes official statements are materially correct on attack path and scope; hidden details may change sequencing precision but are unlikely to alter the core architectural lesson about signer-path verifiability.

Failure Surface Mapping

Define S = {C, N, K, I, O}:

C: custody control plane (transaction proposal, policy checks, signer coordination)
N: network delivery path for signing interface artifacts and API calls
K: key lifecycle (cold key custody, signing ceremony constraints)
I: identity boundary between operator intent and rendered transaction semantics
O: operational orchestration (approval workflow, release controls, incident response)

Dominant failed layers and fault class:

I: Byzantine fault, because displayed intent and executable payload diverged.
C: omission plus timing fault, because policy gates did not reject the malformed transition before quorum completion.
O: omission fault, because deployment integrity controls for signer-facing artifacts did not prevent targeted tampering.

Tier A (confirmed): incident triggered during a legitimate operational transfer path. Tier B (inferred): trust boundary collapse occurred at interface-to-payload translation, not at cryptographic signature primitive integrity.

Formal Failure Modeling

Let custody state at time t be:

S_t = (Q_t, M_t, P_t, V_t, L_t)

Where:

Q_t: quorum signer set and threshold state
M_t: message bytes presented for approval
P_t: policy context (destination constraints, method allowlist, value limits)
V_t: independent verification outputs
L_t: live risk level and kill-switch state

Transition:

T(S_t): \text{approve} \iff \big(\text{sig}(M_t, Q_t) = 1\big) \land \big(V_t = 1\big) \land \big(P_t = 1\big)

Required invariant:

I:\; \text{Semantics}(M_t) = \text{HumanIntent}_t \land V_t=1 \land P_t=1

Violation condition:

\text{sig}(M_t, Q_t)=1 \land \text{Semantics}(M_t) \ne \text{HumanIntent}_t \Rightarrow I=0

Decision implication: multisig threshold alone is insufficient; admissibility requires semantic equivalence checks independent from the primary UI rendering path.

Adversarial Exploitation Model

Attacker classes:

A_passive: observes signer workflow and timing windows
A_active: injects transaction-manipulation logic in the proposal/rendering path
A_internal: abuses deployment privileges inside wallet interface infrastructure
A_supply_chain: compromises developer workstation and release credentials
A_economic: monetizes rapid laundering through fragmented cross-chain exit routes

Pressure model variables:

detection latency Δt
trust boundary width W (count of mutable components between intent and signed payload)
privilege scope P_s (effective authority of compromised account)

Risk pressure function:

\Pi = \alpha \cdot \Delta t + \beta \cdot W + \gamma \cdot P_s

Tier B (inferred): attack success requires maximizing W and P_s while keeping Δt below incident response activation threshold.

Operational decision tie: custody architecture should minimize W through deterministic signing clients and immutable, attestable artifact chains.

Root Architectural Fragility

The structural fragility is trust compression: institutional custody treated UI-rendered transaction meaning and canonical calldata as equivalent under normal conditions. This couples human authorization to a mutable software surface. The event also exposes CI/CD privilege leakage risk in signer-adjacent services; compromise of a single upstream developer context can expand into transaction approval influence. Rollback weakness appears when no hard fail-safe blocks custody flows on verification drift. The central fragility is therefore not ECDSA/threshold cryptography failure; it is governance failure in the control path that maps intent to bytes.

Code-Level Reconstruction

# Production guard: signer path must verify canonical transaction bytes
# from an independent decoder before quorum signature is accepted.

def approve_cold_transfer(tx_payload, ui_summary, signer_set, policy, verifier):
    canonical = verifier.decode(tx_payload)  # independent parser, separate trust domain

    if canonical.destination not in policy.allowed_destinations:
        raise Reject("destination_not_allowed")
    if canonical.method not in policy.allowed_methods:
        raise Reject("method_not_allowed")
    if canonical.value_wei > policy.max_value_wei:
        raise Reject("value_limit_exceeded")

    # critical invariant: rendered intent must match canonical decoded semantics
    if canonical.summary_hash() != ui_summary.summary_hash():
        policy.raise_kill_switch("intent_payload_mismatch")
        raise Reject("semantic_mismatch")

    for signer in signer_set.required_quorum():
        signer.sign(canonical.hash())

    return "approved"

Failure reconstruction: if ui_summary is trusted without independent canonical decode and hash-match, a malicious proposal can satisfy quorum while violating transfer intent.

Operational Impact Analysis

Tier A (confirmed): asset loss scale was reported at approximately $1.5B.

Tier B (inferred): blast radius is bounded by custody topology and emergency controls, but market-level confidence shock propagates beyond directly impacted wallets.

For distributed custody operations, define:

B = \frac{\text{affected\_nodes}}{\text{total\_nodes}}

If a single custody lane is compromised in an n-lane segregated architecture, B \approx 1/n; if lanes share signer-path dependencies, effective B approaches 1 under coordinated exploitation.

Decision implication: segregation must be dependency-segregated, not only key-segregated.

Enterprise Translation Layer

CTO: custody transaction construction and signing must be treated as critical production software with deterministic build, attestation, and drift detection, not as wallet UI tooling.

CISO: threat model must prioritize signer-intent spoofing and supply-chain entry into transaction proposal systems; controls need independent transaction semantic verification and just-in-time credential containment.

DevSecOps: signer-facing artifacts require signed provenance, two-party release authorization, immutable deployment logs, and policy-as-code gates that block unverified frontend/resource mutation.

Board: solvency claims do not substitute for control maturity; institutional risk exposure is determined by custody governance architecture and measurable detection latency.

STIGNING Hardening Model

Control prescriptions:

Isolate custody control plane from internet-facing mutable build surfaces.
Segment key lifecycle by transaction class, value envelope, and time-locked approval domains.
Enforce quorum hardening with out-of-band byte-level transaction verification.
Reinforce observability with signed event trails for proposal creation, rendering artifact hash, signer decision, and broadcast.
Apply rate-limiting envelopes to high-value transfer paths and activate deterministic pause policies on semantic mismatch.
Require migration-safe rollback: custody approval systems must only roll forward to attested artifacts; rollback must preserve reproducible provenance.

ASCII structural model:

[Policy Engine]----attested rules---->[Tx Constructor]
      |                                   |
      |                          canonical bytes + hash
      v                                   v
[Independent Decoder] <---compare---> [Signer UI Renderer]
      |                                   |
      +------ mismatch => kill switch ----+
                      |
                 [Quorum Signers]
                      |
                 [Broadcast Gate]

Strategic Implication

Primary classification: governance failure.

Five-to-ten-year implication: institutional digital-asset custody will converge toward verifier-centric authorization where human approval is cryptographically bound to independently decoded transaction semantics. Competitive separation will be defined by measurable signer-path integrity, formal policy admissibility proofs, and low-latency containment under supply-chain compromise.

References

Bybit Announcement, Incident Update: Unauthorized Activity Involving ETH Cold Wallet (Feb 21, 2025): https://announcements.bybit.com/en/article/incident-update-unauthorized-activity-involving-eth-cold-wallet-blt292c0454d26e9140/
Bybit official update via PRNewswire, forensic investigation summary (Feb 26, 2025): https://www.prnewswire.com/news-releases/bybit-confirms-security-integrity-amid-safe-wallet-incident--no-compromise-in-infrastructure-302386274.html
Safe Ecosystem Foundation statement and Safe Wallet team preliminary findings (Feb 28, 2025): https://safefoundation.org/blog/safe-ecosystem-foundation-statement
FBI Cyber PSA I-022625-PSA (Feb 26, 2025): https://www.fbi.gov/investigate/cyber/alerts/2025/north-korea-responsible-for-1-5-billion-bybit-hack

Conclusion

The incident demonstrates that custody compromise can emerge from transaction-construction governance, even when signing primitives remain intact. Institutional resilience depends on shrinking trust boundary width, enforcing semantic equivalence invariants before quorum completion, and operating deterministic containment controls for signer-path anomalies.

STIGNING Infrastructure Risk Commentary Series
Engineering Under Adversarial Conditions