The topic of security safeties is missing in the recent publications, and discussions on the giant Bybit hack which now leads the Rekt ranking. This attack was extremely sophisticated but Bybit used processes that were the same for a $ 1k, $ 1m, a $ 1b transaction, or a smart contract upgrade with $ 1b in assets. The attack used delegated the Gnosis Safe smart contract to a new one as it is described in their repository #914 issue.
Safeties are control mechanisms with well-defined boundaries that protect against rare or extreme events, whether intentional or accidental. They operate on the principle that while you cannot control every situation, you can define the conditions and boundaries where the system is unequivocally in failure mode. A simple illustration of this is home banking: do you go through the same verification process for a small transaction as you do for transferring a large sum of money? Safeties go beyond critical issues like using blind signatures and cybersecurity procedures, that is the “how this system could be exploited” or “how the system should work”. Safeties instead define “WHAT scenarios need special attention and stop”.
One implementation of a safety that applies to multi-party computation and multi-signature wallet issues in the context of human errors is having at least one of the parties to be a rule-based automatic signer. This is because there is a need for a party signature that verifies the transaction in an in-depth technical view. In the particular case of the Bybit hack all the signers were humans which were attacked on many fronts, including the UI to deceive them. If you add a non-human party that introspects the transaction with many more rules will solve this specific kind of attacks assuming this party is also isolated from the system and stops the process and trigger alarms where events happen.
CoinFabrik has extensive experience integrating human and automated intervention for multisignature wallets across various blockchain technologies. For example, we enhanced BitPay’s multisignature wallets by incorporating an automated co-signer in an m-n Bitcoin multisig wallet. This strengthened security and reduced the risk of unauthorized transactions.
Everybody knows that news explodes with top events like the Bybit hack. Everybody knows that most people don’t read reliable sources and journalists and bots are not generally reliable. I recommend following Hacker News threads like this one and /r/ethereum posts as How Bybit Could Have Prevented This Hack (But Didn’t).
