On February 21, 2025, the cryptocurrency exchange Bybit was hit by a hacker attack that resulted in the theft of approximately $1.5 billion in assets. The incident not only set a new record for cryptocurrency theft, but also shocked the entire industry: the attack bypassed the multi-signature security mechanism that is considered the industry standard.
Subsequent analysis showed that the hackers compromised a Safe developer's device and modified the front-end JavaScript code on the Safe{Wallet} server. When the Bybit multi-signature holders logged in, the interface showed a normal transaction, but the content they actually signed was completely different, resulting in the theft of funds.
This incident has raised some questions: Are multi-signature wallets really the problem, or is there something wrong with the way we use them?
Security Blind Spots: Invisible Single Points of Failure
After the Bybit incident, a question surfaced: Is Safe really safe?
It must be admitted that the Safe contract itself is safe. It is completely open source and has been audited by many security companies. No major contract vulnerabilities have occurred in its historical operation. But security is not just a matter of contract code.
In fact, security risks involve a long chain of trust. When using the Safe wallet, the signer relies on many links: signing device, operating system, browser, wallet plug-in, Safe UI, RPC node, block explorer, hardware wallet and its software. This chain is too long, and hackers often need to break only one link to reap a huge payoff.
In the Bybit incident, the attacker chose a seemingly insignificant link: the web front end. The hacker attacked the Safe{Wallet} server and replaced the JavaScript. The signers thought they were signing a normal transaction, but in fact they were signing a malicious upgrade (changing CALL to DELEGATE_CALL).
Further analysis revealed that the root cause of this type of security vulnerability lies in the intersection of the trust chain. Multi-signature wallets are supposed to create a secure chain verified by multiple people, with each link being checked by an independent individual. Ideally, each signer should use independent tools and methods to verify transactions. But in reality, signers often share the same web interface, the same set of RPC nodes, the same type of hardware wallets, and similar verification processes.
This highlights a key security vulnerability: when all signers rely on the same web interface, an attacker only needs to control this shared single point to deceive all signers at the same time. It is worth noting that this problem is not unique to Safe; it is a common and often overlooked blind spot in multi-signature practice.
These shared points are weak points in the security chain. A hacker only needs to break into one intersection to affect everyone at the same time.
This profound lesson tells us that security is not a tool, but a set of systematic practices. Having top-notch multi-signature tools is not enough to ensure security; the key is how to use them to build a complete security process.
This realization is particularly urgent for institutions and exchanges. Data from 2024 shows that crypto theft losses increased by 67% to $494 million, while the number of victim addresses increased by only 3.7%. Attackers have clearly turned to precisely targeting high-value victims, with the largest single theft reaching $55.48 million. When your asset size reaches institutional level, you become a prime target for hackers, and any security compromise may bring disaster.
Bybit’s loss is the most profound lesson, and it has sounded the alarm for the entire industry: true multi-signature security requires multiple independent verification paths, not just multiple signatories. If everyone relies on the same information source, no matter how many signatories there are, they cannot provide true security.
In other words, Safe itself can be very safe, but only if you use it in the right way and understand every link in the entire security chain. This is especially important for high net worth users.
MPC + Safe: A more powerful safety combination?
If the $1.5 billion Bybit hack taught us anything, it’s that we should rethink the nature of security: the security of a multi-signature wallet does not lie in the number of signatories, but in the independence of the verification paths.
When everyone looks at the same web interface, it creates a perfect single point of failure. A hacker only needs to break this point to deceive everyone. This is the truth of the Bybit incident.
So, how can we strengthen the independence of verification paths while maintaining the advantages of decentralized multi-signature permissions?
The combination of MPC and Safe may be the answer. This combination not only inherits the advantages of both, but may also create a new security paradigm and fundamentally solve the shared trust point problem in current multi-signature practices.
Cobo Portal's MPC+Safe combined security design is based on two core principles:
Decoupling the verification link
In traditional multi-signature schemes, all signers share the same interface, RPC node, and parsing logic, forming a dangerous centralized trust point. A safer solution should break this pattern and establish a separate verification system:
Separate signing infrastructure (such as MPC or HSM)
Self-maintained RPC node network (not dependent on nodes provided by Safe)
A service layer that independently parses transaction content (ensuring that each signer sees the real transaction content)
Dedicated approval interface, completely isolated from the main Web UI
The Safe{Wallet} Co-signature solution launched by Cobo is developed based on this concept. It can serve as a signer in the Safe multi-signature wallet, but is completely independent of other signers.
It works as follows: Cobo Portal pulls the transactions to be signed from the Safe service, reviews them through an independent risk control system, then completes the signature using an MPC wallet or a fully managed HSM wallet, and pushes the signature result back to the system.
Taking the Bybit incident as an example, even if hackers hijacked the Safe interface, the Cobo independent verification system can still display the real transaction content and risk warnings.
Principle of least privilege
As a security product of Cobo, the Cobo Safe permission separation module implements a simple but powerful concept: cold wallets never require full permissions.
Taking exchanges as an example, the main job of cold wallets is to transfer funds to hot wallets. However, every time the hot wallet needs funds, the administrator must use the full control of the cold wallet to transfer funds, which increases unnecessary risk exposure.
The Cobo Safe solution is straightforward: it allows the creation of a special restricted operator role that has only one permission, namely to transfer specific whitelisted currencies to a pre-set hot wallet address. Daily operations are carried out through this low-privilege address, so the main Safe does not need to be used frequently. Users can also configure the blacklists and whitelists of their Safes themselves, including restrictions on the target contracts that can be called, to further strengthen permission control.
This means that even if the hacker has full control over the operator account, the only thing they can do is transfer funds to the exchange’s own hot wallet - they have no authority to modify wallet settings, no authority to transfer funds to other addresses, and no authority to use non-whitelisted currencies.
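As an added illustration of the independent parsing layer and the restricted-operator whitelist described above (this is not Cobo's or Safe's code), the following Python example decodes the raw fields of a pending Safe transaction and checks them against a policy. The policy, addresses and sample transactions are constructed assumptions; the fields to, value, data and operation are those of a Safe transaction.

```python
# Added illustration (not Cobo's or Safe's code); all addresses are constructed.
CALL, DELEGATECALL = 0, 1        # values of Safe's Enum.Operation
ERC20_TRANSFER = "a9059cbb"      # selector of transfer(address,uint256)

# Hypothetical operator policy: whitelisted tokens may go to one hot wallet only.
POLICY = {"tokens": {"0x" + "aa" * 20}, "hot_wallet": "0x" + "bb" * 20}

def review_safe_tx(tx, policy=POLICY):
    """Decode a pending Safe transaction and list every policy violation."""
    findings = []
    to = tx["to"].lower()
    data = tx.get("data", "0x")[2:].lower()
    summary = {"to": to, "operation": tx["operation"]}
    if tx["operation"] != CALL:
        findings.append("operation is not CALL (DELEGATECALL requested)")
    if int(tx.get("value", 0)) != 0:
        findings.append("native value transfer is outside this role")
    if to not in policy["tokens"]:
        findings.append("target contract is not whitelisted")
    # Decode the calldata directly rather than trusting any UI description.
    well_formed = len(data) == 8 + 128 and data[8:32] == "0" * 24
    if data[:8] == ERC20_TRANSFER and well_formed:
        recipient = "0x" + data[32:72]
        summary.update(call="transfer", recipient=recipient,
                       amount=int(data[72:], 16))
        if recipient != policy["hot_wallet"]:
            findings.append("recipient is not the pre-set hot wallet")
    else:
        summary["call"] = "unknown selector " + data[:8]
        findings.append("calldata is not a plain ERC-20 transfer")
    return summary, findings

def transfer_calldata(recipient, amount):
    """Build transfer(address,uint256) calldata for the constructed samples."""
    return "0x" + ERC20_TRANSFER + recipient[2:].rjust(64, "0") + format(amount, "064x")

# Constructed samples: a routine refill, and a request that a spoofed UI could
# label as a transfer while the signed fields say something else.
ROUTINE = {"to": "0x" + "aa" * 20, "value": "0", "operation": CALL,
           "data": transfer_calldata("0x" + "bb" * 20, 1000)}
DISGUISED = {"to": "0x" + "cc" * 20, "value": "0", "operation": DELEGATECALL,
             "data": transfer_calldata("0x" + "dd" * 20, 0)}

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE), ("disguised", DISGUISED)):
        summary, findings = review_safe_tx(tx)
        print(name, summary, findings or "OK")
```

The check only helps if it runs on infrastructure separate from the interface the other signers use, and if the fields it reviews are the same ones that are actually hashed and signed.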
If Cobo Portal was used, would the $1.5 billion theft still have happened?
Once you understand how an attacker acts, you can design an effective defense. Let’s simulate the attacker’s action path and see how Cobo Portal’s protection will work in the Bybit attack scenario.
Scene Replay
Attack step 1: Malicious JavaScript code is injected into the Safe front end
Under the Safe multi-signature scheme: all signers use the same attacked interface and see disguised transaction content;
Under the Cobo Safe{Wallet} co-signing scheme: although the Safe interface was attacked, Cobo's independent approval app was not affected and displayed the real transaction content.
Attack Step 2: Disguise the Transaction Request Signature
Under the Safe multi-signature scheme: the signer sees "transfer to hot wallet", but is actually authorizing an upgrade;
Under the Cobo Safe{Wallet} co-signing scheme: the independent verification link resolves that the real transaction is a Delegate Call operation, and a risk warning is displayed on the App.
Attack Step 3: Collect signatures and execute the attack
Under the Safe multi-signature scheme: After collecting enough signatures, the control of the contract is obtained by the attacker;
Under the Cobo Safe{Wallet} co-signing scheme: display the real transaction content and risk warnings to allow signers to identify attack behaviors.
Attack Step 4: Bypassing the Multi-Sig Defense
Under the Safe multi-signature scheme: After the attacker gains control of the contract, he can transfer all assets;
When used with the Cobo Safe solution: even if all previous defenses are breached, Cobo Safe's permission separation ensures that attackers can only perform pre-authorized operations (such as transferring funds to whitelisted hot wallets).
Under the independent verification protection of Cobo Portal, Bybit's attackers would be intercepted at multiple stages. It is worth emphasizing that although Cobo Safe{Wallet} and Cobo Safe are two independent products, using them together provides a higher level of security. If the independent verification line of defense is breached, the permission separation system can still effectively limit the scope of possible losses. Through this defense-in-depth strategy, the loss of $1.5 billion in assets could have been completely avoided.
Safety is like insurance. People always realize its importance only after a disaster occurs.
Unfortunately, the industry has paid an astronomical price for this, but it also gives us an opportunity to rethink crypto security: security is an asymmetric game. Attackers only need to find one vulnerability, while defenders have to cover them all. When billions of dollars are at stake, top hackers and even nation-state attackers with unlimited resources will spend months or even years studying your system, looking for that single weakness.
This is exactly why Cobo developed the Safe{Wallet} co-signing solution. We want to solve a core problem: how to eliminate single points of failure? The answer is to reconstruct the entire verification process and implement multiple security guarantees. For institutions that manage large amounts of assets, security has never been the opposite of efficiency, but a prerequisite. Without security, there is no way to talk about efficiency.
Cobo has been using this system internally. After frequent security incidents, we realized that these security practices should not only belong to us, but should benefit more users. Therefore, we have productized it and launched a 30-day free trial. We hope that it can not only protect your assets, but also continuously optimize and upgrade with your feedback to make the security system more perfect.
Security is not a one-time investment, but a process of continuous evolution. As threats continue to escalate, security protection must also continue to iterate. Only with focus and persistence can we truly cope with the ever-changing risk environment.