Lightspeed Newsletter Segment
This is a segment from the Lightspeed newsletter.
Yesterday, Bybit CEO Ben Zhou posted on X that the platform’s $1.4 billion hack was caused by malicious code originating from Safe{Wallet}’s infrastructure. Solana CEOs described the situation using phrases like “nightmare season,” “holy hell,” and “holy shit.”
Preliminary reports suggest that Safe’s frontend was exploited to trick Bybit into signing a malicious transaction, while Safe’s actual smart contracts functioned correctly. However, the alarmed reactions stem from the fact that exploitable wallets give hackers access to vast amounts of assets: Safe’s smart accounts secure over $100 billion in digital assets.
In this context, the potential for hackers to escalate their attacks beyond Bybit is significant.
Squads, a multisig wallet used by notable Solana teams such as Helium, Kamino, Pyth, Helius, Drift, Jupiter, and Ellipsis, is currently “conducting a comprehensive review of our infrastructure to mitigate the possibility of such an attack,” according to CEO Stepan Simkin.
Simkin highlighted the necessity for “high value accounts” to have dedicated wallet solutions, as sophisticated hackers can “potentially compromise any frontend.”
The Bybit hackers, linked by the FBI to North Korea, injected malicious code into Safe’s JavaScript files, manipulating Bybit’s multisig transactions and redirecting funds to the attacker’s address, according to a report from the blockchain security firm Slowmist. While the crypto industry emphasizes auditing smart contracts, it tends to neglect “conventional infrastructure,” such as leaked Amazon Web Services credentials, a key factor in this incident, noted Simkin.