HACKPROGLIB Telegram 3946
🤑 You have probably already heard that more than $1.4B worth of ETH was drained from the wallets of the crypto exchange Bybit… and that Lazarus is behind it.

But how did it happen on the technical side? Details are slowly starting to surface. We'll leave them in the original:

1) malicious JS injected into Safe{Wallet} at http://app.safe.global/_next/static/chunks/pages/_app-4f0dcee809cce622.js (because apparently, one of the nk devs just casually pushed it to production 🤡)

2) the JS modified executeTransaction() only if the signer was in a predefined list (Bybit’s multisig owners).

3) modified transaction now sets operation: 1 (delegatecall) to attacker address instead of a normal call.

4) delegatecall hits the attacker contract, which changed the Safe contract's first storage slot, which is masterCopy, to another attacker contract.

5) new masterCopy contract contained sweepETH() & sweepERC20(), draining $1.5B
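Steps 3 and 4 of the chain rest on two facts a signer can verify independently of the web front end: the `operation` field of the Safe transaction (0 = call, 1 = delegatecall) and the proxy's first storage slot, which holds the masterCopy address. The script below is an added example, not code from the post, from Safe or from Bybit; it implements a pre-signing policy check over those two fields. All addresses, the sample transactions and the storage snapshots are constructed placeholders, and the allowlist policy it enforces is an assumption made for the example.

```python
"""
Pre-signing policy check for a Safe (multisig) transaction.

Added example; not code from the post, from Safe or from Bybit. It flags the
pattern described above: a transaction whose `operation` is 1 (delegatecall)
to a contract that is not on an explicit allowlist, and a proxy whose first
storage slot (masterCopy) no longer matches the expected singleton.
All addresses below are constructed placeholders, not real deployments.
"""
from dataclasses import dataclass

CALL = 0
DELEGATECALL = 1

# Constructed placeholder addresses (not real deployments).
EXPECTED_MASTER_COPY = "0x" + "11" * 20
KNOWN_TOKEN = "0x" + "22" * 20
UNKNOWN_CONTRACT = "0x" + "33" * 20


@dataclass(frozen=True)
class SafeTx:
    """The fields of a Safe transaction that matter for this check."""
    to: str
    value: int          # wei
    data: bytes
    operation: int      # 0 = call, 1 = delegatecall


def _norm(addr: str) -> str:
    return addr.lower()


def check_safe_tx(tx: SafeTx, delegate_allowlist: frozenset = frozenset()) -> list:
    """Return a list of findings; an empty list means the tx passes policy.

    Policy (assumed for this example): delegatecall is only acceptable to an
    explicitly allowlisted library contract, and any unknown operation code
    is rejected outright.
    """
    findings = []
    if tx.operation == DELEGATECALL:
        if _norm(tx.to) not in {_norm(a) for a in delegate_allowlist}:
            findings.append(
                f"delegatecall to non-allowlisted contract {tx.to}; the callee runs "
                "with the Safe's own storage and can overwrite masterCopy")
    elif tx.operation != CALL:
        findings.append(f"unknown operation code {tx.operation}")
    return findings


def master_copy_from_slot0(slot0: bytes) -> str:
    """Decode the masterCopy address from the proxy's 32-byte storage slot 0.

    An address occupies the low 20 bytes of the word; the high 12 bytes must be zero.
    """
    if len(slot0) != 32:
        raise ValueError("storage slot must be 32 bytes")
    if any(slot0[:12]):
        raise ValueError("slot 0 does not hold a bare address")
    return "0x" + slot0[12:].hex()


def check_master_copy(slot0: bytes, expected: str = EXPECTED_MASTER_COPY) -> list:
    """Flag a proxy whose singleton pointer no longer matches the expected one."""
    actual = master_copy_from_slot0(slot0)
    if _norm(actual) != _norm(expected):
        return [f"masterCopy changed: expected {expected}, found {actual}"]
    return []


def _slot_word(addr: str) -> bytes:
    """Encode an address as the 32-byte word eth_getStorageAt would return."""
    return bytes(12) + bytes.fromhex(addr[2:])


# Constructed sample transactions: a routine ERC-20 transfer and the
# delegatecall pattern from step 3 of the post.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
ROUTINE_TX = SafeTx(to=KNOWN_TOKEN, value=0, data=TRANSFER_SELECTOR + bytes(64), operation=CALL)
SUSPICIOUS_TX = SafeTx(to=UNKNOWN_CONTRACT, value=0, data=b"", operation=DELEGATECALL)

# Constructed storage snapshots: slot 0 before and after it is overwritten (step 4).
SLOT0_BEFORE = _slot_word(EXPECTED_MASTER_COPY)
SLOT0_AFTER = _slot_word(UNKNOWN_CONTRACT)


if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE_TX), ("suspicious", SUSPICIOUS_TX)):
        print(name, check_safe_tx(tx) or "OK")
    for name, slot in (("before", SLOT0_BEFORE), ("after", SLOT0_AFTER)):
        print(name, check_master_copy(slot) or "OK")
```

The point of the check is that it consumes the raw transaction fields and a storage read, not whatever the front end renders: a tampered UI can present a delegatecall as a routine transfer, but it cannot change the `operation` byte that gets hashed and signed, nor the value returned by `eth_getStorageAt` for slot 0.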

The most interesting part is the size of the payouts under the bug bounty program. A textbook case of pricing it too cheap 🤷‍♂️

#apt #news #назлобудня
tgoop.com/hackproglib/3946
By Библиотека хакера | Hacking, Infosec, ИБ, информационная безопасность