Hack explanation leaves CZ unsatisfied, as he raises concerns about compromised developer machines and multi-signer vulnerabilities.
Former Binance CEO Changpeng Zhao (CZ) has criticized Safe Wallet’s post-mortem update on the Bybit hack, calling it “not that great” and raising concerns about how attackers tricked multiple signers.
His comments follow an audit report stating that the breach resulted from a compromise of Safe’s infrastructure rather than the exchange’s systems.
Forensic investigations found that compromised Safe Wallet credentials led to the nearly $1.5 billion Bybit exploit. In a statement on X on Wednesday, the crypto wallet provider confirmed the findings, stating that the hack stemmed from a “compromised Safe Wallet developer machine.”
The company highlighted that the reports did not identify vulnerabilities in its smart contracts or front-end source code. It also announced that it had fully rebuilt and reconfigured its infrastructure and changed all credentials, ensuring the attack vector was “fully eliminated.”
However, CZ criticized the statement, saying:
“This update from Safe is not that great. It uses vague language to brush over the issues. I have more questions than answers after reading it.”
He questioned what “compromising a Safe {Wallet} developer machine” meant and how the attack happened, asking whether social engineering or a virus was involved. He also inquired how the developer machine had access to an account operated by Bybit and whether the code was deployed directly to production.
Further concerns were raised about how the attackers bypassed Ledger verification, whether blind signing was involved, or if signers failed to verify properly.
On February 26, Bybit released a forensic audit conducted by Sygnia and Verichains about the attack. The audit revealed that Safe developer’s credentials had been compromised, giving hackers access to the wallet’s infrastructure, which led to signers being deceived into approving a malicious transaction.
According to the report, the exploit was carried out using “malicious JavaScript code” that had been injected into Safe’s Amazon Web Services system two days earlier. The script activated only when transactions came from specific contract addresses, including Bybit’s multi-sig contract and another address suspected to belong to the criminal.
Just two minutes after the hack, the attackers removed the malicious code from Safe’s system and disappeared. Forensic experts and the company have also confirmed that Bybit’s infrastructure was not compromised.
Since the incident, Bybit has borrowed 40,000 ETH from Bitget to meet withdrawal demands, which have since been repaid. The firm has also restored its reserves through loans, asset purchases, and whale deposits, securing 446,870 ETH valued at $1.23 billion. CEO Ben Zhou confirmed that the exchange now has 100% backing for client assets.