The Responsibility for Bybit’s Mishap
After a calamity occurs and the initial shock dissipates, our natural inclination is to search for someone to fault. Thus, as the commotion settles following the Bybit breach, who should bear the brunt of this (already laundered) $1.5bn loss? The most convenient target would be the exchange itself, and it must be acknowledged: they bear a significant burden of accountability. Nevertheless, despite this disastrous breakdown, Bybit is not a reckless operator from the early days of crypto’s tumultuous era. It stands as a reputable and conscientious exchange that actively pursues compliance with regulations. If a behemoth like Bybit can suffer a loss exceeding a billion dollars, it highlights a more profound issue. This should raise concerns for anyone invested in the cryptocurrency realm.
Unsecured Wallets
To grasp the magnitude of the issue, let us examine what we understand about how Bybit clients were compromised. The exchange employed a platform named Safe for asset management, offering multisig ETH wallets. Unfortunately, Safe was susceptible to a critical security flaw in its user interface, which the attackers exploited after gaining access to a Safe employee’s AWS key. Leveraging this access, they infiltrated the account and inserted JavaScript code that manipulated how transactions appeared in Bybit users’ web-based wallets during the authorization process, so that what the signers saw on screen was not what they were actually signing.
This catastrophe has been brewing for years and is rooted in a concern that has plagued the crypto sphere since its inception: blind authorization. When individuals unknowingly approve fabricated transactions, the robust security measures such as multisig become futile. It is akin to fortifying your residence with sophisticated biometric access systems and multiple locks on the front door only to leave a ground-level window open.
Therefore, what are the shortcomings of wallets, and why has the industry failed to acknowledge this issue, let alone address it effectively?
Illegible Accounts
Blind authorization has long been a recognized vulnerability, but for years it was rare and largely theoretical. However, with transactions becoming increasingly sophisticated by the day, the emergence and widespread adoption of novel BTC or ETH mechanisms like smart contracts have made it incredibly daunting to verify the content being endorsed. It is simple to advocate ‘Trust, but verify,’ but the challenge intensifies when faced with scrutinizing lengthy strings of characters on a diminutive LCD screen. In the early days of crypto, it was surprising how rudimentary wallet interfaces appeared. They resembled the ‘Nokia’ era and seemed oddly out of place at the forefront of the digital currency uprising. Many users assumed that subsequent generations of wallets would prioritize rectifying this UI flaw. Yet, fast forward a decade, these dismal, obscure interfaces have seen minimal alteration, and the issue of blind authorization has only worsened. A new breed of wallet is conspicuously absent. We are essentially using identical technology and interfaces dating back to the era when a solitary pizza commanded a valuation of 10,000 BTC. The question then arises: why?
Stagnant Progress
If there is a need to assign blame – and there certainly is – the wallet industry should be held accountable. They have persistently and mystifyingly failed to advance their hardware and software, with notable consumer wallets still reliant on outdated smart card technology from the 1970s. This malaise extends beyond the diminutive displays; it seeps into even the cold storage devices equipped with contemporary smartphone-style screens and applications. This can be attributed to the stringent control exerted by present-day wallet providers over their environment, enforcing rigid regulations that restrict developers from customizing applications. This includes dictating the display of transactions and the level of detail communicated to the user. The dilemma of blind authorization demands a resolution. The ideal approach involves breaking down the barriers and endorsing open ecosystems that empower developers to craft their own applications. This freedom would enable wallet developers to devise ways of presenting intricate transactions and contracts on hardware devices, simplifying verification and ensuring user understanding. Envision a scenario wherein Safe could have developed a complementary application to run on users’ hardware wallets, displaying the key transaction specifics on the device itself; that could have alerted both users and the Bybit team, averting the phishing dilemma before individuals sanctioned the transfer of their assets.
Nonetheless, this necessitates more than merely upgrading wallet software. It can only materialize when devices segregate applications from the wallet’s master key and afford complete customization – encompassing design, UI, and features – allowing wallet developers to furnish comprehensive functionality on the cold storage front. Unfortunately, such customization is unfeasible with the existing technology underpinning today’s most prevalent wallets.
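As an added illustration (not code from the article, from Safe, or from any wallet vendor) of the device-side check the preceding two sections argue for, and of the failure the earlier Safe UI section describes: the signing device decodes the raw calldata itself instead of trusting the web front end’s rendering, and refuses to sign when the decoded recipient or amount differs from what the UI claims. It uses the standard ERC-20 `transfer(address,uint256)` selector; the addresses, amounts and the `Intent` / `safe_to_sign` names are constructed for this example.

```python
from dataclasses import dataclass

# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 transfer selector.
TRANSFER_SELECTOR = "a9059cbb"


@dataclass(frozen=True)
class Intent:
    """What a transfer is supposed to do, as shown to (or decoded for) the signer."""
    to: str      # recipient address, 0x-prefixed hex
    amount: int  # token amount in base units


def decode_transfer(calldata_hex: str) -> Intent:
    """Decode ABI-encoded transfer(address,uint256) calldata without trusting the UI."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for transfer(address,uint256)")
    if data[:8] != TRANSFER_SELECTOR:
        raise ValueError(f"not an ERC-20 transfer: selector 0x{data[:8]}")
    to_word, amount_word = data[8:72], data[72:136]
    if to_word[:24] != "0" * 24:  # address is right-aligned in a 32-byte word
        raise ValueError("address word has non-zero padding")
    return Intent(to="0x" + to_word[24:], amount=int(amount_word, 16))


def safe_to_sign(calldata_hex: str, claimed: Intent) -> tuple[bool, str]:
    """Compare the UI's claim with what the bytes actually do; return (ok, device message)."""
    try:
        actual = decode_transfer(calldata_hex)
    except ValueError as exc:
        return False, f"REFUSE: {exc}"
    if actual.to.lower() != claimed.to.lower():
        return False, f"REFUSE: UI shows recipient {claimed.to}, calldata sends to {actual.to}"
    if actual.amount != claimed.amount:
        return False, f"REFUSE: UI shows amount {claimed.amount}, calldata sends {actual.amount}"
    return True, f"OK: transfer {actual.amount} base units to {actual.to}"


def encode_transfer(intent: Intent) -> str:
    """Build ABI calldata for a transfer (used here only to construct sample inputs)."""
    addr = intent.to.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + TRANSFER_SELECTOR + addr + format(intent.amount, "064x")


# Constructed samples: the UI claims a payment to the treasury address, but the
# tampered calldata actually sends the same amount to a different address.
CLAIMED = Intent(to="0x" + "11" * 20, amount=1_000_000)
HONEST_CALLDATA = encode_transfer(CLAIMED)
TAMPERED_CALLDATA = encode_transfer(Intent(to="0x" + "22" * 20, amount=1_000_000))

if __name__ == "__main__":
    print(safe_to_sign(HONEST_CALLDATA, CLAIMED))
    print(safe_to_sign(TAMPERED_CALLDATA, CLAIMED))
```

The same structure extends to any contract call the device has an ABI for: decode on the device, render the decoded fields, and never show the signer text that originates from the browser.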
User Experience: The Gateway to Enhanced Security
One of the prevalent misconceptions in technology is that robust security compromises user experience. In reality, the reverse is true. A prime example lies in effortlessly comprehending the financial transactions one consents to sign. For cryptocurrency to transcend into the realm of universal adoption, we must curb these ruinous, high-profile breaches. Today’s wallet industry must confront this issue at the device level, empowering developers to innovate freely and devise applications that herald a long-awaited revolution in user experience. This approach stands as the sole means to shield cryptocurrency from the tarnishing repercussions of breaches akin to Bybit’s: simplifying procedures, preventing users from granting blank approvals, and cultivating a secure yet gratifying user journey.
