
Who is responsible for US$1.5 billion? Digging into the industry-wide risks behind the Safe security incident


Reprinted from chaincatcher

02/27/2025

Author: Fairy, ChainCatcher

Edited by: TB, ChainCatcher

In the largest theft in crypto history, Bybit lost roughly US$1.5 billion, and the root cause ultimately traced back to Safe, Ethereum's most trusted multisig wallet. Safe turned out not to be as safe as its name.

As the largest smart-account ecosystem on the EVM, Safe hosts more than 8 million smart wallets holding hundreds of billions in crypto assets, and more than 200 projects are built on it. Many DAOs, foundations and large NFT projects treat it as a "safe"-style foundation for custody. If even top-tier security infrastructure can be hit like this, where does crypto security go from here?

Can whoever hacks Safe steal everyone's money?

According to the investigation report, the weakness was not in the Safe smart contracts or in the front-end code itself: the attacker compromised a Safe{Wallet} developer's machine and used that access to inject malicious code into the front end. The injected code intercepted and tampered with transaction parameters, so the transaction the signers approved was not the one they believed they were approving, and the funds were stolen.

In other words, an attacker who controls the Safe front end can, in theory, inject different malicious code for different users, which means every project that relies on its front end, API and other user-facing services is exposed to the same risk. This attacker chose Bybit, the "fattest sheep", and other users were spared for the time being.

It also means the threat is not limited to external hackers: in theory, an insider on the Safe team could use the same means to steal funds from Safe users.

Bybit attack flowchart, source: SlowMist

Whose responsibility? Who compensates?

Safe's security directly affects most of the industry. If something like this happened to us, could we expect a wallet tool like Safe to pay compensation? Safe's stance can be read from the Bybit incident.

Looking at the terms and conditions users must accept before using Safe, Article 18 reads:

(1) If the Safe{Wallet} application or service is provided to the user free of charge, CC shall only be liable for intent, gross negligence, or fraudulent concealment by CC of possible material or legal defects of the Safe{Wallet} application or service.

(2) If the Safe{Wallet} application or service is not provided to the user free of charge, CC shall only be liable for damages in accordance with paragraph (1) and for breach of essential contractual obligations. CC's liability is limited to foreseeable, typically occurring damages. The compensation usually does not exceed the total fees paid by the user to Safe in the year the damage occurred, and liability for damages caused by breach of non-essential contractual obligations is excluded.

Article 20 further states:

We shall not be liable to you, and shall not be deemed in breach of this Agreement, if our failure to provide the Services or to perform our obligations under this Agreement, or any delay in providing the Services, results from events beyond our reasonable control (including force majeure events).

"Force Majeure Events" include, but are not limited to: terrorist attacks, hacking or cyber threats, civil wars, riots or civil disturbances, wars, threats of war or preparations for war, armed conflicts, the imposition of sanctions, embargoes or network disconnections.

Read as written, the allocation of responsibility is vague. If Safe admits that the incident amounts to gross negligence, it would assume liability under Article 18; but if a hacking attack counts as a "force majeure event" under Article 20, Safe is not liable for failing to perform its obligations under the agreement.

Community members also weighed in:

  • "No, no, no compensation is due. It is a free service and is not suitable for managing institutional-level funds. I have been saying for years that an ordinary wallet alone is not enough to manage huge sums of money."
  • X user @jiyang0924 said: "Safe may not have to pay a penny. As far as I know, all providers, including Cobo and Copper, have disclaimers in their service agreements. Of course, I understand that in practice a custodian cannot promise compensation, otherwise risk and return would be mismatched."

Safe may be able to avoid legal liability, but from a moral standpoint it should consider some form of compensation.

So far, however, it has said nothing about this...

The road to safety is long

Although Safe has responded comprehensively and rebuilt all of its infrastructure, the incident is still a wake-up call for the whole crypto industry, exposing a hard reality: security is not only a technical problem but an ecosystem problem.

The core lesson is the need for multi-layered verification and audit processes, together with stronger monitoring and early warning for one's own assets. In this incident's terms, that means verifying what the signing device displays against the transaction the team actually intended, using a path independent of the web front end, rather than trusting the page alone. Relying on a single piece of software or a single platform to handle hundreds of millions or even billions of dollars in financial flows is dancing on the edge of a cliff. The security model for managing large-scale assets urgently needs a thorough upgrade.

Security is the most important track in the crypto industry. A secure smart contract is not the same as absolute security: supply-chain attacks, insider threats and human error can all become fatal weaknesses. For individuals too, it is time to re-examine how large sums are stored and how secure on-chain treasury management and staking really are. Every crisis is a reminder that asset security must never be taken lightly.

Safe's Lukas Schor previously said in an interview that all on-chain wallets will become smart wallets within three years. Is that goal still achievable now?
