Author: Tanay Ved, Victor Ramirez Source: Coin Metrics Translation: Shan Oppa, Golden Finance
Key points:
The major cryptocurrency exchange Bybit suffered the largest hack in cryptocurrency history, with $1.5 billion in ETH stolen from its cold wallet.
While the hacker still holds the stolen assets and has spread 401,346 ETH across multiple accounts, Bybit has covered a $1.2 billion deficit, bringing its ETH reserves to 380,000 ETH.
The market impact was largely contained: compared with previous events, price fluctuations were relatively small and short-lived.
Introduction
In the past, we have seen many headlines change, narratives evolve, new projects appear and fade, and many major events shock the crypto industry. Since its establishment, Coin Metrics has always adhered to its OPEN values: openness, pioneering, interpretive, and neutral. The articles we write reflect these values: illuminating the complex world of public blockchains, pioneering at the forefront of the crypto market, and remaining editorially neutral to maintain the integrity of our research.
Ironically, as we thought about the content of Issue 300 and reflected on the recurring themes of cryptocurrency history, we experienced the kind of crisis that often occurs in this industry: the Bybit exchange became the victim of the largest exchange hack in history. In this article, we focus on the Bybit hack, using on-chain data to analyze exchange reserves and capital flows and to assess the impact on the market.
Bybit Hacker Progress
Shockingly, Bybit, one of the largest cryptocurrency exchanges, was hacked, losing about $1.5 billion worth of ETH. This incident is one of the largest cryptocurrency hacks ever, surpassing even the infamous Mt.Gox collapse and FTX implosion. While wider contagion has been contained, studying this series of events and its on-chain footprint can provide valuable background on hacks and their market impact.
Although famous hacks in the past stemmed from a range of security vulnerabilities, the Bybit attack occurred during a routine transfer of ETH from the platform's multi-signature cold wallet to a hot wallet, a standard operating procedure for centralized exchanges managing user funds. Soon after, Bybit CEO Ben Zhou confirmed the hack and, during a live broadcast, assured users of the exchange's financial stability and its ability to meet withdrawal requests.
The attack targeted the signers of Bybit's cold wallet by "blocking" the user interface of the Safe wallet (the wallet provider used by Bybit) and changing the underlying smart contract code. This tricked the signers into approving a malicious transaction, granting the attackers full access to Bybit's Ethereum cold wallet.
As of 2:16 pm UTC, shortly after the attacker's account was created, the hacker controlled 401,346 ETH (worth $1.1 billion) stolen from Bybit's cold wallet. The stolen assets reportedly also include Ethereum staking derivatives such as stETH, for a total of US$1.5 billion.
While exchanges like Bybit operate off-chain as centralized entities, on-chain data can track exchange wallets, counterparties and capital flows in real time. Coin Metrics tags the often complex operational structure of exchange wallets, allowing us to track the flow of funds from exchanges to hacker wallets and beyond.
As shown in the above image, 401,347 ETH flowed from Bybit's cold wallet (0x1d…) into the hacker account (0x47…), and the funds were then spread across more than 40 accounts, each funded in multiples of 10,000 ETH. While the perpetrators still control the assets, a portion of the funds has been transferred to decentralized exchanges (DEXs) and bridged to other networks such as Solana, where it was swapped for native assets that, having no central authority, cannot be frozen.
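The tracing described above, sketched as an added example (not Coin Metrics' code or data): it walks a constructed list of transfers outward from the drained wallet, flags a fan-out in 10,000 ETH multiples, and totals what reached labelled DEX or bridge addresses. All address names, labels and amounts other than the first transfer are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount in ETH); the address
# names are placeholders, not the real wallets involved in the incident.
TRANSFERS = [
    ("cold_wallet", "hacker_0", 401_347),
    ("hacker_0", "hop_1", 10_000),
    ("hacker_0", "hop_2", 10_000),
    ("hacker_0", "hop_3", 20_000),
    ("hop_1", "dex_router", 4_000),
    ("hop_3", "bridge", 15_000),
    ("user_a", "user_b", 12),   # unrelated traffic
    ("user_b", "hop_2", 3),     # unrelated deposit into a tainted address
]

def trace(transfers, source):
    """Breadth-first walk of outgoing transfers; returns {address: hops from source}.
    Plain reachability over-approximates taint: every downstream receiver is included."""
    out = defaultdict(list)
    for sender, receiver, _ in transfers:
        out[sender].append(receiver)
    hops, queue = {source: 0}, deque([source])
    while queue:
        addr = queue.popleft()
        for receiver in out[addr]:
            if receiver not in hops:
                hops[receiver] = hops[addr] + 1
                queue.append(receiver)
    return hops

def fan_out(transfers, tainted, lot=10_000, min_receivers=3):
    """Tainted senders that split funds to >= min_receivers addresses in multiples of lot."""
    receivers = defaultdict(set)
    for sender, receiver, amount in transfers:
        if sender in tainted and amount > 0 and amount % lot == 0:
            receivers[sender].add(receiver)
    return {s: sorted(r) for s, r in receivers.items() if len(r) >= min_receivers}

def exposure(transfers, tainted, sinks):
    """ETH sent from tainted addresses into labelled sinks such as a DEX or bridge."""
    total = defaultdict(int)
    for sender, receiver, amount in transfers:
        if sender in tainted and receiver in sinks:
            total[receiver] += amount
    return dict(total)
```
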
Bybit Exchange Supply and Liquidation
From the exchange's perspective, we can see that as the February 21 event unfolded, Bybit's ETH outflows were about $1.2 billion. This brought the total supply of ETH on Bybit from 438,000 ETH to 60,000 ETH by the end of the day. As news of the hack spread, Bybit's BTC exchange supply also fell by 21,000 BTC (as of February 23), and users' demand for withdrawals continued to increase.
However, subsequent capital inflows show that Bybit has successfully covered the $1.2 billion deficit through secured loans, over-the-counter transactions and user deposits. This is supported by a reserve audit conducted by Hacken, which confirmed that all major assets, including ETH, maintain a collateral ratio of over 100%. Bybit had reserves of 380,000 ETH as of February 24.
The market's reaction to Bybit hacking
The Bybit hack left aftershocks on the market. Shortly after the hack, ETH plummeted from $2,850 to $2,600, and for a few hours Bybit's ETH-USDT market traded at a slight discount to other well-known markets. The gap between Bybit and other markets narrowed over the weekend, and ETH even returned to its pre-hack price levels early on Sunday.
We have written before about the market impact of previous hacks, and this one seems to have had a much smaller impact than those of the past few years. The market is mature enough to absorb shocks of this scale without flinching, and without them posing an existential risk to the exchange or the industry as a whole.
While most stablecoins maintained their pegs to the US dollar, one contagion effect worth noting was a brief depeg of Ethena USD (USDe). USDe fell below $0.96, but began to rebound the next day.
Ethena does rely on exchanges such as Bybit to execute the hedging strategies that maintain its peg, but importantly, Ethena holds the assets backing its stablecoin with institutional-level custodians, not inside Bybit (or any exchange). Only the margin required to hedge short positions is deposited on exchanges such as Bybit. Most of the collateral remains off exchange and is not directly exposed to Bybit's risks.
For comparison, consider the Silicon Valley Bank (SVB) crisis, which caused USDC to depeg in March 2023, nearly two years ago*. USDC stayed depegged for a few days and dropped to $0.88 due to concerns that Circle's reserves were held at SVB.
Similarly (and importantly), both incidents occurred on a Friday. While USDC holders were exposed to traditional finance being closed outside working hours, the secondary market impact of the Bybit hack self-corrected over the weekend. Overall, contagion was largely contained. The community worked together to secure funds, and Bybit was able to meet its customer obligations.
While Ethena USD is not affected by exchange risk, USDe (and other stablecoins) are not immune to custody risk. No story of an exchange hack is complete without a warning about custody risk, so we will end with the cliché: not your keys, not your coins.
*Of course, these two incidents are not completely comparable: one was a bank run that left a small portion of stablecoin reserves locked, while the other was a loss of funds directly caused by theft. Still, the relative size of the crypto assets that were "lost" is comparable: $3.3 billion of USDC's $40 billion was locked in Circle's SVB account, while Bybit accounted for 15% of USDe's "support", or about $900 million of $6 billion.
Conclusion
The Bybit hack is another test of the resilience of the cryptocurrency industry. Over the past few years, this has been crucial not only to the exchange, but to the entire market. Miraculously, the community worked together to track funds flowing to the hackers, identify malicious actors, verify custodians' solvency in real time, and mitigate the damage this crisis may have caused. This work could not have been done so quickly and efficiently without public tools, data and a culture of transparency.
The industry must now contend with both hostile actors and regulators. While damage within the ecosystem seems to be largely under control, this event will raise security concerns as the industry becomes increasingly integrated with the broader international financial system. The industry will be responsible for addressing these reasonable concerns and demonstrating the value of a permissionless architecture.