How Your Cold Wallet Can Be Compromised


Bybit, a leading cryptocurrency exchange, recently lost approximately $1.5 billion in Ethereum (ETH) due to a hack. The incident was caused by a breach in its multi-signature (multi-sig) cold wallet.

This was one of the largest digital heists to date and has raised concerns about the security of digital wallets, particularly cold wallets.

While cold wallets are often considered the most secure method to store crypto, this incident reveals they are not foolproof.

Let’s break down how cold wallets can be hacked or compromised. We will also highlight some common misconceptions about cold wallet security and how you can better protect your digital assets stored in a cold wallet.

How Can Your Cold Wallet Be Hacked?

Cold wallets, often deemed the gold standard for crypto security, store private keys offline to protect against online threats. However, the Bybit hack underscores that cold wallets are not impervious to attacks.

According to an article by businessinsider.com, the hack occurred as Bybit attempted a routine transfer from its cold wallet to a warm wallet. In a post on X, Bybit's CEO, Ben Zhou, stated that the transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic.

This breach highlights that even offline storage solutions can be compromised through sophisticated methods. It also reminds us that smart contracts can be vulnerable to hacking.

Common Misconceptions About Cold Wallet Security

Some beginner crypto investors may mistakenly believe that storing assets in a cold wallet guarantees absolute security.

While cold wallets offer enhanced security by storing private keys offline, they are not hack-proof. Keeping keys offline only reduces exposure to online threats; it does not eliminate other risks such as:

  • Human Error:
    There is always an element of risk whenever someone transfers funds between cold and hot wallets. Weak security practices and insider threats may expose the private keys to unauthorized users.
  • Supply Chain Attacks:
    Before the cold wallet reaches the user, the hardware may have been compromised. Commercial cold wallets owned by companies may even be favorite targets for hackers.
  • Physical Theft:
    You should give some serious thought to where you store your cold wallet even if you are just an individual. If you are a popular crypto influencer, beware that your cold wallet may be targeted by those close to you.
  • Compromised Multi-Sig Setups:
    As seen in the Bybit hack, flaws in multi-signature configurations can allow attackers to bypass required signatures.

How Hackers Exploit Smart Contracts

Hackers can employ a myriad of methods to exploit vulnerabilities in smart contracts. The details are too technical for the layman, but here are some known methods:

  • Code Flaws: Bugs in contract code can be manipulated.
  • Reentrancy Attacks: Exploiting recursive calls to drain funds.
  • Logic Errors: Mistakes in contract logic can allow unauthorized withdrawals.
  • Upgrade Loopholes: Contracts with upgrade functions may be hijacked.

As with any other online digital system, no smart contract is totally hack-proof. Protecting any online digital system against hackers is an ongoing battle, and this is why cybersecurity professionals are some of the most highly paid IT professionals in the world.

For the common user, it is thus wise to use only smart contracts and platforms that follow strict security standards.

How to Secure Your Cold Wallet

Use Multi-Factor Authentication (MFA)

Do not assume that MFA is only important for online systems. To better protect your cold wallets, consider using hardware security keys, and avoid SMS-based MFA, which is known to have security flaws.

Conduct Regular Security Audits on your Cold Wallet

Even if you are just an individual investor, you should regularly check your cold wallet setup, including the hardware and software components.

Bear in mind that your cold wallet is not totally protected from malware. Therefore, make sure you use your cold wallet on secure computer devices and only download firmware from official sources.

If your company owns multiple cold wallets, consider hiring third-party cybersecurity experts to conduct thorough and objective audits.

Strengthen Physical Security Measures of your Cold Wallet

Never assume that the location where you store your cold wallets will be totally safe from theft or natural disasters. Hence, you should store your cold wallet devices in fireproof and tamper-proof safes that are located in a secure facility.

If you own multiple cold wallets, consider keeping them in different geographic locations. You never know when the funds may come in handy during an emergency.

Last but not least, make sure only authorized personnel can access your cold wallets.

Enhance Multi-Signature Cold Wallet Configurations

Multi-sig wallets require multiple private keys to approve transactions, but they need careful setup.

You should at least ensure the private keys are stored in separate physical locations and use independent custodians to manage different keys.

Secure Your Supply Chain

Hardware cold wallets can be tampered with even before you open the box.

Therefore, you should always purchase directly from trusted manufacturers and resellers. Do not be tempted to buy from online marketplaces even if the seller’s profile looks honest.

The first thing to do when you receive the package is to check for physical tampering. There should be a high-grade tamper-proof seal on the package.

Develop Strict Operational Procedures

In many cases, human error has been the cause of breaches. So, always double-check what you are doing before signing off on a transaction.

When moving funds with cold wallets, you should create step-by-step protocols for all wallet operations.

For example, when signing transactions, make sure you are using an air-gapped computer. Air-gapped computers are physically isolated from the Internet or other less secure networks to reduce the risk of data leakage and protect sensitive information.

Implement a transaction delay mechanism that will allow time to detect unauthorized attempts.
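The checks above can be written down as a pre-signing gate. The following is an added example, not code from Bybit or any wallet vendor: it compares every field of the payload about to be signed against the independently approved transfer, so a screen that shows the correct address cannot hide altered contract data, and it enforces the delay. The field names, the address, the 24-hour hold and the SHA-256 digest (a stand-in for the wallet's real transaction hash) are assumptions.

```python
import hashlib
import json

# Constructed sample values; every name and address here is hypothetical.
WARM_WALLET = "0x" + "11" * 20
ALLOWED_DESTINATIONS = {WARM_WALLET}
MIN_DELAY_SECONDS = 24 * 3600  # assumed policy: 24-hour hold before signing


def payload_digest(tx: dict) -> str:
    """Stand-in digest over every field, for read-back between devices."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def review(approved: dict, to_sign: dict, queued_at: int, now: int) -> list:
    """Return reasons to refuse signing; an empty list means proceed."""
    findings = []
    # Compare all fields, not only the destination shown on screen.
    for field in sorted(set(approved) | set(to_sign)):
        if approved.get(field) != to_sign.get(field):
            findings.append(f"{field}: approved {approved.get(field)!r}, "
                            f"asked to sign {to_sign.get(field)!r}")
    if str(to_sign.get("to", "")).lower() not in ALLOWED_DESTINATIONS:
        findings.append("to: destination is not on the allowlist")
    if now - queued_at < MIN_DELAY_SECONDS:
        findings.append("delay: hold period has not elapsed")
    return findings


# What the custodians approved out of band (constructed).
APPROVED = {"to": WARM_WALLET, "value_wei": 5 * 10**18, "data": "0x"}
# Same destination on screen, but the payload carries different call data.
ALTERED = dict(APPROVED, data="0xdeadbeef")

if __name__ == "__main__":
    queued = 1_700_000_000  # constructed timestamp
    print(review(APPROVED, APPROVED, queued, queued + MIN_DELAY_SECONDS))
    for reason in review(APPROVED, ALTERED, queued, queued + 60):
        print("REFUSE:", reason)
    print("digests match:", payload_digest(APPROVED) == payload_digest(ALTERED))
```

Each signer should compute the digest on their own device and read it back to the others before approving.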

Employee Education and Access Control

Phishing and social engineering tactics are widespread in cyberspace, and hackers commonly use them to steal personal details in order to break into secured systems. Training yourself or your employees to recognize threats will be your first line of defense.

When you are dealing with any high-value assets, you should apply the principle of least privilege. That means granting access only to those who truly need it. Especially when a large sum of money is involved, even the supposedly most honest person you know can be tempted to betray you.

In a company setting, you should enforce strict offboarding protocols to revoke access from departing employees immediately.

Backup and Disaster Recovery Plans

Despite all the precautionary measures, you should still prepare for your cold wallets to go missing or to be stolen or damaged.

Remember that your crypto funds are actually stored on the blockchain and not on the hardware. As long as you still have your private keys, you can still access your funds.

Therefore, you should maintain encrypted backups of private keys and store them in a secured location. Recovery phrases must never be stored on online cloud services or connected to the Internet.

You should also make it a habit to regularly test recovery procedures to ensure you can quickly regain access to funds.

Final Thoughts

The Bybit hack serves as a stark reminder that cold wallets are not invincible. Blockchain technology is inherently secure, but human error, operational oversights, and smart contract vulnerabilities can still lead to catastrophic losses.

In conclusion, to better protect your crypto funds:

  • Set up multiple layers of defense. No single solution is sufficient.
  • Regularly review and update your security protocols.
  • Always stay up to date on the latest threats and prevention techniques.
