Difficulty

Intermediate

Read Time

9 min

How a Single JavaScript File Bypassed a $1.5B Multi-Sig: Anatomy of the Bybit Hack

By Codcompass Team·2026-05-10·9 min read

The Frontend Supply Chain: Why Multi-Sig Signatures Aren't Enough

Current Situation Analysis

The cryptocurrency custody landscape has spent the last decade optimizing for cryptographic certainty. Multi-signature wallets, formal verification, and mathematical invariants form the bedrock of institutional security. Yet, the February 21, 2025, Bybit incident revealed a critical architectural blind spot: the human verification layer between the browser and the hardware wallet.

When 401,347 ETH (valued at $1.5 billion) was drained from Bybit's cold storage, the smart contracts executed flawlessly. The Gnosis Safe multi-sig logic held. Elliptic curve signatures were mathematically valid. The failure occurred entirely off-chain, within the web interface supply chain. State-sponsored operators infiltrated the deployment pipeline hosting the Safe{Wallet} frontend, injecting a dormant JavaScript bundle into the React asset pipeline. The script remained inactive for standard traffic but triggered a payload substitution when it detected a high-value multi-sig session. The browser UI displayed a routine internal transfer to a legitimate warm wallet, while the underlying transaction calldata was silently rewritten to route funds to an attacker-controlled contract.

This attack vector succeeds because traditional security models operate on a flawed trust assumption: that a cryptographically valid signature from an authorized custodian equals legitimate intent. Smart contract audits, fuzzing suites, and invariant checkers are designed to verify on-chain state transitions. They treat the transaction payload as a given. They do not validate how that payload was constructed, transmitted, or rendered to the human approver.

Hardware wallets compound the problem. Multi-sig execution typically routes through proxy contracts and execTransaction calls, generating complex, nested calldata that exceeds the display and decoding capabilities of standard Ledger or Trezor firmware. When devices cannot parse the payload, they default to blind signing, presenting custodians with a raw hexadecimal hash and a generic approval prompt. Trusting the browser interface, signers approve the hash. The cryptography works exactly as designed. The intent does not.

The industry has systematically underestimated frontend integrity because it falls outside the EVM boundary. Security budgets are allocated to Solidity audits, formal verification, and bug bounties targeting contract logic. Meanwhile, the deployment pipeline, content delivery networks, and browser execution environment remain largely unmonitored. This asymmetry creates a high-reward, low-friction attack surface that adversaries now prioritize over direct cryptographic or smart contract exploitation.

WOW Moment: Key Findings

The Bybit incident forces a recalibration of security investment. The table below contrasts traditional smart contract security layers against the frontend/integration attack surface, highlighting detection gaps and mitigation requirements.

Security Layer	Primary Attack Vector	Detection Rate in Standard Audits	Mitigation Complexity
Smart Contract Logic	Math/Invariant flaws	85-90%	Medium (formal verification/fuzzing)
Multi-Sig Execution	Blind signing/Calldata mismatch	<15%	High (requires firmware/policy changes)
Frontend Supply Chain	Bundle injection/UI spoofing	<5%	Medium-High (CSP/SRI/immutable hosting)
Custodian Workflow	Social engineering/Session hijack	<10%	High (MFA/hardware isolation/training)

This data reveals a structural imbalance. Over 90% of audit effort targets contract logic, yet the highest-value exploits now bypass the EVM entirely by manipulating the transaction construction pipeline. The finding matters because it shifts the security paradigm from verifying mathematical correctness to verifying transaction lifecycle integrity. When the frontend can lie about destination addresses and amounts, cryptographic signatures become execution commands for malicious intent. Closing this gap requires treating the browser environment, deployment pipeline, and hardware wallet firmware as a single, contin

uous trust boundary.

Core Solution

Securing multi-signature execution requires a pipeline that validates transaction integrity at three distinct stages: frontend asset verification, pre-execution state simulation, and hardware wallet payload decoding. The architecture replaces blind trust with cryptographic verification at each handoff.

Step 1: Frontend Asset Integrity Verification

Static asset injection succeeds when deployment pipelines lack cryptographic binding between source code and served bundles. Implement Subresource Integrity (SRI) hashes combined with strict Content Security Policies (CSP) to prevent unauthorized script execution.

// integrityVerifier.ts
import { createHash } from 'crypto';

export class AssetIntegrityVerifier {
  private expectedHashes: Map<string, string>;

  constructor(bundleManifest: Record<string, string>) {
    this.expectedHashes = new Map(
      Object.entries(bundleManifest).map(([path, hash]) => [path, hash])
    );
  }

  public verifyBundle(bundlePath: string, rawContent: string): boolean {
    const expected = this.expectedHashes.get(bundlePath);
    if (!expected) return false;

    const computed = createHash('sha384')
      .update(rawContent)
      .digest('base64');

    return `sha384-${computed}` === expected;
  }
}

Architecture Rationale: SRI hashes bind served JavaScript to a known cryptographic fingerprint. If a deployment pipeline is compromised and a bundle is altered, the hash mismatch triggers a runtime abort before any transaction logic executes. This prevents dormant injection scripts from loading in the first place.

Step 2: Pre-Execution State Simulation

Never trust the frontend UI to represent the actual state change. Route all transaction payloads through an isolated simulation environment before presenting them to custodians.

// transactionSimulator.ts
import { ethers } from 'ethers';

export interface SimulationResult {
  success: boolean;
  stateChanges: Record<string, string>;
  error?: string;
}

export class TransactionSimulator {
  private provider: ethers.JsonRpcProvider;
  private simulationEndpoint: string;

  constructor(rpcUrl: string, simEndpoint: string) {
    this.provider = new ethers.JsonRpcProvider(rpcUrl);
    this.simulationEndpoint = simEndpoint;
  }

  public async dryRun(
    targetContract: string,
    calldata: string,
    value: bigint
  ): Promise<SimulationResult> {
    try {
      const response = await fetch(this.simulationEndpoint, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          contract: targetContract,
          data: calldata,
          value: value.toString(),
          blockTag: 'latest'
        })
      });

      const result = await response.json();
      
      if (!result.status || result.revert) {
        return { success: false, stateChanges: {}, error: result.error || 'Simulation failed' };
      }

      return {
        success: true,
        stateChanges: result.stateDiff || {}
      };
    } catch (err) {
      return { success: false, stateChanges: {}, error: 'Simulation endpoint unreachable' };
    }
  }
}

Architecture Rationale: Independent simulation decouples transaction validation from the signing interface. By routing calldata through a dedicated simulation API (Tenderly, Foundry Anvil, or custom RPC), you verify exact state mutations before any hardware wallet interaction. If the simulation detects fund routing to an unapproved address or unexpected balance shifts, the pipeline halts execution regardless of UI rendering.

Step 3: Clear Signing Payload Formatter

Hardware wallets cannot natively decode complex proxy calldata. Implement a payload formatter that extracts human-readable parameters and structures them for clear signing displays.

// clearSignFormatter.ts
import { ethers } from 'ethers';

export interface ClearSignPayload {
  destination: string;
  amount: string;
  token: string;
  method: string;
  rawCalldata: string;
}

export class ClearSignFormatter {
  private abi: ethers.Interface;

  constructor(contractAbi: string) {
    this.abi = new ethers.Interface(contractAbi);
  }

  public decodeTransaction(calldata: string): ClearSignPayload {
    const parsed = this.abi.parseTransaction({ data: calldata });
    if (!parsed) {
      throw new Error('Unable to parse transaction calldata');
    }

    return {
      destination: parsed.args[0] as string,
      amount: ethers.formatEther(parsed.args[1] as bigint),
      token: 'ETH',
      method: parsed.name,
      rawCalldata: calldata
    };
  }

  public formatForHardware(payload: ClearSignPayload): string {
    return [
      `Method: ${payload.method}`,
      `Recipient: ${payload.destination}`,
      `Amount: ${payload.amount} ETH`,
      `Verify address matches your records before signing.`
    ].join('\n');
  }
}

Architecture Rationale: Clear signing bridges the hardware wallet decoding gap. By parsing calldata client-side and formatting it into explicit, human-readable fields, custodians verify actual transaction parameters on the physical device screen. This eliminates the blind signing fallback that enabled the Bybit exploit. The raw calldata remains available for cryptographic verification, but the approval decision is based on decoded intent.

Pitfall Guide

1. Assuming Valid Signature Equals Valid Intent

Explanation: Cryptographic signatures only prove that a private key authorized a specific hash. They do not validate the human intent behind that hash. If the frontend lies about the payload, the signature authorizes the lie. Fix: Decouple signature validation from intent verification. Require independent simulation and clear signing displays before any approval.

2. Relying on Default Hardware Wallet Calldata Rendering

Explanation: Standard Ledger/Trezor firmware cannot parse nested proxy calls or multi-sig execution payloads. They default to blind signing when decoding fails. Fix: Implement custom transaction decoders or use hardware wallet firmware that supports clear signing for your specific contract ABIs. Never approve raw hex without decoded context.

3. Neglecting Content Security Policies in Admin Dashboards

Explanation: Multi-sig interfaces often lack strict CSP headers, allowing injected scripts to execute, modify DOM elements, or intercept network requests. Fix: Deploy restrictive CSP policies that whitelist only approved script sources, disable inline execution, and block unauthorized fetch/XHR calls. Apply SRI hashes to all static assets.

4. Skipping Pre-Execution State Simulation

Explanation: Frontend UIs render transaction previews based on client-side logic. If that logic is compromised, the preview matches the malicious payload. Fix: Route all transactions through an isolated simulation environment that independently calculates state changes. Block execution if simulation output diverges from expected parameters.

5. Using Mutable Cloud Storage for Critical Interfaces

Explanation: Hosting admin interfaces on mutable storage (S3, standard CDNs) allows attackers with write access to replace bundles without triggering version control alerts. Fix: Transition to immutable hosting solutions (IPFS, Arweave, or ENS-resolved content hashes) for high-value custody interfaces. Pin deployments to cryptographic content identifiers.

6. Ignoring Proxy Contract Calldata Complexity

Explanation: Multi-sig execution routes through proxy contracts, generating calldata that exceeds standard decoding limits. Engineers assume hardware wallets will display transaction details. Fix: Map proxy execution paths to explicit decoding routines. Maintain ABI registries for all multi-sig modules and ensure clear signing pipelines can parse nested execTransaction calls.

7. Treating Frontend Security as a Separate Discipline

Explanation: Smart contract auditors rarely review frontend deployment pipelines, while web engineers rarely understand multi-sig execution flows. This creates a security vacuum. Fix: Integrate frontend integrity checks into the same security review process as contract audits. Require threat modeling that spans browser environment, deployment pipeline, and hardware wallet firmware.

Production Bundle

Action Checklist

Asset Integrity: Generate and embed SRI hashes for all frontend bundles during CI/CD builds
CSP Enforcement: Deploy strict Content Security Policies blocking inline scripts and unauthorized domains
Simulation Pipeline: Route all multi-sig transactions through an independent dry-run endpoint before signing
Clear Signing: Implement ABI-based payload decoders that format transaction parameters for hardware wallet displays
Immutable Hosting: Migrate critical admin interfaces to content-addressed storage (IPFS/Arweave/ENS)
Firmware Policy: Enforce clear signing firmware requirements for all custodian hardware wallets
Circuit Breakers: Configure on-chain rate limits and timelocks to mitigate damage if a malicious transaction slips through
Audit Scope Expansion: Include frontend supply chain and transaction lifecycle in all security review checklists

Decision Matrix

Scenario	Recommended Approach	Why	Cost Impact
Institutional Cold Storage	Clear signing + independent simulation + immutable hosting	Maximizes intent verification and eliminates blind signing risk	High (infrastructure + firmware)
Mid-Tier Treasury Management	SRI verification + CSP + simulation pipeline	Balances security with deployment velocity	Medium
Developer Testing Environments	Standard multi-sig + local simulation	Acceptable risk for non-production assets	Low
High-Frequency Operations	Automated simulation + hardware wallet policy enforcement	Reduces manual approval friction while maintaining integrity	Medium-High

Configuration Template

# nginx.conf - Strict CSP + SRI Headers for Multi-Sig Interface
server {
    listen 443 ssl;
    server_name custody.yourdomain.com;

    # Content Security Policy
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted-cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://simulation-api.example.com https://rpc.yournetwork.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;

    # Subresource Integrity Enforcement
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Disable caching for critical bundles
    location /static/bundles/ {
        add_header Cache-Control "no-store, no-cache, must-revalidate";
        add_header Pragma "no-cache";
    }
}

// simulation.config.json
{
  "endpoints": {
    "rpc": "https://mainnet.infura.io/v3/YOUR_KEY",
    "simulation": "https://api.tenderly.co/simulate",
    "fallback": "https://anvil.yourdomain.com"
  },
  "policies": {
    "maxValueThreshold": "100000000000000000000",
    "allowedDestinations": ["0xWarmWallet1", "0xWarmWallet2"],
    "blockUnknownRecipients": true,
    "requireClearSign": true
  }
}

Quick Start Guide

Generate Bundle Hashes: Run your build pipeline with SRI generation enabled. Store hashes in a version-controlled manifest file.
Deploy CSP Headers: Apply the provided Nginx configuration to your custody interface. Verify headers using browser developer tools.
Initialize Simulation Client: Configure the TransactionSimulator class with your RPC and simulation endpoints. Test with a dummy transaction to verify state diff output.
Integrate Clear Signing: Load your multi-sig contract ABI into the ClearSignFormatter. Connect to your hardware wallet SDK and verify that decoded parameters display correctly on the physical device.
Enforce Pipeline Gates: Add simulation and SRI verification as mandatory checks in your CI/CD workflow. Block deployments that fail integrity or simulation thresholds.

The Bybit incident demonstrated that cryptographic guarantees are only as strong as the environment that presents them to humans. Securing multi-signature execution requires treating the browser, deployment pipeline, and hardware wallet as a single, continuous trust boundary. Verify assets cryptographically. Simulate state changes independently. Decode payloads for human verification. When you close the gap between what the interface shows and what the blockchain executes, signatures become true expressions of intent rather than execution commands for compromised UIs.

🎉 Mid-Year Sale — Unlock Full Article

Base plan from just $4.99/mo or $49/yr

7-day free trial · Cancel anytime · 30-day money-back