
The Bybit vs. Safe Custody: Liability Blame Game and the Slippery Slope of Risk

Tags: crypto fraud, crypto risk, crypto scams, crypto security | Mar 21, 2025

The crypto space is buzzing with the latest drama on the record $1.5 billion centralized exchange hack and the resulting blame game. The spotlight is on Bybit and Safe Custody locked in a "he said, she said" battle over who's responsible.

It's a familiar pattern where a sophisticated attack occurs, and companies scramble to distance themselves, protect their reputations, and, of course, avoid liability. This situation highlights the slippery slope of risk in the crypto space.

What did Bybit say and who do they blame?

Bybit claims a forensic investigation, conducted with third-party experts such as Verichains and Sygnia Labs, concluded that its own systems were not compromised.

Bybit issued a statement saying among other things:

"The forensic review into the targeted attack by the Lazarus Group concluded that the credentials of a Safe developer were compromised. This allowed the attacker to gain unauthorized access to the Safe(Wallet) infrastructure and totally deceive signers into approving a malicious transaction."

What was Safe Custody's defense?

Safe Custody pointed out that a forensic review by external security researchers did NOT find any vulnerabilities in their smart contracts or the source code of frontend services.

Safe Custody posted a tweet saying:

"Safe smart contracts unaffected, an attack was conducted by compromising a Safe {Wallet} developer machine which affected an account operated by Bybit."

What points do both parties agree on?

Both parties agree that a Safe developer's computer (machine) and/or credentials were compromised. It appears the developer may have been the victim of social engineering.

Key Takeaway

Security is only as strong as the weakest link and social engineering is the #1 attack vector. Duping humans is the easiest way to infiltrate systems.

Who bears ultimate responsibility?

On one side, Bybit is arguing that Safe Custody didn't provide adequate security measures. On the other side, Bybit "blind signed" a transaction that diverted funds to the infamous Lazarus North Korean hacking group. Safe could say Bybit failed to properly manage their own internal security. Regardless of who's ultimately "at fault," the scale of the hack shines a spotlight on the security interdependencies among service providers.

On paper, Bybit has flawless security systems and Safe has iron-clad smart contracts, so everything appears to be buttoned up nice and tight. Then bam, a monumental hack occurs. Everyone should assume risk is always lurking somewhere and keep focusing, on a daily basis, on where it could be.

Were Safe Custody's smart contracts compromised?

Safe's postmortem analysis reveals their smart contracts were not compromised. In addition, the contracts had already gone through multiple smart contract audits during the development lifecycle.

Safe.global main page highlights:

  • Entrusted to keep your assets safe
  • Safe Smart Accounts are battle-tested and used more than any other
  • $100B total assets stored
  • 39M total accounts deployed
  • 274M total transactions


Key Takeaway

Iron-clad smart contracts are only one piece of the security spectrum. The most secure smart contract has little value if funds can be stolen from another attack vector.

What are the legal ramifications?

Safe.global's terms focus mostly on limitations on the use of the website (frontend), are very limited in their breadth and depth, and, surprisingly, don't mention any limitation of liability for their smart contracts. Here is an excerpt:

Limitation of liability:

  • OUR LIABILITY IS EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW. IN PARTICULAR, BUT WITHOUT LIMITATION, WE ARE NOT LIABLE FOR
  • INDIRECT OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS, SAVINGS OR CLAIMS BY THIRD PARTIES
  • ACTS OR OMISSIONS OF OUR AUXILIARY PERSONS AND SUBCONTRACTORS,
  • SIMPLE NEGLIGENCE.

A long, drawn-out lawsuit could ultimately write the final chapter on whether Safe Custody has liability for the hack. If Bybit maintains its financial health and users are unaffected, it will focus on bringing down the hammer on Safe to mitigate the theft.

You have to wonder what kind of insurance coverage Safe Custody has, whether it's the right kind of coverage, and whether its limits are high enough for a hack of this size.

How can future incidents be prevented?

The "slippery slope" comes into play because each incident normalizes a certain level of risk. Each hack, each security lapse, erodes trust in the entire ecosystem. What starts as a $1.5 billion hack can easily escalate into something far worse, potentially crippling the entire crypto market.

Companies need to invest in fraud training (e.g., social engineering training) as much as they spend on smart contracts. If security isn't prioritized, and if we don't demand better, we're headed down a dangerous path. Security investment should focus on the weakest links, like social engineering and all the other clever backdoor methods by which users get duped on a daily basis.

As always, your goal is to get a Crypto Bullseye™.

Yours in crypto,

Kirk David Phillips, CPA, CMA, CFE, CBP
