Avoiding the $1.5 Billion Bybit Attack with Web3 Access Protocol (web3://)
What Happened?
The root cause of Bybit’s historic $1.5 billion attack was finally uncovered yesterday. The attacker exploited a vulnerability by maliciously replacing the frontend of Safe hosted on its centralized server. By deploying a nearly identical frontend, they tricked Bybit operators into signing a fraudulent transaction that transferred the ownership of Bybit’s multi-signature wallet to the attacker. Once they gained control, they drained the entire $1.5 billion to their own account, marking the largest financial attack in history.
This attack highlights a critical weakness in the current web3 infrastructure. Despite the robust security of Ethereum’s smart contracts, most web3 frontends rely on centralized components such as DNS and centralized servers, which exposes them to several key risks:
- Integrity of Frontend Files: Frontend files can be maliciously altered through DNS hijacking or server breaches.
- Transparency: Changes to frontend files are difficult to detect, with no transparent change history. We currently rely on third-party services like the Internet Archive for version tracking.
- Availability: Centralized components are vulnerable to censorship (e.g., Infura blocking requests from certain regions) or server outages.
Can We Do Better for Web3?
Enter web3:// — a fully on-chain frontend protocol (ERC-4804/6860) designed to address these vulnerabilities. The core idea is to host the frontend on the blockchain, ensuring it enjoys the same level of security as the smart contract itself. With web3://, we can achieve:
- Integrity of Frontend Files: The frontend cannot be modified without the contract owner’s explicit action. Additionally, users can verify that the frontend they see matches the on-chain version using Ethereum’s light client verification technologies.
- Transparency: Any changes to the frontend are made through on-chain transactions, ensuring a public, immutable change history.
- Availability: By leveraging Ethereum’s network, the frontend achieves the same level of uptime as the blockchain itself — virtually 100% since genesis.
How to Use web3://?
You can experience the power of web3:// today by
- using our gateways, such as w3url.io, or
- using the native EVM browser: https://github.com/web3-protocol/evm-browser….
Several project homepages, including web3://, EthStorage, QuarkChain, and even a copy of Vitalik’s blog, are already hosted on-chain and accessible via web3://.
Ongoing and Future Directions
While web3:// addresses critical security issues, several challenges remain:
- Storage Cost: Ethereum’s storage cost is prohibitively high — around $1M per gigabyte — a major barrier to widespread adoption. EthStorage, an Ethereum L2 solution, aims to reduce this cost by 1000x.
- Transaction Cost: The high transaction fees on Ethereum can be prohibitive, especially for frequently updated websites. The Super World Computer project by QuarkChain is developing a custom OP L2 with EthStorage as its L3, providing both low transaction and storage costs.
- Client-Side Verification: To guarantee file integrity, we need a robust client-side verification mechanism. Light-client verification, such as that used by Helios by @NoahCitron, is a promising approach we are actively exploring.
- Browser Integration: For a seamless user experience, client-side verification should be integrated into the browser, ensuring that all web3:// websites are verified automatically.
- Decentralized Access to Ethereum: To protect against censorship from centralized RPC servers, decentralized access to the Ethereum network is essential. We are collaborating with the Ethereum Portal Network to achieve this fully decentralized solution.
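The integrity check that the Integrity of Frontend Files point and the Client-Side Verification point above call for, as an added example (this is illustrative code, not code from the web3:// project): it parses the web3:// host into address and chain id, ABI-decodes the `bytes` value an `eth_call` to the frontend contract returns, and compares it byte-for-byte with what a gateway served. It assumes the `eth_call` result has already been authenticated (for example by a light client such as Helios) and that the contract returns the page as a single ABI-encoded `bytes` value, as ERC-4804 does for auto mode without a `returns` attribute; the address, URL and HTML are constructed samples.

```python
import re
from urllib.parse import urlsplit

# web3://<address>[:<chainid>]/<path> (ERC-4804). ENS names are also valid hosts
# but need a resolver, so this example accepts hex addresses only.
HOST_RE = re.compile(r"^(0x[0-9a-fA-F]{40})(?::(\d+))?$")

def parse_web3_url(url):
    """Return (address, chain_id, path); the chain id defaults to 1 (mainnet)."""
    parts = urlsplit(url)
    if parts.scheme != "web3":
        raise ValueError("not a web3:// URL")
    m = HOST_RE.match(parts.netloc)
    if not m:
        raise ValueError("host must be a 0x address, optionally followed by :chainid")
    return m.group(1).lower(), int(m.group(2) or 1), parts.path or "/"

def decode_abi_bytes(ret):
    """Decode one ABI-encoded `bytes` return value: [offset][length][data+padding].
    Every bound is checked so a truncated or crafted response raises instead of
    yielding a partial page."""
    if len(ret) < 64 or len(ret) % 32:
        raise ValueError("return data too short or not 32-byte aligned")
    offset = int.from_bytes(ret[:32], "big")
    if offset + 32 > len(ret):
        raise ValueError("offset points outside return data")
    length = int.from_bytes(ret[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(ret):
        raise ValueError("length exceeds return data")
    return ret[start:start + length]

def encode_abi_bytes(data):
    """Inverse of decode_abi_bytes; used here only to build the sample eth_call result."""
    padding = b"\0" * (-len(data) % 32)
    return (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + data + padding

def gateway_matches_chain(served, eth_call_result):
    """True iff the gateway's body is byte-identical to what the contract returns.
    The caller must already have authenticated eth_call_result (e.g. via a light client)."""
    return decode_abi_bytes(eth_call_result) == served

# Constructed sample values (not from the post): a placeholder contract address, the
# HTML it "returns" for /index.html, and a tampered copy a compromised gateway might serve.
SAMPLE_ADDR = "0x" + "0" * 36 + "dEaD"
SAMPLE_URL = f"web3://{SAMPLE_ADDR}:1/index.html"
ONCHAIN_HTML = b'<html><body><button id="sign">Review & sign</button></body></html>'
ETH_CALL_RESULT = encode_abi_bytes(ONCHAIN_HTML)
TAMPERED_HTML = ONCHAIN_HTML.replace(b"Review & sign", b"Sign")

if __name__ == "__main__":
    print(parse_web3_url(SAMPLE_URL))
    print("honest gateway matches chain:", gateway_matches_chain(ONCHAIN_HTML, ETH_CALL_RESULT))
    print("tampered gateway matches chain:", gateway_matches_chain(TAMPERED_HTML, ETH_CALL_RESULT))
```

In a real browser integration the `eth_call_result` would come from a light-client-verified RPC and `served` from the gateway response body; the comparison itself is all the client needs.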
Want to Learn More?
Visit our website for more details or contact us directly.
- Web3:// Website: web3url.io
- EthStorage Website: https://ethstorage.io/
- Twitter: https://x.com/EthStorage
- Discord: https://discord.com/invite/xhCwaMp7ps
- Telegram: https://t.me/ethstorage