Security Community: Bybit attackers use "social engineering" techniques to mislead reviewers into mistaking contract changes for transfers

ChainCatcher message, according to a post by the security community Dilation Effect on platform X: "Compared to previous similar incidents, in the Bybit incident, only one signer needed to be compromised to complete the attack, as the attacker used a 'social engineering' technique.

Analyzing on-chain transactions reveals that the attacker executed a malicious contract's transfer function through delegatecall. The transfer code modifies the value of slot 0 using the SSTORE instruction, thereby changing the implementation address of Bybit's cold wallet multi-signature contract to the attacker's address. The transfer here is very clever; it only requires dealing with the person/device initiating this multi-signature transaction, and the subsequent reviewers will significantly lower their guard when they see this transfer. Because a normal person seeing a transfer would think it's just a transfer, who would know it's actually changing the contract? The attacker's methods have evolved again."