Attackers initiated the exploit through a malicious implementation contract (0x96221423681a6d52e184d440a8efcebb105c7242), deploying a nested delegatecall structure. This payload executed a seemingly benign transfer() function that overwrote slot0, the storage slot holding the proxy's implementation address. By modifying stor0, the attackers replaced the legitimate GnosisSafe implementation (0x34cfac646f301356faa8b21e94227e3583fe3f5f) with their backdoored contract (0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516), gaining full control of the wallet. Attackers exploited Safe{Wallet}'s AWS-compromised UI to display legitimate transaction details while masking the proxy upgrade. Signers approved what appeared to be routine ETH transfers, unaware of the embedded SSTORE operation modifying slot0.

The breach, attributed to North Korea's Lazarus Group via blockchain fingerprinting, resulted in the theft of 401,346.76 ETH (valued at $1.12 billion) through meticulously engineered delegatecall operations targeting Gnosis Safe's multisig architecture. The incident underscores critical vulnerabilities in multisig wallet implementations, prompting Safe{Wallet} to mandate EIP-1271 signature validations for all contract upgrades.
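
A signer-side check for the pattern described above, as an added example that is not code from the article or from Safe: it flags a Safe transaction whose `operation` field requests a delegatecall to a target outside an allowlist, and any change to the implementation address in storage slot 0. The function names and the allowlist are hypothetical, the addresses are the ones quoted in the article, and the before/after slot values are assumed to come from the signer's own simulation of the transaction rather than from the wallet UI.

```python
CALL, DELEGATECALL = 0, 1  # values of the Safe transaction `operation` field

# Addresses as quoted in the article.
LEGIT_IMPL = "0x34cfac646f301356faa8b21e94227e3583fe3f5f"
DELEGATE_TARGET = "0x96221423681a6d52e184d440a8efcebb105c7242"
BACKDOOR_IMPL = "0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516"


def slot_word(address: str) -> bytes:
    """Encode an address as the 32-byte word a proxy keeps in storage slot 0."""
    return bytes.fromhex(address[2:]).rjust(32, b"\x00")


def slot0_address(word: bytes) -> str:
    """Decode the implementation address from the low 20 bytes of slot 0."""
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    return "0x" + word[-20:].hex()


def review_safe_tx(tx, slot0_before, slot0_after, delegatecall_allowlist=frozenset()):
    """Return a list of findings; an empty list means no objection to signing.

    Assumption: slot0_before/slot0_after come from the signer's own
    simulation of the transaction, not from the wallet UI.
    """
    findings = []
    target = tx["to"].lower()
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append(f"unknown operation {tx['operation']}")
    elif tx["operation"] == DELEGATECALL and target not in delegatecall_allowlist:
        findings.append(f"delegatecall to non-allowlisted target {target}")
    before, after = slot0_address(slot0_before), slot0_address(slot0_after)
    if before != after:
        findings.append(f"slot 0 implementation changes {before} -> {after}")
    return findings


# Constructed sample transactions (calldata omitted; the check does not parse it).
SUSPICIOUS_TX = {"to": DELEGATE_TARGET, "value": 0, "data": "0x", "operation": DELEGATECALL}
ROUTINE_TX = {"to": "0x" + "11" * 20, "value": 10**18, "data": "0x", "operation": CALL}

if __name__ == "__main__":
    for line in review_safe_tx(SUSPICIOUS_TX, slot_word(LEGIT_IMPL), slot_word(BACKDOOR_IMPL)):
        print("BLOCK:", line)
    print(review_safe_tx(ROUTINE_TX, slot_word(LEGIT_IMPL), slot_word(LEGIT_IMPL)))
```

The two checks are independent on purpose: the storage comparison still fires if a delegatecall target was allowlisted by mistake.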
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 06 Mar 2025 06:50:19 +0000