Blog / Expert's Opinion
Andrew Smith Feb 27, 2025

Bybit’s Custody $1.5B Mistake: How to Make Sure Your Digital Assets Aren’t Next

The recent ByBit hack is a stark reminder of the critical importance of security in crypto. As crypto adoption grows and digital assets become more widely used, custodians face increasing pressure from hackers. With vast assets at stake, neither insurance nor certifications alone provide real protection. The only real defense is designing solutions with uncompromising security at their core. At Scalable Solutions, we leverage a decade of industry expertise to build security-first architectures, proactively shielding our clients from evolving threats.

Another day, another crypto hack - this time, Bybit found itself in the spotlight for all the wrong reasons. The attack exploited a weakness in its multisig implementation, leaving users exposed and funds drained. But here’s the thing: this wasn’t an inevitable disaster. With the right custody solution in place, this could have been nothing more than a hacker’s failed attempt.

So, let’s break down what happened and, more importantly, how our Scalable Custody Solution would have made this breach impossible.

What Went Wrong at Bybit

Bybit’s security flaw stemmed from its use of upgradable proxy contracts - a double-edged sword in asset management. This happens by using a proxy that forwards calls to an implementation contract, which can be updated as needed. While this provides flexibility, it also introduces a significant security risk: if an attacker can modify the contract logic, they can gain control over the assets governed by that contract.

Hackers manipulated users into signing a transaction that replaced Bybit’s proxy contract logic with malicious code. The result? Attackers gained control and rerouted funds before anyone could react.

This exploit is a textbook example of why public, modifiable smart contracts are a massive security risk in custody solutions. If the logic controlling asset flows can be altered, the entire system becomes a ticking time bomb.

How Our Custody Solution Prevents Such Attacks
At Scalable Solutions, we design our custody solution with zero trust and maximum security in mind. Here’s why our approach makes attacks like the Bybit hack virtually impossible:

1. No Web-Based Approvals = Minimum Chance to Be Compromised

Bybit’s attack required tricking users through a compromised UI. Our custody solution eliminates this risk entirely by using a dedicated desktop and mobile app for approvals instead of a web interface. Why does this matter?

Web interfaces are easier to spoof and compromise.
A hacker can’t inject malicious transactions if there’s no web UI to hijack.

With our approach, all the transactions are approved in a verified and trusted app.

2. No Third-Parties for sensitive operations

Unlike Bybit, we do not use public or upgradable smart contracts for asset management. Our system ensures that even if an attacker tries to reroute approvals, there’s no mutable contract logic to exploit. If it’s not upgradable, it’s not hackable in the same way.

3. On-Prem Policy Enforcement = No Unauthorized Transactions

Another fundamental security layer in our custody solution is on-prem transfer verification. Here’s how it works:

Every transfer address is checked against an allowlist before execution.
Every contract, method and parameter is verified before approval.
If anything doesn’t match predefined policies, the transaction won’t be signed.

Even if a hacker managed to spoof the UI, they still wouldn’t be able to execute unauthorized transactions because our highly secure system enforces policies locally - not in the cloud, where they could be tampered with.

4. DeFi Interactions with Full Transaction Transparency

When interacting with DeFi protocols, our custody security system doesn't just allow users to approve transactions. Instead, it:

  • Decodes and verifies every smart contract call.
  • Ensures that only pre-approved methods and limits are executed.
  • Flags and prevents unknown contract ABIs from being signed blindly.

Even if a DeFi protocol were compromised, our security layers would prevent unauthorized withdrawals by limiting them..

5. Paranoia Mode: The Ultimate Defense

For institutions requiring absolute security, we offer Paranoia Mode - a setting that locks down policy changes, except for withdrawal limits, unless the entire vault is reinstalled. Why is this a game-changer?

Even if hackers steal every key from every custody operator, they cannot alter contract policies.
The worst they could do is attempt to withdraw existing funds within set limits—but even that would require proper approvals.

In other words: total compromise still wouldn’t mean total loss.

The recent ByBit hack is a stark reminder of the critical importance of security in crypto. As crypto adoption grows and digital assets become more widely used, custodians face increasing pressure from hackers. With vast assets at stake, neither insurance nor certifications alone provide real protection. The only real defense is designing solutions with uncompromising security at their core. At Scalable Solutions, we leverage a decade of industry expertise to build security-first architectures, proactively shielding our clients from evolving threats.
Val Kuznetsov, CEO of Scalable Solutions

Conclusion: The Right Custody Solution Makes Hacks Like Bybit’s Impossible

Bybit’s hack was a painful reminder that not all custody solutions are created equal. Upgradable proxy contracts, web-based approvals, and off-prem policy storage all contributed to the disaster.

At Scalable Solutions, we built our custody system to eliminate these vulnerabilities entirely. With a secure desktop and mobile approval process, immutable security policies, and on-premise enforcement, our solution ensures that hackers can’t pull off what happened at Bybit - ever.

Ready to safeguard your assets with institutional-grade security? Let’s talk.

Expert's Opinion
Related posts
Andrew Smith Jan 8, 2025
Crypto Custody: Should Institutions Build or Buy Their Custodial Solutions?
Custody is a fundamental requirement for institutions looking to engage in crypto trading, asset management, and decentralized finance (DeFi), but the path to secure and compliant custody is not straightforward. One of the biggest decisions financial firms face is whether to build their own crypto custody infrastructure or buy from established third-party providers. Let's take a closer look: here are some pros and cons of both approaches. But first, let's answer a simple question.
Expert's Opinion
Adam Berker Jan 8, 2025
Understanding the EU Travel Rule: A Guide for Crypto Asset Service Providers (CASPs)
The EU Travel Rule mandates CASPs to share sender and recipient data for crypto transactions, enhancing transparency and AML compliance. Applicable to both EU and non-EU CASPs, it takes full effect by July 2025. CASPs must implement secure data transfers, identity verification, and risk management to ensure compliance and avoid penalties.
Legal Insights