Qi Zhou
@qc_qizhou
Founder of web3://, EthStorage, and QuarkChain. Web3 enthusiast, social experimenter, developer, and father. Writing/playing with EIPs-4804/4972/5018/5027/5478
Avoiding the $1.5 Billion Bybit Attack with web3://

# What Happened?

The root cause of Bybit's historic $1.5 billion attack was finally uncovered yesterday. The attacker exploited a vulnerability by maliciously replacing the frontend of Safe hosted on its centralized server. By deploying a nearly identical frontend, they tricked Bybit operators into signing a fraudulent transaction that transferred the ownership of Bybit's multi-signature wallet to the attacker. Once they gained control, they drained the entire $1.5 billion to their own account, marking the largest financial attack in history.

This attack highlights a critical weakness in the current web3 infrastructure. Despite the robust security of Ethereum's smart contracts, most web3 frontends rely on centralized components such as DNS and centralized servers, making them vulnerable to attacks with several key risks:

- Integrity of Frontend Files: Frontend files can be maliciously altered through DNS hijacking or server breaches.
- Transparency: Changes to frontend files are difficult to detect, with no transparent change history. We currently rely on third-party services like the Internet Archive for version tracking.
- Availability: Centralized components are vulnerable to censorship (e.g., Infura blocking requests from certain regions) or server outages.

# Can We Do Better for Web3?

Enter web3://—a fully on-chain frontend protocol (ERC-4804/6860) designed to address these vulnerabilities. The core idea is to host the frontend on the blockchain, ensuring it enjoys the same level of security as the smart contract itself. With web3://, we can achieve:

- Integrity of Frontend Files: The frontend cannot be modified without the contract owner's explicit action. Additionally, users can verify that the frontend they see matches the on-chain version using Ethereum's light client verification technologies.
- Transparency: Any changes to the frontend are made through on-chain transactions, ensuring a public, immutable change history.
- Availability: By leveraging Ethereum's network, the frontend achieves the same level of uptime as the blockchain itself — virtually 100% since genesis.

# How to Use web3://?

You can experience the power of web3:// today by

- using our gateways, such as w3url.io, or
- through the native EVM browser: https://t.co/rMIfhmQRHr.

Several project homepages, including web3://, EthStorage, QuarkChain, and even a copy of Vitalik's blog, are already hosted on-chain and accessible via web3://.

# Ongoing and Future Directions

While web3:// addresses critical security issues, several challenges remain:

- Storage Cost: Ethereum's storage cost is prohibitively high — around $1M per gigabyte — a major barrier to widespread adoption. @EthStorage, an Ethereum L2 solution, aims to reduce this cost by 1000x.
- Transaction Cost: The high transaction fees on Ethereum can be prohibitive, especially for frequently updated websites. The Super World Computer project by @Quark_Chain is developing a custom OP L2 designed for EthStorage as L3, providing both low transaction and storage costs.
- Client-Side Verification: To guarantee file integrity, we need a robust client-side verification mechanism. Light-client verification, such as that used by Helios by @NoahCitron, is a promising approach we are actively exploring.
- Browser Integration: For a seamless user experience, client-side verification should be integrated into the browser, ensuring that all web3:// websites are verified automatically.
- Decentralized Access to Ethereum: To protect against censorship from centralized RPC servers, decentralized access to the Ethereum network is essential. We are collaborating with the Ethereum Portal Network to achieve this fully decentralized solution.

# Want to Learn More?

Visit our website for more details or contact us directly. If you're attending EthDenver, feel free to stop by our booth!
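The three properties the post claims for an on-chain frontend (owner-only writes, a public change history, and client-side verification against chain state) can be shown in a small model. The following is an added illustration, not code from the web3:// project or the author: the "contract" is an in-memory object, the content hash is SHA-256 as a stand-in for keccak256, the gateway is a function that may substitute its own bytes, the owner address `0xOWNER` and the HTML pages are constructed placeholders, and the client's "light-client view" is simply direct access to the same in-memory state. The security point it demonstrates is that a client which hashes what the gateway served and compares it with the commitment stored on chain rejects a forged page before rendering it, regardless of which server delivered the bytes.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def content_hash(data: bytes) -> str:
    # Stand-in for keccak256: all that matters is a commitment to the exact bytes.
    return hashlib.sha256(data).hexdigest()


@dataclass
class FrontendContract:
    """In-memory stand-in for an on-chain file contract (an assumption of this
    example, not the web3:// implementation). Only the owner may write, and every
    write is appended to a public, append-only history: the transparency property."""
    owner: str
    files: Dict[str, bytes] = field(default_factory=dict)
    history: List[Tuple[int, str, str, str]] = field(default_factory=list)

    def write_file(self, sender: str, path: str, data: bytes) -> None:
        if sender != self.owner:
            raise PermissionError("only the contract owner can change the frontend")
        self.files[path] = bytes(data)
        # (sequence number, sender, path, hash) is the on-chain audit trail.
        self.history.append((len(self.history), sender, path, content_hash(data)))

    def read_file(self, path: str) -> bytes:
        return self.files[path]

    def file_hash(self, path: str) -> str:
        return content_hash(self.files[path])


class Gateway:
    """An HTTP gateway proxying chain reads. `tampered` models a compromised
    gateway that serves its own bytes for some paths instead of chain state."""

    def __init__(self, chain: FrontendContract, tampered: Optional[Dict[str, bytes]] = None):
        self.chain = chain
        self.tampered = tampered or {}

    def serve(self, path: str) -> bytes:
        return self.tampered.get(path, self.chain.read_file(path))


class VerifyingClient:
    """Browser-side check: hash the served bytes and compare with the hash the
    client reads from chain state through its own (light-client) view."""

    def __init__(self, chain_view: FrontendContract):
        self.chain_view = chain_view

    def fetch(self, gateway: Gateway, path: str) -> bytes:
        body = gateway.serve(path)
        expected = self.chain_view.file_hash(path)
        actual = content_hash(body)
        if actual != expected:
            raise ValueError(f"{path}: served hash {actual[:12]} != on-chain {expected[:12]}")
        return body


# Constructed sample pages; the addresses are placeholders, not real ones.
SAFE_PAGE = b"<html><body><h1>Confirm transfer to 0xBEEF...</h1></body></html>"
FORGED_PAGE = b"<html><body><h1>Confirm transfer to 0xBAD0...</h1></body></html>"


def build_contract() -> FrontendContract:
    contract = FrontendContract(owner="0xOWNER")  # placeholder owner address
    contract.write_file("0xOWNER", "/index.html", b"<html>v1</html>")
    contract.write_file("0xOWNER", "/index.html", SAFE_PAGE)  # legitimate update
    return contract


def run_demo() -> dict:
    contract = build_contract()
    client = VerifyingClient(contract)
    results = {"history_len": len(contract.history)}

    # 1. Honest gateway: the served bytes match the on-chain commitment.
    results["honest"] = client.fetch(Gateway(contract), "/index.html") == SAFE_PAGE

    # 2. Compromised gateway: the forged page is rejected before rendering.
    try:
        client.fetch(Gateway(contract, {"/index.html": FORGED_PAGE}), "/index.html")
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    # 3. A non-owner cannot rewrite the frontend in place.
    try:
        contract.write_file("0xNOT_OWNER", "/index.html", FORGED_PAGE)
        results["unauthorized_write_blocked"] = False
    except PermissionError:
        results["unauthorized_write_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The `history` list is the part a defender would actually monitor in production: every legitimate frontend change produces a logged on-chain write, so a page whose hash matches no entry in the history is, by construction, not something the owner published.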