The recent security breach for around $1.5 billion at Bybit, the world's second-largest cryptocurrency exchange by trading volume, has sent ripples through the digital asset community.
greater than $20 billion in customer assets and processes, Bybit faced a significant challenge when an attacker exploited security controls during a routine transfer from an offline “cold” wallet to a “warm” wallet used for daily trading.
According to initial reports, the vulnerability involved a home-grown Web3 implementation using Gnosis Safe — a multi-signature wallet that uses off-chain scaling techniques, contains a centralized upgradable architecture, and a user interface for signing. Malicious code deployed using the upgradable architecture made what looked like a routine transfer actually an altered contract. The incident triggered around 350,000 withdrawal requests as users rushed to secure their funds.
While considerable in absolute terms, this breach — estimated at less than 0.01% of the total cryptocurrency market capitalization — demonstrates how what once would have been an existential crisis has become a manageable operational incident.
also covered all unrecovered funds through its reserves or partner loans, further exemplifying its maturation.
Since the inception of cryptocurrencies, human error — not technical flaws in blockchain protocols — has consistently been the primary vulnerability. Examining over a decade of major cryptocurrency breaches shows that human factors have always dominated. In 2024 alone, approximately $2.2 billion was stolen.
These breaches continue to occur for similar reasons: organizations fail to secure systems because they won't explicitly acknowledge responsibility for them, or rely on custom-built solutions that preserve the illusion that their requirements are uniquely different from established security frameworks. This pattern of reinventing security approaches rather than adapting proven methodologies perpetuates vulnerabilities.
While blockchain and cryptographic technologies have proven cryptographically robust, the weakest link in security is not the technology but the human element interfacing with it. This pattern has remained remarkably consistent from cryptocurrency's earliest days to today's sophisticated institutional environments, and echoes cybersecurity concerns in other — more traditional — domains.
These human errors include mismanagement of private keys, where losing, mishandling, or exposing private keys compromises security. Social engineering attacks remain a major threat as hackers manipulate victims into divulging sensitive data through phishing, impersonation, and deception.
Human-Centric Security Solutions
Purely technical solutions cannot solve what is fundamentally a human problem. While the industry has invested billions in technological security measures, comparatively little has been invested in addressing the human factors that consistently enable breaches.
A barrier to effective security is the reluctance to acknowledge ownership and responsibility for vulnerable systems. Organizations that fail to clearly delineate what they control — or insist their environment is too unique for established security principles to apply — create blind spots that attackers readily exploit.
This reflects what security expert Bruce Schneier has termed a law of security: systems designed in isolation by teams convinced of their uniqueness almost invariably contain critical vulnerabilities that standard security practices would have addressed. The cryptocurrency sector has repeatedly fallen into this trap, often rebuilding security frameworks from scratch rather than adapting proven approaches from traditional finance and information security.
A paradigm shift toward human-centric security design is essential. Ironically, while traditional finance evolved from single-factor (password) to multi-factor authentication (MFA), early cryptocurrency simplified security back to single-factor authentication through private keys or seed phrases.
This oversimplification was dangerous, leading to the industry's speedrunning of various vulnerabilities and exploits. Billions of dollars of losses later, we arrive at the more sophisticated security approaches that traditional finance has settled on.
Modern solutions and regulatory technology should acknowledge that human error is inevitable and design systems that remain secure despite these errors rather than assuming perfect human compliance with security protocols. Importantly, the technology does not change fundamental incentives. Implementing it comes with direct costs, and avoiding it risks reputational damage.
Security mechanisms must evolve beyond merely protecting technical systems to anticipating human mistakes and being resilient against common pitfalls. Static credentials, such as passwords and authentication tokens, are insufficient against attackers who exploit predictable human behavior. Security systems should integrate behavioral anomaly detection to flag suspicious activities.
Private keys stored in a single, easily accessible location pose a major security risk. Splitting key storage between offline and online environments mitigates full-key compromise. For instance, storing part of a key on a hardware security module while keeping another part offline enhances security by requiring multiple verifications for full access — reintroducing multi-factor authentication principles to cryptocurrency security.
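The key-splitting idea above (one part on a hardware security module, another part offline, both needed to act) is a threshold scheme in disguise. The following is an added example, not code from the article or from any exchange's custody stack: a t-of-n Shamir secret sharing over GF(2^8) that generalizes the two-location split to any number of custody locations. Any t shares rebuild the key; fewer than t are rejected outright and, by construction, carry no information about it. The field arithmetic, the share layout and the sample key are all assumptions of this example.

```python
"""Threshold split of a wallet key across independent custody locations.

Added example: t-of-n Shamir secret sharing over GF(2^8). Each byte of the
secret is the constant term of a random polynomial of degree t-1; each share
is that polynomial evaluated at a distinct non-zero x. Any t shares rebuild
the byte by Lagrange interpolation at x=0; fewer than t leave every value
equally likely.
"""
import secrets

AES_POLY = 0x11B  # reduction polynomial x^8 + x^4 + x^3 + x + 1 for GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements (carry-less multiply with reduction)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254, since a^255 == 1 for every non-zero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret: bytes, threshold: int, share_count: int) -> list:
    """Return share_count (x, y_bytes) pairs; any `threshold` of them rebuild `secret`."""
    if not 1 < threshold <= share_count <= 255:
        raise ValueError("need 2 <= threshold <= share_count <= 255")
    # One random polynomial per secret byte; coefficient 0 is the byte itself.
    polys = [[byte] + list(secrets.token_bytes(threshold - 1)) for byte in secret]
    shares = []
    for x in range(1, share_count + 1):
        y = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                acc = gf_mul(acc, x) ^ c
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def recover_secret(shares: list, threshold: int) -> bytes:
    """Lagrange-interpolate each byte at x=0 from at least `threshold` shares."""
    if len(shares) < threshold:
        raise ValueError(f"{len(shares)} shares given, {threshold} required")
    shares = shares[:threshold]
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            # Basis polynomial at 0: prod_{k != j} x_k / (x_k - x_j); subtraction is XOR here.
            basis = 1
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    basis = gf_mul(basis, gf_mul(xk, gf_inv(xk ^ xj)))
            acc ^= gf_mul(yj[i], basis)
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed stand-in for a signing key
    hsm_share, offline_share, escrow_share = split_secret(key, threshold=2, share_count=3)
    assert recover_secret([hsm_share, offline_share], 2) == key
    assert recover_secret([offline_share, escrow_share], 2) == key
    print("2-of-3 custody split verified; one share alone is rejected")
```

The operational point is that no single location (HSM, offline vault, or a third custodian) ever holds the whole key, so a compromised operator or device at one location cannot sign by itself. In practice the shares would be delivered into separate signing environments rather than recombined on one host; the recombination here is only to show the arithmetic round-trips.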
Actionable Steps for a Human-Centric Security Approach
A comprehensive human-centric security framework must address cryptocurrency vulnerabilities at multiple levels, with coordinated approaches across the ecosystem rather than isolated solutions.
For individual users, hardware wallet solutions remain the best standard. However, many users prefer convenience over security responsibility, so the second-best is for exchanges to implement practices from traditional finance: default (but adjustable) waiting periods for large transfers, tiered account systems with different authorization levels, and context-sensitive security education that activates at
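The exchange-side controls listed above (default but adjustable waiting periods for large transfers, tiered authorization levels) and the earlier call for behavioral anomaly detection can be expressed as one withdrawal policy. The following is an added example, not code from the article or from any exchange: a small policy engine that decides whether a withdrawal is released immediately, held for the account's waiting period, or held and routed for review because it departs from the account's own history. The tier table, thresholds, hold period and sample history are constructed assumptions.

```python
"""Exchange withdrawal controls modelled on traditional-finance practice.

Added example: tiered authorization, a default-on but user-adjustable hold on
large transfers, and a behavioral anomaly flag derived from the account's
own withdrawal history. Tiers, limits and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import List, Optional

# Constructed tier table: amount releasable without a hold, and how many
# human approvers a held transfer needs before it can leave.
TIERS = {
    "basic":       {"instant_limit": 1_000,   "approvers": 1},
    "verified":    {"instant_limit": 25_000,  "approvers": 1},
    "institution": {"instant_limit": 500_000, "approvers": 2},
}
DEFAULT_HOLD = timedelta(hours=24)
ANOMALY_FACTOR = 5.0  # flag when amount exceeds 5x the trailing average


@dataclass
class Account:
    tier: str
    history: List[float] = field(default_factory=list)  # past withdrawal amounts
    hold_period: timedelta = DEFAULT_HOLD  # on by default; the user may adjust it


@dataclass
class Decision:
    action: str                    # "release", "hold" or "hold_and_review"
    release_at: Optional[datetime]
    approvals_required: int
    reasons: List[str]


def is_anomalous(account: Account, amount: float) -> bool:
    """Behavioral check: a withdrawal far above the account's own baseline."""
    if not account.history:
        return False  # no baseline yet; tier limits alone apply
    return amount > ANOMALY_FACTOR * mean(account.history)


def evaluate_withdrawal(account: Account, amount: float, now: datetime) -> Decision:
    """Apply tier limit, anomaly flag and hold period; never trust the request alone."""
    tier = TIERS[account.tier]
    reasons = []
    anomalous = is_anomalous(account, amount)
    if anomalous:
        reasons.append("amount far above account's trailing average")
    if amount > tier["instant_limit"]:
        reasons.append("exceeds tier instant limit")
    if not reasons:
        return Decision("release", now, 0, [])
    # Anything unusual waits out the hold period; anomalies also get a human look.
    action = "hold_and_review" if anomalous else "hold"
    return Decision(action, now + account.hold_period, tier["approvers"], reasons)


if __name__ == "__main__":
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    acct = Account("verified", history=[500.0, 800.0, 600.0])
    for amount in (900.0, 30_000.0):
        d = evaluate_withdrawal(acct, amount, now)
        print(f"{amount:>10,.0f}: {d.action:16} approvals={d.approvals_required} {d.reasons}")
```

The design choice worth noting is that the hold is the default and a user must opt out of it, mirroring the article's point that systems should stay safe under the assumption that someone will eventually click through a phishing page: a stolen session still cannot drain the account before the waiting period (and any required approvers) have run.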