Bybit's $1.5 Billion Security Breach Highlights the Importance of Human-Centric Design

2025/03/19 06:04

The recent security breach for around $1.5 billion at Bybit, the world's second-largest cryptocurrency exchange by trading volume, has sent ripples through the digital asset community.

greater than $20 billion in customer assets and processes, Bybit faced a significant challenge when an attacker exploited security controls during a routine transfer from an offline “cold” wallet to a “warm” wallet used for daily trading.

According to initial reports, the vulnerability involved a home-grown Web3 implementation built on Gnosis Safe — a multi-signature wallet that uses off-chain scaling techniques, has a centralized upgradable architecture, and provides a user interface for signing. Malicious code deployed through the upgradable architecture meant that what looked like a routine transfer was in fact an altered contract. The incident triggered around 350,000 withdrawal requests as users rushed to secure their funds.
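The defensive lesson from the paragraph above is that a signer must verify the transaction fields actually being signed rather than the wallet UI's summary. The following is an added example, not code from the article, Bybit or Safe: an independent pre-signing check that decodes a Safe transaction (target, value, calldata, operation) and refuses anything that is not a plain call to an approved token contract transferring to an approved warm wallet. Safe's `operation` values and the ERC-20 `transfer` selector are real; the allowlists and limit are constructed placeholders.

```python
# Added example: independent policy check on a Safe multisig transaction
# before a signer approves it. Not the article's or Safe's own code.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1                 # Safe's `operation` field values
ERC20_TRANSFER_SELECTOR = "a9059cbb"      # first 4 bytes of keccak256("transfer(address,uint256)")

# Constructed placeholder allowlists: the exchange's token contracts and warm wallets.
TOKEN_CONTRACTS = {"0x" + "11" * 20}
WARM_WALLETS = {"0x" + "22" * 20}
MAX_VALUE_WEI = 10**21                    # constructed per-transfer ETH limit

@dataclass
class SafeTx:
    to: str          # contract the Safe will call
    value: int       # ETH sent with the call, in wei
    data: str        # calldata as hex
    operation: int   # 0 = Call, 1 = DelegateCall

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if `data` is exactly an ERC-20 transfer call, else None."""
    h = data.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 8 + 64 + 64 or h[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + h[8 + 24:8 + 64]        # address is right-aligned in a 32-byte word
    amount = int(h[8 + 64:], 16)
    return recipient, amount

def check_safe_tx(tx: SafeTx) -> list:
    """Policy violations for a transaction presented to the signer as a routine transfer."""
    problems = []
    if tx.operation != CALL:
        problems.append("operation is DelegateCall, which is never a routine transfer")
    if tx.to.lower() not in TOKEN_CONTRACTS:
        problems.append(f"target {tx.to} is not an approved token contract")
    if tx.value > MAX_VALUE_WEI:
        problems.append(f"value {tx.value} wei exceeds the per-transfer limit")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        problems.append("calldata is not a plain ERC-20 transfer")
    elif decoded[0] not in WARM_WALLETS:
        problems.append(f"recipient {decoded[0]} is not an approved warm wallet")
    return problems

def erc20_transfer_calldata(recipient: str, amount: int) -> str:
    """Build transfer(address,uint256) calldata, used here to construct test inputs."""
    return "0x" + ERC20_TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")
```

An empty list from `check_safe_tx` is the only result on which a signer should proceed; the check is meant to run on a device independent of the signing UI.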

While considerable in absolute terms, this breach — estimated at less than 0.01% of the total cryptocurrency market capitalization — demonstrates how what once would have been an existential crisis has become a manageable operational incident.

Bybit also covered all unrecovered funds through its reserves or partner loans, further exemplifying this maturation.

Since the inception of cryptocurrencies, human error — not technical flaws in blockchain protocols — has consistently been the primary vulnerability. Examining over a decade of major cryptocurrency breaches shows that human factors have always dominated. In 2024 alone, approximately $2.2 billion was stolen.

These breaches continue to occur for similar reasons: organizations fail to secure systems because they won't explicitly acknowledge responsibility for them, or rely on custom-built solutions that preserve the illusion that their requirements are uniquely different from established security frameworks. This pattern of reinventing security approaches rather than adapting proven methodologies perpetuates vulnerabilities.

While blockchain and cryptographic technologies have proven cryptographically robust, the weakest link in security is not the technology but the human element interfacing with it. This pattern has remained remarkably consistent from cryptocurrency's earliest days to today's sophisticated institutional environments, and echoes cybersecurity concerns in other — more traditional — domains.

These human errors include mismanagement of private keys, where losing, mishandling, or exposing private keys compromises security. Social engineering attacks remain a major threat as hackers manipulate victims into divulging sensitive data through phishing, impersonation, and deception.

Human-Centric Security Solutions

Purely technical solutions cannot solve what is fundamentally a human problem. While the industry has invested billions in technological security measures, comparatively little has been invested in addressing the human factors that consistently enable breaches.

A barrier to effective security is the reluctance to acknowledge ownership and responsibility for vulnerable systems. Organizations that fail to clearly delineate what they control — or insist their environment is too unique for established security principles to apply — create blind spots that attackers readily exploit.

This reflects what security expert Bruce Schneier has termed a law of security: systems designed in isolation by teams convinced of their uniqueness almost invariably contain critical vulnerabilities that standard security practices would have addressed. The cryptocurrency sector has repeatedly fallen into this trap, often rebuilding security frameworks from scratch rather than adapting proven approaches from traditional finance and information security.

A paradigm shift toward human-centric security design is essential. Ironically, while traditional finance evolved from single-factor (password) to multi-factor authentication (MFA), early cryptocurrency simplified security back to single-factor authentication through private keys or seed phrases.

This oversimplification was dangerous, leading to the industry's speedrunning of various vulnerabilities and exploits. Billions of dollars of losses later, we arrive at the more sophisticated security approaches that traditional finance has settled on.

Modern solutions and regulatory technology should acknowledge that human error is inevitable and design systems that remain secure despite these errors rather than assuming perfect human compliance with security protocols. Importantly, the technology does not change fundamental incentives. Implementing it comes with direct costs, and avoiding it risks reputational damage.

Security mechanisms must evolve beyond merely protecting technical systems to anticipating human mistakes and being resilient against common pitfalls. Static credentials, such as passwords and authentication tokens, are insufficient against attackers who exploit predictable human behavior. Security systems should integrate behavioral anomaly detection to flag suspicious activities.
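The behavioral anomaly detection mentioned above, as an added example that is not part of the article: each treasury transfer is scored against the source wallet's own history (destinations used, typical amounts, hours of day) so that a transfer a static credential would happily authorize still gets flagged. The transfer log is constructed for the example.

```python
# Added example: behavioural baseline for cold-to-warm treasury transfers.
# Not the article's code; the log lines below are constructed.
import statistics
from datetime import datetime

# Constructed history: ISO time, source wallet, destination wallet, amount (ETH).
HISTORY = """\
2025-01-06T09:58:00 cold-1 warm-1 1200
2025-01-13T10:03:00 cold-1 warm-1 1350
2025-01-20T10:01:00 cold-1 warm-1 1100
2025-01-27T09:55:00 cold-1 warm-2 1300
2025-02-03T10:04:00 cold-1 warm-1 1250
"""

def parse(lines: str):
    """Turn log lines into (timestamp, source, destination, amount) tuples."""
    rows = []
    for line in lines.strip().splitlines():
        ts, src, dst, amt = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, float(amt)))
    return rows

def baseline(rows):
    """Per-source profile: destinations seen, amounts sent, and hours of day used."""
    profile = {}
    for ts, src, dst, amt in rows:
        p = profile.setdefault(src, {"dsts": set(), "amts": [], "hours": set()})
        p["dsts"].add(dst)
        p["amts"].append(amt)
        p["hours"].add(ts.hour)
    return profile

def score(event, profile, amount_factor=3.0):
    """Reasons a proposed transfer deviates from the source wallet's own history."""
    ts, src, dst, amt = event
    p = profile.get(src)
    if p is None:
        return ["source wallet has no transfer history"]
    reasons = []
    if dst not in p["dsts"]:
        reasons.append(f"destination {dst} never used by {src}")
    median = statistics.median(p["amts"])
    # Median absolute deviation is robust to the occasional large legitimate transfer.
    mad = statistics.median(abs(a - median) for a in p["amts"]) or median * 0.1
    if amt > median + amount_factor * mad:
        reasons.append(f"amount {amt:g} far above median {median:g}")
    if ts.hour not in p["hours"]:
        reasons.append(f"hour {ts.hour:02d} outside the usual transfer window")
    return reasons
```

A non-empty reason list should route the transfer to a second approver or a hold rather than block it outright, since the baseline will also flag legitimate but unusual operations.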

Private keys stored in a single, easily accessible location pose a major security risk. Splitting key storage between offline and online environments mitigates full-key compromise. For instance, storing part of a key on a hardware security module while keeping another part offline enhances security by requiring multiple verifications for full access — reintroducing multi-factor authentication principles to cryptocurrency security.
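The split described above is a 2-of-2 case. As an added example that is not from the article, the code below generalizes it to a t-of-n Shamir secret split over the secp256k1 group order, so a Bitcoin or Ethereum private key is a field element directly and any t shares rebuild it while fewer reveal nothing. Where the shares are kept (an HSM, an offline store) is assumed to be handled outside the code.

```python
# Added example: Shamir secret sharing of a secp256k1 private key.
# Not the article's code; the sample key in the test is constructed.
import secrets

# Order of the secp256k1 group: a valid private key is an integer in [1, N),
# so the key itself is a field element and needs no encoding.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_key(key: int, threshold: int, shares: int):
    """Return `shares` points (x, f(x)) on a random polynomial with f(0) = key."""
    if not (1 <= threshold <= shares) or not (1 <= key < N):
        raise ValueError("bad parameters")
    # Degree threshold-1 polynomial; every coefficient except the key is random.
    coeffs = [key] + [secrets.randbelow(N) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, N) for i, c in enumerate(coeffs)) % N

    return [(x, f(x)) for x in range(1, shares + 1)]

def recover_key(points) -> int:
    """Lagrange interpolation at x = 0 over whichever shares are presented."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret

def two_location_split(key: int):
    """The article's case: one share for the HSM, one for offline storage."""
    return split_key(key, 2, 2)
```

With fewer than `threshold` shares, `recover_key` still returns a value, but one that is unrelated to the key; the test checks that.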

Actionable Steps for a Human-Centric Security Approach

A comprehensive human-centric security framework must address cryptocurrency vulnerabilities at multiple levels, with coordinated approaches across the ecosystem rather than isolated solutions.

For individual users, hardware wallet solutions remain the best standard. However, many users prefer convenience over security responsibility, so the second-best is for exchanges to implement practices from traditional finance: default (but adjustable) waiting periods for large transfers, tiered account systems with different authorization levels, and context-sensitive security education that activates at
