
Bybit co-founder and CEO Ben Zhou said the exchange has filled the gap in its ETH reserves following a $1.4 billion exploit last week and plans to publish an audited proof of reserves report to demonstrate this.
“Bybit has already fully closed the ETH gap; a new audited POR report will be published very soon to show that Bybit is back to 100% 1:1 on client assets through a Merkle tree. Stay tuned,” Zhou said. Bybit appears to have closed the gap with loans, whale deposits and ETH purchases, according to on-chain data from Lookonchain.
On Feb. 21, Bybit faced a significant challenge when it suffered a massive exploit, resulting in the theft of over 400,000 ETH. The attackers turned a standard multi-signature approval process into a $1.4 billion heist by presenting a fake UI to mask a malicious smart contract.
This incident marked the largest crypto hack in history, draining a substantial portion of Bybit’s ETH reserves and sparking concerns about the exchange’s liquidity and ability to meet user withdrawal demands.
To address the shortfall in its ETH reserves and maintain operational stability, Bybit quickly secured emergency liquidity through what CEO Ben Zhou described as a “bridge loan” from partners in the crypto industry. Bridge loans are short-term loans that carry an entity through a transition period.
These loans are intended to cover the stolen ETH, providing Bybit with the necessary funds to manage a surge in withdrawal requests and prevent a collapse akin to a bank run. The exchange also appears to have purchased large amounts of ETH via OTC transactions to replenish its reserves.
Zhou had previously reassured users that the exchange remained solvent, claiming Bybit’s treasury and retained earnings were sufficient to cover the loss from the exploit, even if the stolen funds were not recovered, and that client assets were backed.
With the replenished ETH reserves, the exchange is expected to process all withdrawal requests normally.
The $1.4 billion attack on Bybit centered on the exchange’s multi-signature (multisig) cold wallet, which required multiple transaction approvals. In this case, the wallet was executing a routine transfer to a warm wallet (an online wallet used for operational liquidity). During this process, attackers believed to be the North Korean Lazarus Group manipulated the transaction to deceive the system and its human operators.
The attackers employed a technique that Bybit's Zhou described as a “masked” transaction. It involved altering the user interface (UI) that the wallet signers, the individuals or systems responsible for approving transactions, interacted with. The UI displayed a legitimate destination address, but beneath this facade the transaction's underlying smart contract logic had been maliciously altered.
In this case, the attackers injected fraudulent code into the transaction that the signers unknowingly approved. Instead of simply transferring funds to the warm wallet as intended, the altered smart contract redirected control of the cold wallet's assets — about 401,347 ETH, along with related tokens like liquid-staked ETH (stETH) and Mantle Staked ETH (mETH) — to an address controlled by the hackers.
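One control against the masked transaction described above is for each signer to compare what the UI displayed with the raw fields actually being signed. The following is an added example, not code from Bybit or The Block; the addresses, field names and policy limits are constructed, and it assumes the signer can decode the payload on a path independent of the UI.

```python
# Added example: signer-side "what you see vs. what you sign" check.
# All addresses, field names and limits below are constructed for illustration.
WARM_WALLET = "0x" + "a1" * 20      # constructed allowlisted destination
OTHER_CONTRACT = "0x" + "bd" * 20   # constructed unknown contract
POLICY = {"allowed_to": {WARM_WALLET}, "max_value_wei": 50_000 * 10**18}

def _addr(a):
    """Normalize a hex address so checksum casing cannot hide a mismatch."""
    a = a.lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"malformed address: {a!r}")
    int(a, 16)  # raises ValueError on non-hex characters
    return a

def check_signing_request(displayed, payload, policy=POLICY):
    """Compare what the UI showed with the raw fields that will be signed.

    displayed: {"to", "value_wei"} as rendered to the human signer.
    payload:   {"to", "value_wei", "data"} decoded from the bytes to be signed
               on a separate path from the UI (assumption: such a path exists).
    Returns a list of findings; an empty list means the request may proceed.
    """
    findings = []
    shown_to, real_to = _addr(displayed["to"]), _addr(payload["to"])
    if shown_to != real_to:
        findings.append(f"destination mismatch: UI {shown_to} vs payload {real_to}")
    if real_to not in {_addr(a) for a in policy["allowed_to"]}:
        findings.append(f"payload destination {real_to} not on allowlist")
    if displayed["value_wei"] != payload["value_wei"]:
        findings.append("value mismatch between UI and payload")
    if payload["value_wei"] > policy["max_value_wei"]:
        findings.append("value exceeds routine-transfer limit")
    data = payload.get("data", "0x").lower()
    if data not in ("", "0x"):
        # A plain ETH transfer carries no calldata; any calldata means contract
        # logic will run and must be decoded and reviewed before signing.
        findings.append(f"unexpected calldata ({(len(data) - 2) // 2} bytes)")
    return findings

# Constructed samples: a routine transfer, and a "masked" one where the UI
# shows the warm wallet but the payload calls a different contract.
ROUTINE = ({"to": "0x" + "A1" * 20, "value_wei": 10**21},
           {"to": WARM_WALLET, "value_wei": 10**21, "data": "0x"})
MASKED = ({"to": WARM_WALLET, "value_wei": 10**21},
          {"to": OTHER_CONTRACT, "value_wei": 0, "data": "0x" + "ab" * 36})

if __name__ == "__main__":
    for name, (shown, raw) in (("routine", ROUTINE), ("masked", MASKED)):
        print(name, check_signing_request(shown, raw) or "OK")
```

The check only helps if the payload is decoded on a device or code path the compromised UI cannot influence; run inside the same interface, it would show the same masked values.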
© 2025 The Block. All Rights Reserved.