Adam Back slams ‘EVM mis-design’ as root cause of Bybit hack

The cryptocurrency community is divided over the root cause of the Bybit hack, with Bitcoin advocates like Adam Back attributing it to the “mis-design” of the Ethereum Virtual Machine (EVM), while others argue operational security failures were to blame.

Blockstream co-founder Back criticized EVM technology in a Feb. 23 X post, following Bybit falling victim to one of the biggest crypto hacks in history, losing $1.4 billion in Ether (ETH)-related tokens.

“People are misunderstanding critique of repeated EVM hacks, the latest and the largest Bybit $1.4 billion missing the point: EVM can go to zero, no one cares,” Back wrote. “[The] problem is the EVM dumpster fire hurts ecosystem credibility, which unfairly bleeds over to Bitcoin,” he added.

Many in the community pushed back against Back’s EVM criticism, pointing at weaknesses in operational security around multisignature wallets rather than flaws in the EVM.

Back criticizes “EVM complexity”

“Another day, another EVM contract hack,” Back wrote on X on Feb. 22, describing EVM tech as “complex, fragile, blind-signed” and “unsecurable.”

“They’ve been losing billions per year for years straight […] Zero days since the nine-figure loss on ETH toggled again,” he added.

The cryptographer went on to say that Bybit’s incident had nothing to do with the security of its hardware wallets but rather the EVMc complexity of properly verifying a transaction on a hardware wallet. He also argued that the Bitcoin (BTC) ecosystem is free from such vulnerabilities.

“The whole point of HWW [hardware wallets] is to verify on the device screen how much you’re paying and to what address. That doesn’t work with ETH due to EVM complexity and state size; this is the problem,” Back wrote, adding that “ETH on HWW didn’t even display addresses for Bybit.”

Bitcoin isn’t immune to multisig vulnerabilities, the community responds

Still, there was no shortage of opposition to Back’s perspective on the root cause of Bybit’s hack.

“While we respect Adam Back’s viewpoint and the wider conversation it ignites about blockchain security, Hacken doesn’t fully agree that the issues highlighted by the Bybit hack are exclusive to Ethereum or the EVM,” Dima Budorin, co-founder and CEO of the cybersecurity firm Hacken told Cointelegraph.

Multisig vulnerabilities and operational complexities are a “shared challenge across ecosystems, including Bitcoin,” Budorin stated, adding:

“Even Bitcoin’s multisig setups, though simpler by design, remain susceptible to risks such as human error, phishing, or advanced attacks targeting signer devices and workflows.”

Lex Fisun, co-founder and CEO of the Swiss blockchain analytics platform Global Ledger, echoed these sentiments.

“In the latest Bybit hack, only one ETH cold wallet was affected, while other wallets remained secure,” Fisun told Cointelegraph, suggesting that the breach could have resulted from “weaknesses in operational security around cold wallet transfers rather than a fundamental flaw in the EVM itself.”

Related: Bybit has ‘fully closed the ETH gap’ CEO says after $1.4B Lazarus hack

Fisun also highlighted that Bybit’s compromised wallet was multisig, and the attackers likely tricked signers into approving a malicious transaction.

“It’s possible that the exploit came through the EVM, but we can’t confirm it at the moment,” Fisun said, adding:

“Nearly all decentralized exchanges  rely on the EVM, while centralized exchanges like Coinbase, Binance and Kraken use proprietary trading engines. Bybit isn’t decentralized, but they may have used the EVM in some capacity; to what extent remains unclear.”

As the debate continues, Ethereum co-founder Vitalik Buterin has yet to publicly address the accusations regarding the EVM’s security vulnerabilities.

According to social media reports, the Bybit hacker became the 14th largest ETH holder globally, overtaking Fidelity and Buterin.

Bybit declined to comment on whether it believes the EVM played a role in the security breach.

Magazine: ETH whale’s wild $6.8M ‘mind control’ claims, Bitcoin power thefts: Asia Express