Now that we know who's behind the Bybit attack

2025-02-22 David

https://archive.is/r0Kza


The Bybit attack used a trojan contract and a backdoor contract to turn a signed transaction into a malicious upgrade of an upgradeable Safe multisig cold wallet. Signers were tricked into authorizing a zero-token ERC-20 transfer to an unlisted contract; because the transaction executed as a delegate call, the target code ran in the wallet's own storage context and overwrote storage slot 0, replacing the wallet's master copy with attacker-controlled code. The backdoor contract then exposed sweepETH and sweepERC20 functions that let the attacker drain native ETH and ERC-20 assets from the wallet. The write-up emphasizes that the unusual recipient, the zero-token transfer, and the delegate-call operation should each have triggered compliance or transaction-simulation controls before signing.
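The three red flags the summary names can be checked mechanically before a signer ever sees the transaction. The following is an added example, not code from the write-up or from the Safe project: a pre-signing policy check over the fields Safe's execTransaction takes (to, value, data, operation, where operation 0 is CALL and 1 is DELEGATECALL). The allowlist, the addresses and the two sample transactions are constructed placeholders; the ERC-20 transfer selector 0xa9059cbb is the real one for transfer(address,uint256).

```python
"""Pre-signing policy check for Safe multisig transactions.

Added illustration (not the Bybit write-up's or the Safe project's code). It
flags the pattern described above: an unlisted target, a zero-amount ERC-20
transfer, and a DELEGATECALL operation, any one of which should block signing
pending review. Sample addresses and transactions below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Safe's Enum.Operation values
CALL = 0
DELEGATECALL = 1

# First 4 bytes of keccak256("transfer(address,uint256)")
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


@dataclass(frozen=True)
class SafeTx:
    to: str          # target contract, 0x-prefixed hex
    value: int       # native ETH in wei
    data: bytes      # calldata passed to the target
    operation: int   # CALL or DELEGATECALL


def decode_erc20_transfer(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (recipient, amount) if data is an ABI-encoded ERC-20 transfer, else None."""
    if len(data) != 4 + 32 + 32 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    # The address occupies the low 20 bytes of its 32-byte ABI word
    recipient = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def check_safe_tx(tx: SafeTx, allowlist: Set[str]) -> List[str]:
    """Return the policy findings that should block signing (empty list means OK)."""
    allowed = {a.lower() for a in allowlist}
    findings: List[str] = []
    if tx.operation == DELEGATECALL:
        findings.append("DELEGATECALL: target code runs in the wallet's own storage context")
    if tx.to.lower() not in allowed:
        findings.append(f"unlisted target contract {tx.to}")
    transfer = decode_erc20_transfer(tx.data)
    if transfer is not None:
        recipient, amount = transfer
        if amount == 0:
            findings.append("zero-amount ERC-20 transfer has no economic purpose")
        if recipient.lower() not in allowed:
            findings.append(f"ERC-20 recipient {recipient} not on allowlist")
    return findings


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256); used here only to build sample inputs."""
    addr_word = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return ERC20_TRANSFER_SELECTOR + addr_word + amount.to_bytes(32, "big")


# Constructed placeholder addresses (not real contracts)
TOKEN = "0x1111111111111111111111111111111111111111"     # approved token contract
TREASURY = "0x3333333333333333333333333333333333333333"  # approved destination
UNLISTED = "0x2222222222222222222222222222222222222222"  # never reviewed
ALLOWLIST = {TOKEN, TREASURY}

# The pattern from the summary: zero-token transfer to an unlisted contract, run as a delegate call
SUSPICIOUS_TX = SafeTx(to=UNLISTED, value=0,
                       data=encode_erc20_transfer(UNLISTED, 0), operation=DELEGATECALL)
# A routine transfer for comparison: approved token, approved recipient, plain CALL
BENIGN_TX = SafeTx(to=TOKEN, value=0,
                   data=encode_erc20_transfer(TREASURY, 10**18), operation=CALL)

if __name__ == "__main__":
    for name, tx in (("suspicious", SUSPICIOUS_TX), ("benign", BENIGN_TX)):
        print(name, check_safe_tx(tx, ALLOWLIST) or "OK")
```

The decoder only handles a bare ERC-20 transfer; in practice the same check would sit alongside a simulation that diffs the wallet's storage before and after the call, since a write to slot 0 of a Safe proxy is the concrete signal that the master copy is being swapped.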
