Technical Analysis of the Bybit Hot Wallet Exploit

2025-02-25 Verichains

https://blog.verichains.io/p/technical-analysis-of-the-bybit-hot

Verichains analyzed the February 21, 2025 Bybit hot wallet exploit, where a malicious transaction upgraded the Bybit Hot Wallet Proxy implementation through a SafeWallet call. The on-chain flow involved an attacker-controlled call to the proxy, delegatecalls through the legitimate GnosisSafe contract, and a crafted delegatecall payload pointing to a malicious implementation contract. The malicious contract’s transfer function changed proxy storage slot 0, replacing the legitimate implementation with attacker-controlled code. After a 90 USDT test transfer, the attacker transferred 401,346.76 ETH from the compromised wallet. The excerpt does not attribute the activity to a threat actor, but the technical sequence is useful for understanding how delegatecall abuse and proxy implementation changes enabled the theft.
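The sequence above depends on the wallet being asked to delegatecall rather than call an unfamiliar contract. As an added example (not code from the Verichains report or from Safe), this pre-signing check decodes `execTransaction` calldata and flags that case. It assumes the public Safe `execTransaction` ABI and its `Enum.Operation` values; the addresses and payload are constructed placeholders.

```python
EXEC_TX = bytes.fromhex("6a761202")  # execTransaction(address,uint256,bytes,uint8,...) selector
CALL, DELEGATECALL = 0, 1            # Safe Enum.Operation values (assumed from the Safe ABI)

def word(buf: bytes, pos: int) -> int:
    """Read the 32-byte ABI word starting at byte offset pos."""
    chunk = buf[pos:pos + 32]
    if len(chunk) != 32:
        raise ValueError("truncated calldata")
    return int.from_bytes(chunk, "big")

def decode(calldata: bytes) -> dict:
    """Extract what a signer must see: target, operation and inner calldata."""
    if calldata[:4] != EXEC_TX:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    word(args, 0)                      # raises if the `to` word is missing
    off = word(args, 64)               # byte offset of the dynamic `data` argument
    n = word(args, off)                # declared length of `data`
    inner = args[off + 32:off + 32 + n]
    if len(inner) != n:
        raise ValueError("inner data shorter than declared")
    return {"to": "0x" + args[12:32].hex(), "operation": word(args, 96), "inner": inner}

def review(calldata: bytes, allowlist: set) -> list:
    """Return findings; allowlist holds lower-case addresses approved for delegatecall."""
    tx = decode(calldata)
    if tx["operation"] == CALL:
        return []
    if tx["operation"] != DELEGATECALL:
        return ["unknown operation value %d" % tx["operation"]]
    if tx["to"] in allowlist:
        return []
    return ["delegatecall to non-allowlisted target %s (inner selector 0x%s): callee "
            "code runs against the wallet's own storage, including slot 0"
            % (tx["to"], tx["inner"][:4].hex())]

def sample(to_hex: str, operation: int, inner: bytes) -> bytes:
    """Build constructed execTransaction calldata (zero gas fields, empty signatures)."""
    pad = inner + b"\x00" * (-len(inner) % 32)
    head = [int(to_hex, 16), 0, 320, operation, 0, 0, 0, 0, 0, 320 + 32 + len(pad)]
    tail = len(inner).to_bytes(32, "big") + pad + (0).to_bytes(32, "big")
    return EXEC_TX + b"".join(w.to_bytes(32, "big") for w in head) + tail

# Constructed inputs: placeholder target, inner payload shaped like transfer(address,uint256).
UNKNOWN = "0x" + "11" * 20
INNER = bytes.fromhex("a9059cbb") + bytes(64)

if __name__ == "__main__":
    print(review(sample(UNKNOWN, DELEGATECALL, INNER), set()))
```

The inner payload can look like an ordinary token transfer; the finding is driven by the operation field and the target, not by the inner selector.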
