Indian cryptocurrency exchange WazirX is investigating a hack that resulted in the loss of over $230 million (approximately Rs. 1,924 crore) from one of its multi-signature wallets. The exchange has updated the community with its findings, emphasizing that its own infrastructure was not compromised. Instead, WazirX points to Liminal’s infrastructure as the potential point of compromise exploited by the hackers.
Internal Investigation Findings
On July 25, WazirX provided an update through its official blog, shedding light on the preliminary results of its internal investigation. The exchange stated that Liminal’s multi-party computation (MPC) wallet failed to adequately screen non-whitelisted addresses and failed to prevent unauthorized withdrawals. As a result, transactions proceeded to non-approved addresses, which Liminal’s firewall and whitelist policies should have intercepted.
WazirX clarified that the execution of these transactions over Liminal’s infrastructure occurred outside of its own server ecosystem. The exchange also dismissed social media claims suggesting that it had signed any suspicious transactions days before the hack, which some speculated might have facilitated the attack.
Liminal’s Response
Liminal, which partnered with WazirX in January 2023 to manage its wallets, quickly responded to the allegations. The company asserted that its platform had not been breached and that all wallets on its infrastructure, including WazirX’s other Gnosis SAFE wallets, remained secure. Despite these assurances, WazirX is awaiting a detailed forensic analysis from Liminal to fully understand the breach’s specifics.
Aftermath and Security Measures
Following the hack, WazirX paused all trading, deposit, and withdrawal services on its platform to prevent further unauthorized transactions. The exchange is working closely with law enforcement agencies to trace the stolen funds and identify the culprits behind the sophisticated attack. Notably, Indian Web3 analysts suspect that the infamous Lazarus Group from North Korea might be involved, though this remains unconfirmed.
In an effort to recover the stolen assets, WazirX has launched a bounty program offering $23 million (approximately Rs. 192 crore) to the hacker if they return the funds. Additionally, the exchange is offering a reward of USDT worth $10,000 (roughly Rs. 8.3 lakh) to individuals who can provide information leading to the identification and freezing of the stolen assets.
Broader Implications and Government Silence
The hack, which saw the theft of 203 different crypto assets including Ether, Tether, Pepecoin, Gala, Polygon, and Shiba Inu, has raised serious security concerns. WazirX has reached out to the teams managing these cryptocurrencies, seeking assistance in tracking the stolen funds. Despite the significant financial impact, the Indian government and the Finance Ministry have remained silent on the issue.
WazirX has also alerted the Central Bureau of Investigation (CBI) about the potential compromise at Liminal’s end. This is particularly concerning as the CBI trusts Liminal for the secure storage of digital assets seized during investigations. WazirX highlighted that the malicious transaction involved upgrading the contract to transfer control to the attacker, a capability that Liminal’s interface supposedly does not allow.
Moving Forward
As the investigation continues, WazirX’s swift actions and transparent communication with its users and authorities underscore the importance of stringent security measures in the cryptocurrency industry. The exchange’s collaboration with law enforcement and its proactive approach in addressing the breach could serve as a blueprint for handling such incidents in the future.
The outcome of this investigation and the subsequent forensic analysis by Liminal will be crucial in understanding the vulnerabilities exploited in this hack and preventing similar incidents in the future. Meanwhile, the crypto community watches closely, awaiting further updates and hoping for the recovery of the stolen funds.