- The Web3 Telegraph
WazirX Exploit: Dissecting the Breach & the Blame
On July 18, 2024, WazirX reported a cyberattack on one of its multisig wallets, resulting in a loss of over $230 million. According to WazirX's tweet, the wallet had been operated on Liminal's digital asset custody and wallet infrastructure since February 2023, and was compromised by an attack that exploited a discrepancy between the transaction data shown to the signers and the data that was actually signed.
At WazirX, our commitment to transparency and community welfare is paramount. There was a cyber attack on one of our multisig wallets. Below are the preliminary findings to clarify the situation:
» Incident Overview: A cyber attack occurred in one of our multisig wallets… x.com/i/web/status/1…
— WazirX: India Ka Bitcoin Exchange (@WazirXIndia)
4:56 PM • Jul 18, 2024
Wallet Configuration & Breach Mechanics
The wallet in question had six signatories: five from WazirX and one from Liminal. A transaction required approval from three WazirX team members, each using a Ledger hardware wallet, followed by approval from the Liminal signatory. In addition, transactions could only be sent to specific pre-approved (whitelisted) addresses configured by Liminal.
Here’s a simplified breakdown of the attack:
Multisig Approval: The wallet required multiple people to approve a transaction, so no single person could move the money on their own.
Whitelisting Addresses: Transactions could only go to certain pre-approved addresses, to prevent money from being sent to unknown destinations.
Discrepancy Exploited: The attackers found a way to manipulate what Liminal's interface displayed, which is what the signatories relied on when approving transactions. What the signatories saw on their screens was not the transaction that was actually being signed.
Payload Replacement: During the approval process, the attackers replaced the legitimate transaction data with their own malicious data. The signatories therefore approved, with valid signatures, a transaction that sent the money to the attackers instead of the intended whitelisted address.
Breach Success: Despite these controls, the attackers gained control of the wallet by exploiting this discrepancy, leading to the theft of over $230 million.
In essence, the attack made the transaction look legitimate to the people approving it while secretly redirecting the funds to the hackers.
The Blame Game: WazirX vs. Liminal Custody
In the wake of the $230 million cyberattack, WazirX and Liminal Custody have found themselves entangled in a public blame game, each pointing fingers at the other for the breach.
WazirX asserts that the attack stemmed from a discrepancy on Liminal’s interface. They argue that this mismatch between the displayed data and the actual transaction contents allowed the hacker to manipulate the transaction and gain control of the multisig wallet.
Liminal Custody maintains that their platform was not breached and that their infrastructure remains secure. They suggest that the issue lies within WazirX’s operational security.
In light of recent events, we want to clarify that Liminal's platform was not breached. Our platform continues to remain secure and fully operational for all our clients, including WazirX.
As part of our security process, we've conducted a comprehensive forensic analysis. Our… x.com/i/web/status/1…
— Liminal Custody🚀 (@liminalcustody)
12:45 PM • Jul 19, 2024
The exact mechanics of the breach are still under investigation, and both WazirX and Liminal Custody have provided different perspectives on the cause.
Liminal's Report: Key Insights & Findings
In response to the exploit of WazirX's Gnosis SAFE wallet, Liminal has released a detailed report summarizing their investigation into the incident. The report underscores that Liminal’s infrastructure was not breached and that all wallets on their platform, including WazirX’s other Gnosis SAFE wallets, remain secure. The compromised wallet was a self-custodial, multisig Gnosis SAFE smart contract wallet deployed by WazirX before it was imported into Liminal's platform.
According to Liminal, the hack originated from three compromised devices at WazirX. The attackers used these client-side compromises to obtain the required signatures, manipulating the transaction payloads to redirect funds. Controls such as whitelisting and the multisig configuration did not stop the breach, because the signatures collected were valid for the malicious payload. The incident underlines that the endpoints signers use are part of the trust boundary and need the same ongoing scrutiny as the wallet infrastructure itself.
What is a Multisig Wallet?
A multisig wallet is set up to require multiple private keys to authorize a transaction. For example, a 3-of-5 multisig wallet requires three of its five designated private keys to sign a transaction before it can be executed. This added layer of security means that a single compromised key cannot move funds; the assets stay safe as long as the attacker cannot obtain the threshold number of keys.
The WazirX attack shows that even with multisig security, weaknesses in how transaction data is displayed to and verified by the signers can be exploited: the wallet contract only checks that enough keys signed the submitted payload, not that the signers understood what they were signing.
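The following is an added example, written for this page and not code from WazirX, Liminal or the Safe project. It models in a few dozen lines both the k-of-n multisig described in this section and the display-versus-payload discrepancy from the attack breakdown above: a threshold wallet that only checks signatures over a transaction digest, a custody-layer whitelist applied to what the interface shows, and a signer who either trusts the digest the interface hands over or recomputes it from the fields actually reviewed. SHA-256 and HMAC stand in for the Safe's EIP-712 keccak digest and ECDSA hardware-wallet signatures; every address, key and amount is made up.

```python
"""Toy k-of-n multisig with a whitelist policy (added example; stand-ins for
Safe's digest and ECDSA signatures, all identifiers constructed)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

CALL, DELEGATECALL = 0, 1


@dataclass(frozen=True)
class SafeTx:
    to: str          # destination address (hex string)
    value: int       # amount in wei
    data: bytes      # calldata
    operation: int   # CALL or DELEGATECALL
    nonce: int       # replay protection


def tx_digest(tx: SafeTx) -> bytes:
    """Digest over every field that affects execution (stand-in for Safe's
    getTransactionHash).  Fields are length-prefixed so two different
    transactions cannot serialise to the same byte string."""
    h = hashlib.sha256(b"toy-safe-tx-v1")
    for field in (tx.to.lower().encode(), tx.value.to_bytes(32, "big"), tx.data,
                  bytes([tx.operation]), tx.nonce.to_bytes(32, "big")):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()


def sign(key: bytes, digest: bytes) -> bytes:
    """Stand-in for a hardware-wallet ECDSA signature over the digest."""
    return hmac.new(key, digest, hashlib.sha256).digest()


class MultisigWallet:
    """On-chain side: executes a tx once `threshold` owners have signed its
    digest.  Like a Safe, it knows nothing about what any interface displayed."""

    def __init__(self, owner_keys: Dict[str, bytes], threshold: int):
        self.owner_keys = owner_keys
        self.threshold = threshold
        self.nonce = 0
        self.executed = []

    def execute(self, tx: SafeTx, signatures: Dict[str, bytes]) -> bool:
        if tx.nonce != self.nonce:
            return False
        digest = tx_digest(tx)
        valid = sum(
            1 for owner, sig in signatures.items()
            if owner in self.owner_keys
            and hmac.compare_digest(sig, sign(self.owner_keys[owner], digest))
        )
        if valid < self.threshold:
            return False
        self.nonce += 1
        self.executed.append(tx)
        return True


def whitelist_ok(tx: SafeTx, whitelist: Set[str]) -> bool:
    """Custody-layer policy: a plain CALL to a pre-approved destination only."""
    return tx.operation == CALL and tx.to.lower() in whitelist


def approve(key: bytes, shown: SafeTx, digest_from_interface: bytes,
            verify: bool) -> Optional[bytes]:
    """One signer's approval.  verify=False: trust the interface and sign the
    digest it hands over.  verify=True: recompute the digest from the fields
    actually reviewed and refuse if it differs (what the hash shown on a
    hardware wallet's own screen lets you check)."""
    if verify and tx_digest(shown) != digest_from_interface:
        return None
    return sign(key, digest_from_interface)


def run_scenario(verify: bool) -> dict:
    """Attacker controls the interface: it shows a whitelisted transfer but
    submits a different payload's digest for signing."""
    owners = {f"signer{i}": hashlib.sha256(f"key{i}".encode()).digest()
              for i in range(1, 6)}                       # 3-of-5, made-up keys
    wallet = MultisigWallet(owners, threshold=3)
    whitelist = {"0xc01d000000000000000000000000000000000001"}  # made-up cold wallet

    shown = SafeTx("0xC01D000000000000000000000000000000000001", 10**18, b"", CALL, 0)
    payload = SafeTx("0xbad0000000000000000000000000000000000001", 0, b"\xde\xad",
                     DELEGATECALL, 0)

    policy_passed = whitelist_ok(shown, whitelist)        # checks the displayed tx
    interface_digest = tx_digest(payload)                 # but the real payload is signed
    sigs = {}
    for name, key in list(owners.items())[:3]:
        sig = approve(key, shown, interface_digest, verify)
        if sig is not None:
            sigs[name] = sig
    executed = wallet.execute(payload, sigs)
    return {"policy_passed": policy_passed, "signatures": len(sigs),
            "executed": executed, "to": payload.to if executed else None}


if __name__ == "__main__":
    print("blind signers :", run_scenario(verify=False))
    print("verifying     :", run_scenario(verify=True))
```

With blind signers the whitelist check passes (it looked at the displayed transaction), three valid signatures are produced over the malicious digest, and the wallet executes the DELEGATECALL to the attacker's address; with verifying signers no signature is ever produced. The practical equivalent for a real Safe is to compute the safeTxHash locally from the fields you reviewed and compare it to the hash shown on the hardware wallet before confirming, and to apply any whitelist to the same payload the digest is derived from rather than to a separate view of it.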
Conclusion
The WazirX exploit serves as a stark reminder for the cryptocurrency community to relentlessly improve security measures and maintain vigilance against sophisticated cyber threats. As the incident demonstrates, even cutting-edge controls such as hardware-backed multisig and address whitelisting can be defeated if the devices and interfaces the signers depend on are not properly secured and monitored.