The WazirX cryptocurrency exchange was hacked on July 18. According to a report from the exchange’s team on July 25, there is no proof that the computers used by WazirX signers were hacked.
There may have been a breach in the system of Liminal, the multi-party computation (MPC) wallet service that WazirX used, which led to the $235 million hack.
Liminal had earlier put out a report saying that the breach was caused by hacked cryptocurrency exchange machines. However, WazirX’s most recent findings say that this is not true, stating:
“Our preliminary findings have not found any evidence that WazirX signers’ machines were compromised.”
The exchange’s team is conducting a thorough forensic analysis and will share direct proof as soon as it’s done.
WazirX’s Liminal Security Flaw
In its report, WazirX says that the attack used three WazirX signatures and one Liminal signature, along with transactions that went through Liminal’s infrastructure. The Liminal MPC wallet was supposed to stop transfers to addresses that weren’t on a whitelist, but it failed to function this time.
The report also says that the bad transaction changed the multisig wallet contract, which should not have been possible with Liminal’s interface.
The Central Bureau of Investigation (CBI) in India is a client of Liminal. The report says that the CBI might have thought twice about using Liminal to store assets if it knew about the security holes.
There are two possible ways that the hack happened: either Liminal’s infrastructure was broken into, allowing hacked user interfaces, or three different devices belonging to the exchange were taken over.
An attack on Liminal’s system, rather than on the exchange’s devices, is more likely to be what happened. WazirX’s hardware wallets did not capture any new connection requests, and those that did come were from an address that was on a whitelist. Furthermore, all signers saw the same information on the Liminal interface and got correct email alerts.
The exchange thinks that the breach most likely started with Liminal’s infrastructure, but it is still waiting for the final forensic reports to be sure. The report also discusses the major effects on the crypto community, mainly the dangers of “blind signing”, in which hardware wallets sign transactions without showing destination addresses.
This problem has been brought up before, and the company that makes hardware wallets, Ledger, promised to stop blind signing by June 2024 in response to similar worries.
In a linked statement, Liminal’s July 19 report said that its server infrastructure was still safe and that the attack may have been caused by taking control of all three WazirX devices.