WazirX Preliminary Investigation Finds No Evidence of Compromised Signer Machines in $235M Hack
A preliminary investigation into the July 18 hack of the $235 million WazirX cryptocurrency exchange found no evidence of compromise within its infrastructure.
The exchange suggests the breach likely originated from Liminal, their multi-party computation (MPC) wallet provider.
Both WazirX and Liminal have released conflicting reports, with each pointing to the other as the source of the hack.
WazirX Investigation: Liminal; A Potential Catastrophic Cause
A July 18 hack of the WazirX cryptocurrency exchange resulted in a loss of $235 million, spurring intense scrutiny and investigation.
In a preliminary report released on July 25, WazirX announced that their investigation found no evidence that their infrastructure’s signer machines were compromised.
Instead, they suggested that the breach might have originated from Liminal, their multi-party computation (MPC) wallet provider.
The WazirX team has been meticulously searching for signs of compromise within their system.
Despite thorough forensic analysis, they have been unable to find any evidence that their signers’ machines were infiltrated.
The investigation revealed that the hack’s transactions were processed through Liminal’s infrastructure, utilizing three WazirX signatures and one Liminal signature. Therefore, indicating a potential vulnerability in Liminal’s security protocols.
The report from WazirX highlights critical failures in Liminal’s security measures. The Liminal MPC wallet, which was supposed to prevent any withdrawals to non-whitelisted addresses, failed to do so.
Additionally, the malicious transaction included a contract upgrade that transferred control to the attacker, a process that Liminal’s interface is not supposed to allow.
According to WazirX, multiple pieces of evidence suggest that Liminal’s infrastructure was breached rather than their own.
No new connection requests were sent to WazirX’s hardware wallets; the requests originated from whitelisted addresses, and all signers saw the expected token names and destination addresses.
This strongly suggests that the Liminal interface displayed manipulated information, likely due to a breach in their system.
Liminal Denied Allegations Amid Reopening Plan
Liminal, however, has denied any breach of its infrastructure, maintaining that its platform remains secure and fully operational.
In a report released on July 19, Liminal suggested that the attack might have occurred by compromising all three WazirX devices, a claim WazirX’s investigation disputes.
Liminal’s stance has been that their servers were not breached and that all wallets, including those of WazirX, remain secure.
The incident highlights the significant security risks associated with “blind signing” token transactions from hardware wallets.
In this process, the transaction details, including the destination address, are not displayed on the wallet’s LED screen, forcing users to rely on a separate device or the custody provider’s interface for this information.
This practice is widely regarded as a security problem within the hardware wallet community, as it creates a theoretical risk that transaction information could be manipulated if the custody provider’s infrastructure is compromised.
This hack also has broader implications for the crypto community, particularly regarding relying on third-party infrastructure to secure digital assets.
WazirX pointed out that the Central Bureau of Investigation (CBI) and other organizations also use Liminal to store seized assets, raising concerns about the trustworthiness of such custodians if their security measures can be bypassed.
WazirX is continuing its comprehensive forensic analysis to uncover the full details of the cyber attack and plans to share conclusive evidence once the investigation is complete.
Meanwhile, WazirX co-founder Nischal Shetty has outlined steps to involve the community in deciding the platform’s reopening and recovery plans.
These steps include running a poll to help customers decide the approach to reopening the platform and exploring solutions to unlock tokens affected by the hack.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Hyperliquid net outflows top $250M amid fears over North Korea hackers
37% of UAE retail investors plan to increase crypto in 2025: eToro survey
December market correction drags down crypto ETPs by $17B
Aave mulls Chainlink integration to return MEV fees to users