WazirX Preliminary Investigation Finds No Evidence of Compromised Signer Machines in $235M Hack

A preliminary investigation into the July 18 hack of the $235 million WazirX cryptocurrency exchange found no evidence of compromise within its infrastructure.

The exchange suggests the breach likely originated from Liminal, their multi-party computation (MPC) wallet provider.

Both WazirX and Liminal have released conflicting reports, with each pointing to the other as the source of the hack.

WazirX Investigation: Liminal as a Potential Catastrophic Cause

A July 18 hack of the WazirX cryptocurrency exchange resulted in a loss of $235 million, spurring intense scrutiny and investigation.

In light of the recent cyber attack on WazirX, our preliminary investigation reveals no evidence of compromise on our signers' machines. We are continuing to explore all possible sources of the breach.

For more details, please read this blog 👇 https://t.co/UQD7LVUy0v

— WazirX: India Ka Bitcoin Exchange (@WazirXIndia) July 25, 2024

In a preliminary report released on July 25, WazirX announced that their investigation found no evidence that their infrastructure’s signer machines were compromised.

Instead, they suggested that the breach might have originated from Liminal, their multi-party computation (MPC) wallet provider.

The WazirX team has been meticulously searching for signs of compromise within their system.

Despite thorough forensic analysis, they have been unable to find any evidence that their signers’ machines were infiltrated.

The investigation revealed that the hack’s transactions were processed through Liminal’s infrastructure using three WazirX signatures and one Liminal signature, which WazirX takes as an indication of a potential vulnerability in Liminal’s security protocols.

The report from WazirX highlights critical failures in Liminal’s security measures. The Liminal MPC wallet, which was supposed to prevent any withdrawals to non-whitelisted addresses, failed to do so.

Additionally, the malicious transaction included a contract upgrade that transferred control to the attacker, a process that Liminal’s interface is not supposed to allow.

According to WazirX, multiple pieces of evidence suggest that Liminal’s infrastructure was breached rather than their own.

No new connection requests were sent to WazirX’s hardware wallets; the requests originated from whitelisted addresses, and all signers saw the expected token names and destination addresses.

This strongly suggests that the Liminal interface displayed manipulated information, likely due to a breach in their system.

Liminal Denied Allegations Amid Reopening Plan

In light of recent events, we want to clarify that Liminal's platform was not breached. Our platform continues to remain secure and fully operational for all our clients, including WazirX.

As part of our security process, we've conducted a comprehensive forensic analysis. Our…

— Liminal Custody🚀 (@liminalcustody) July 19, 2024

Liminal, however, has denied any breach of its infrastructure, maintaining that its platform remains secure and fully operational.

In a report released on July 19, Liminal suggested that the attack might have occurred by compromising all three WazirX devices, a claim WazirX’s investigation disputes.

Liminal’s stance has been that their servers were not breached and that all wallets, including those of WazirX, remain secure.

The incident highlights the significant security risks associated with “blind signing” token transactions from hardware wallets.

In this process, the transaction details, including the destination address, are not displayed on the wallet’s LED screen, forcing users to rely on a separate device or the custody provider’s interface for this information.

This practice is widely regarded as a security problem within the hardware wallet community, as it creates a theoretical risk that transaction information could be manipulated if the custody provider’s infrastructure is compromised.
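The two controls the investigation section says should have stopped the transaction (a destination whitelist and a ban on contract upgrades) and the blind-signing problem described just above can be made concrete in a small signer-side check. The following is an added example written for this article, not code from WazirX, Liminal or any wallet vendor: the payload format (UTF-8 JSON with op/to/token/amount fields), the whitelist entries, the signer identities and the HMAC used as a stand-in for a threshold-signature share are all constructed assumptions. The point it demonstrates is that a signer which decodes the bytes it is actually asked to sign, rather than trusting the summary an interface displays, can refuse a request whose displayed summary is benign but whose payload is an upgrade to a non-whitelisted address, and that a single refusing signer is enough to break a 3-plus-1 quorum.

```python
"""Added example (not WazirX's or Liminal's code): a signer-side policy check
modelling the controls the article says should have blocked the transaction.

Constructed assumptions:
- signing payloads are UTF-8 JSON with fields op/to/token/amount (a stand-in
  for a real transaction encoding);
- WHITELIST values and signer identities are made up;
- the "signature share" is an HMAC, a stand-in for a real threshold/MPC share.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed destination whitelist (hypothetical addresses).
WHITELIST = {"0xWHITELISTED_TREASURY_1", "0xWHITELISTED_HOTWALLET_2"}

# Only plain token transfers may be signed; contract upgrades never are.
ALLOWED_OPS = {"transfer"}

# Constructed quorum: three exchange signers plus one custodian signer.
EXCHANGE_SIGNERS = {"wx-signer-1", "wx-signer-2", "wx-signer-3"}
CUSTODIAN_SIGNERS = {"custodian-signer-1"}


def decode_payload(raw: bytes) -> Dict[str, str]:
    """Decode the bytes that will actually be signed (never trust a summary)."""
    return json.loads(raw.decode("utf-8"))


def policy_violations(raw: bytes, displayed: Dict[str, str]) -> List[str]:
    """Return every reason this request must not be signed (empty == clean).

    `displayed` is what the custody interface showed the operator; `raw` is
    the payload the device is being asked to sign. Checking the decoded
    payload, not the display, turns blind signing into informed signing.
    """
    tx = decode_payload(raw)
    problems: List[str] = []
    if tx.get("op") not in ALLOWED_OPS:
        problems.append(f"operation {tx.get('op')!r} is not permitted")
    if tx.get("to") not in WHITELIST:
        problems.append(f"destination {tx.get('to')!r} is not whitelisted")
    # Field-by-field comparison of the displayed summary against the payload.
    for field in ("op", "to", "token", "amount"):
        if displayed.get(field) != tx.get(field):
            problems.append(
                f"interface shows {field}={displayed.get(field)!r} "
                f"but payload contains {tx.get(field)!r}"
            )
    return problems


def sign_if_clean(signer_id: str, key: bytes, raw: bytes,
                  displayed: Dict[str, str]) -> Optional[bytes]:
    """Each signer verifies independently; returns a share or None if refused."""
    if policy_violations(raw, displayed):
        return None
    # Constructed stand-in for a threshold-signature share.
    return hmac.new(key, signer_id.encode() + raw, hashlib.sha256).digest()


def quorum_met(shares: Dict[str, Optional[bytes]]) -> bool:
    """3 exchange shares + 1 custodian share, counting only signers that did not refuse."""
    ok = {sid for sid, sig in shares.items() if sig is not None}
    return len(ok & EXCHANGE_SIGNERS) >= 3 and len(ok & CUSTODIAN_SIGNERS) >= 1


def run_signing_round(raw: bytes, displayed: Dict[str, str]) -> bool:
    """Simulate all four signers reviewing one request; True if it gets signed."""
    shares: Dict[str, Optional[bytes]] = {}
    for sid in EXCHANGE_SIGNERS | CUSTODIAN_SIGNERS:
        key = b"constructed-key-" + sid.encode()  # made-up per-signer key
        shares[sid] = sign_if_clean(sid, key, raw, displayed)
    return quorum_met(shares)


# Constructed sample 1: an honest transfer; display matches payload.
LEGIT_DISPLAY = {"op": "transfer", "to": "0xWHITELISTED_TREASURY_1",
                 "token": "USDT", "amount": "1000"}
LEGIT_RAW = json.dumps(LEGIT_DISPLAY, sort_keys=True).encode()

# Constructed sample 2: the interface shows the same benign summary, but the
# bytes presented for signing are an upgrade to an unknown contract address.
TAMPERED_DISPLAY = dict(LEGIT_DISPLAY)
TAMPERED_RAW = json.dumps({"op": "upgrade", "to": "0xUNKNOWN_CONTRACT",
                           "token": "USDT", "amount": "1000"},
                          sort_keys=True).encode()

if __name__ == "__main__":
    print("legit signed:", run_signing_round(LEGIT_RAW, LEGIT_DISPLAY))
    print("tampered signed:", run_signing_round(TAMPERED_RAW, TAMPERED_DISPLAY))
    for p in policy_violations(TAMPERED_RAW, TAMPERED_DISPLAY):
        print(" -", p)
```

Running the script signs the honest request and refuses the tampered one, listing four violations: a disallowed operation, a non-whitelisted destination, and two mismatches between the displayed summary and the decoded payload. The design choice worth noting is that the check runs on the signing device (or on an independently sourced copy of the payload), so a compromised custody interface cannot alter both the summary and the verifier at once.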

This hack also has broader implications for the crypto community, particularly regarding reliance on third-party infrastructure to secure digital assets.

WazirX pointed out that the Central Bureau of Investigation (CBI) and other organizations also use Liminal to store seized assets, raising concerns about the trustworthiness of such custodians if their security measures can be bypassed.

WazirX is continuing its comprehensive forensic analysis to uncover the full details of the cyber attack and plans to share conclusive evidence once the investigation is complete.

Meanwhile, WazirX co-founder Nischal Shetty has outlined steps to involve the community in deciding the platform’s reopening and recovery plans.

We’re working on the poll implementation. Trying to get it done and reviewed today and go live today or tomorrow.

We’re also checking with legal on what the duration should be and the date when we can open the platform if the poll results are positive.

While the objective is to…

— Nischal (Shardeum) 🔼 (@NischalShetty) July 25, 2024

These steps include running a poll to help customers decide the approach to reopening the platform and exploring solutions to unlock tokens affected by the hack.
