TLDR
- On July 18, 2024, WazirX, a prominent crypto exchange in India, experienced a staggering hack totaling $235 million.
- After conducting their investigation, WazirX did not find any signs that their own systems had been compromised.
- The exchange points fingers at their multi-party computation wallet provider, Liminal, hinting that this is where the breach might have started.
- Liminal disputes these claims, asserting their infrastructure wasn't breached and implying that the attack could have originated from vulnerabilities in WazirX devices.
- This incident underscores the security risks involved with 'blind signing' transactions on hardware wallets.
A highly orchestrated cyberattack hit WazirX, a key player in India's crypto scene, leading to a $235 million loss.
The event has sparked an intense debate between WazirX and Liminal, its MPC wallet provider, regarding who is at fault for the security lapse.
In its initial findings, released on July 25, WazirX said it found no proof that its own infrastructure had been hacked. The exchange emphasizes that there is no evidence of a compromise on its signer machines, which leaves other potential entry points for the breach open.
For further details, you can delve deeper into this subject in our blog 👇
— WazirX: India Ka Bitcoin Exchange (@WazirXIndia) https://t.co/UQD7LVUy0v
Instead of shouldering any guilt, WazirX suggests that the root of the issue lies with Liminal. They claim the illegitimate transactions occurred via Liminal, utilizing a combination of signatures from both entities.
WazirX has been critical of Liminal's security protocols, especially highlighting instances where the MPC wallet failed to restrict withdrawals to verified addresses during the attack.
Furthermore, the rogue transaction involved an unauthorized contract upgrade that transferred control to the hacker, an action supposedly not feasible through Liminal’s setup.
WazirX’s analysis showed that no new requests reached its hardware wallets. The exchange insists that every call originated from already approved addresses, which it says points to a crack in Liminal’s defenses rather than its own.
Yet Liminal has steadfastly countered these claims. In a report released on July 19, it affirmed its infrastructure's robustness.
Liminal clarified that its operations remain unaffected and secure, and that it continues to serve all clients, including WazirX. Following its security protocols, Liminal conducted a thorough forensic investigation of its systems.
They hypothesize that the exploit might have involved compromising every WazirX-associated device, a theory contested by WazirX’s findings.
The fiasco has emphasized the dangers linked to 'blind signing' in the hardware wallet domain, where users approve transactions without seeing the actual details on the device's screen, a topic of concern among hardware wallet users.
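An added illustration of the check that blind signing skips (not code from WazirX, Liminal or any wallet vendor): before a signature is requested, the calldata is decoded into a readable intent, and anything undecodable or paying a non-allowlisted address is refused. It assumes an EVM-style chain and ERC-20 tokens, which the article does not specify; the addresses, the `0xdeadbeef` selector and the function names are constructed, and only the ERC-20 `transfer` selector is a real constant.

```python
"""Pre-signing check: show the signer the decoded call and enforce an allowlist."""

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)

# Constructed sample addresses (not real accounts or contracts).
TOKEN = "0x" + "11" * 20      # a token contract the custodian knows
TREASURY = "0x" + "22" * 20   # an approved withdrawal address
UNKNOWN = "0x" + "33" * 20    # an address that was never approved


def transfer_calldata(recipient, amount):
    """Build ERC-20 transfer calldata for the samples below."""
    return "0x a9059cbb".replace(" ", "") + recipient[2:].rjust(64, "0") + format(amount, "064x")


def review_transaction(to, data_hex, allowed_recipients, known_tokens):
    """Return (approve, summary). Anything that cannot be decoded is refused."""
    to = to.lower()
    allowed = {a.lower() for a in allowed_recipients}
    tokens = {t.lower() for t in known_tokens}
    try:
        data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    except ValueError:
        return False, "REFUSE: calldata is not valid hex"
    if not data:  # plain value transfer: the recipient is the `to` field itself
        ok = to in allowed
        return ok, f"{'OK' if ok else 'REFUSE'}: native transfer to {to}"
    if to not in tokens:
        return False, f"REFUSE: call into unknown contract {to}"
    if data[:4] != TRANSFER_SELECTOR or len(data) != 68:
        # Opaque calls (an upgrade, an approval, ...) are never signed blind.
        return False, f"REFUSE: undecoded call 0x{data[:4].hex()} on {to}"
    if any(data[4:16]):  # upper 12 bytes of the address word must be zero
        return False, "REFUSE: malformed address argument"
    recipient = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    ok = recipient in allowed
    return ok, f"{'OK' if ok else 'REFUSE'}: transfer {amount} units of token {to} to {recipient}"


if __name__ == "__main__":
    samples = [
        (TOKEN, transfer_calldata(TREASURY, 1000)),   # approved withdrawal
        (TOKEN, transfer_calldata(UNKNOWN, 1000)),    # recipient not allowlisted
        (TOKEN, "0xdeadbeef" + "00" * 32),            # constructed opaque call
    ]
    for to, data in samples:
        print(review_transaction(to, data, {TREASURY}, {TOKEN})[1])
```

The summary string is what a signer would need to see on a trusted display before approving; the refusal paths matter more than the happy path.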
Concerns over the robustness of third-party crypto-security infrastructures have been amplified by this breach, as WazirX questions the dependability of such custodians, noting some also safeguard seized assets for organizations like the CBI.
As investigations press on, WazirX has paused its services, working on a blueprint to resume them. Co-founder Nischal Shetty lays out plans to involve the community in discussions about the platform’s future reopening strategies.
Steps to course-correct include a customer-driven poll and exploring methods to recover tokens affected by the intrusion.
Editor-in-Chief of Blockonomi and founder of Kooc Media, a UK-Based online media company, is an advocate for open-source initiatives, blockchain innovations, and an unfettered internet for all.
His published works have been quoted in top-tier publications such as Nasdaq, Dow Jones, The New Yorker, and more.