- Indian exchange WazirX has sparked a blame game with its custody partner Liminal after a $230 million hack
- WazirX noted that the hacked wallet was operated by Liminal, but Liminal has said WazirX set the wallet up
- A security expert has said that the hackers practiced onchain for eight days prior to the attack
Indian crypto exchange WazirX has sparked a blame game between itself and the company operating its custody services following a $230 million hack on one of its multi-signatory wallets. WazirX uses Liminal Custody services to look after its holdings, and the exchange noted in a lengthy X post in the wake of the hack that the wallet in question was operated by Liminal. Liminal, in return, has stated that the wallet in question was “created outside of the Liminal ecosystem,” shifting the blame back to WazirX.
Multi-sig Wallet Compromised
The trouble started when hackers, thought to be from the Lazarus group, compromised a multi-sig wallet within WazirX, which allowed them to steal $230 million in BTC, ETH, USDT, USDC and more. WazirX posted a post-mortem hours afterwards, breaking down the hack:
At WazirX, our commitment to transparency and community welfare is paramount. There was a cyber attack on one of our multisig wallets. Below are the preliminary findings to clarify the situation:
» Incident Overview: A cyber attack occurred in one of our multisig wallets…
— WazirX: India Ka Bitcoin Exchange (@WazirXIndia) July 18, 2024
The affected multisig wallet was set up to provide an extra layer of security for managing and executing transactions. This setup required multiple approvals to authorize any transaction, ensuring that no single person could unilaterally access or transfer the funds.
The wallet had six signatories involved in the approval process. Five of these signatories were from the WazirX team, and each used a Ledger Hardware Wallet, making it less susceptible to online attacks. The sixth signatory was from Liminal. For a transaction to be approved and executed, it needed at least three of the five WazirX signatories to provide their authorization using their Ledger Hardware Wallets.
Once these three approvals were secured, the transaction required final approval from the Liminal signatory. This final step by Liminal was crucial, as it acted as an additional checkpoint before any funds could be moved.
Information “Mismatch” Blamed
To further enhance security, a whitelisting policy was implemented. This policy ensured that transactions could only be sent to pre-approved addresses, which were set up and managed through Liminal’s interface. These whitelisted addresses were intended to add an extra layer of protection, ensuring that funds could only be transferred to trusted and verified destinations.
Despite these robust security measures, there was what WazirX termed “a mismatch between the information displayed on Liminal’s interface and what was actually signed.” This mismatch allowed the attackers to alter the transaction details and gain control of the wallet, leading to the breach.
WazirX noted pointedly that the affected wallet “was operated utilizing the services of Liminal’s digital asset custody and wallet infrastructure from February 2023,” which immediately put the pressure on Liminal to explain the mismatch. The company responded with its own smaller post-mortem, in which it put the blame back on WazirX:
Update: Our preliminary investigations show that one of the self custody multi-sig smart contract wallets created outside of the Liminal ecosystem has been compromised. We can confirm that Liminal’s platform is not breached and Liminal’s infrastructure, wallets and assets…
— Liminal Custody🚀 (@liminalcustody) July 18, 2024
Liminal attested that its platform was not breached and that its “infrastructure, wallets and assets continue to remain safe,” before sticking the knife into its customer:
It is also pertinent to note that all WazirX wallets created on the Liminal platform continue to remain secure and protected. Meanwhile, all the malicious transactions to the attacker’s addresses have occurred from outside of the Liminal platform.
This tit-for-tat blame game didn’t go down well with customers:
Hi guys that’s nice but I don’t give A FLYING FUCK abt your attempt to pass the buck here. Grow the fuck up.
Right now the only thing you need to be doing is ensuring that people—YOUR FUCKING CUSTOMERS AND THEIR FUCKING USERS—are secure and preventing further loss. NOW.
— Tay 💖 (@tayvano_) July 18, 2024
wow liminal putting blame on @WazirXIndia @NischalShetty and they putting blame on liminal lol
— penguinpecker🐧 (@penguinpecker1) July 18, 2024
Hackers “Practiced for 8 Days”
The hack itself has been described as “very methodical and organized” by Polygon Labs’ Chief Information Security Officer, Mudit Gupta, who said on X that the hackers practiced the raid onchain at least eight days beforehand.
Gupta added that the hackers “likely didn’t have access to all the required private keys and were dependent on signature phishing,” claiming that they “likely compromised 2 out 4 private keys directly and the remaining two were signature phished via a UI/Wallet compromise. My bet is on wallet compromise/custody provider compromise.”
WazirX has not commented on the impact of the hack to its operations, saying only that it will “overcome this challenge and emerge stronger and more resilient than ever.”
