A preliminary investigation into the $235 million WazirX cryptocurrency exchange breach of July 18 found no evidence of compromise within the exchange's own infrastructure.
The exchange suggests the intrusion most likely originated on the side of Liminal, its multi-party computation (MPC) wallet provider.
WazirX and Liminal have issued conflicting reports, each pointing to the other's infrastructure as the point of compromise.
WazirX Investigation: Liminal; A Potential Catastrophic Cause
The WazirX cryptocurrency exchange lost $235 million in a breach on July 18, prompting a detailed investigation and close scrutiny.
In a preliminary report issued on July 25, WazirX disclosed that its investigation had uncovered no indication that the signer devices in its infrastructure had been compromised.
Instead, it proposed that the intrusion may have originated with Liminal, its multi-party computation (MPC) wallet provider.
The WazirX team has been conducting an exhaustive search for indicators of compromise within its own systems.
Despite a comprehensive forensic analysis, it has been unable to find evidence that its signers' devices were infiltrated.
The investigation showed that the transactions associated with the breach were processed through Liminal's infrastructure and carried three WazirX signatures and one Liminal signature, which points to a weakness in Liminal's security controls.
The WazirX report highlights what it calls critical deficiencies in those controls: the Liminal MPC wallet, which is meant to block withdrawals to non-whitelisted addresses, failed to do so.
Furthermore, the malicious transaction contained a contract upgrade that transferred control of the contract to the attacker, an operation that Liminal's interface is not supposed to allow.
According to WazirX, multiple pieces of evidence indicate that Liminal's infrastructure, rather than its own, was penetrated.
WazirX's hardware wallets received no new connection requests, the signing requests came from whitelisted addresses, and every signer saw the expected token and destination address.
This strongly implies that the Liminal interface displayed manipulated information, most likely as the result of a compromise of Liminal's systems.
Liminal Denies Allegations in the Context of Reopening Plan
Liminal, however, has denied any breach of its infrastructure, asserting that its platform is fully operational and secure.
In a report published on July 19, Liminal suggested that the attack could have resulted from the compromise of all three WazirX signer devices, a claim WazirX's investigation disputes.
Liminal has maintained that its servers were not compromised and that all wallets, including those of WazirX, remain secure.
The incident underscores the substantial security risk of "blind signing" token transactions from hardware wallets.
In blind signing, the wallet's screen does not display the transaction details, including the destination address, so signers must rely on a separate device or the custody provider's interface to see what they are approving.
The hardware wallet community generally regards this as a security weakness, because the signer cannot independently verify the payload: if the custody provider's infrastructure is compromised, the transaction details it displays can be swapped while the signer approves something else.
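As an added illustration (not code from WazirX, Liminal, or the original report), the following Python models the blind-signing problem described above together with the two control failures cited earlier, the whitelist bypass and the contract upgrade. A signer that only sees a digest cannot distinguish the transfer the interface displays from an `upgradeTo` call delivered in its place, while a co-signer that decodes the raw calldata and checks it against the displayed summary and the whitelist rejects it. The addresses, amounts, the `Tx` structure and the hash construction (`sha3_256` standing in for the keccak-256 of an RLP-encoded transaction) are constructed assumptions; the two selectors are the standard ERC-20 `transfer(address,uint256)` and EIP-1967 proxy `upgradeTo(address)` values, used only as labels.

```python
import hashlib
from dataclasses import dataclass

# Function selectors (first 4 bytes of keccak-256 of the signature).
# Standard ERC-20 transfer and EIP-1967 proxy upgradeTo; used only to label calldata.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
UPGRADE_TO_SELECTOR = bytes.fromhex("3659cfe6")


@dataclass(frozen=True)
class Tx:
    to: str       # contract being called (token contract or proxy), "0x..." hex
    data: bytes   # ABI-encoded calldata


def _addr_bytes(addr: str) -> bytes:
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw


def encode_transfer(recipient: str, amount: int) -> bytes:
    return TRANSFER_SELECTOR + b"\x00" * 12 + _addr_bytes(recipient) + amount.to_bytes(32, "big")


def encode_upgrade_to(new_impl: str) -> bytes:
    return UPGRADE_TO_SELECTOR + b"\x00" * 12 + _addr_bytes(new_impl)


def decode_call(data: bytes) -> dict:
    """Decode the two call shapes this example knows about."""
    sel, args = data[:4], data[4:]
    if sel == TRANSFER_SELECTOR and len(args) == 64:
        return {"method": "transfer",
                "to": "0x" + args[12:32].hex(),
                "amount": int.from_bytes(args[32:64], "big")}
    if sel == UPGRADE_TO_SELECTOR and len(args) == 32:
        return {"method": "upgradeTo", "new_impl": "0x" + args[12:32].hex()}
    return {"method": "unknown", "selector": sel.hex()}


def signing_hash(tx: Tx) -> bytes:
    # Stand-in (assumption) for the keccak-256 digest of the RLP-encoded transaction.
    return hashlib.sha3_256(_addr_bytes(tx.to) + tx.data).digest()


def blind_sign(digest: bytes) -> str:
    # A blind signer sees only this 32-byte digest: its screen cannot show the
    # destination or method, so it cannot tell a transfer from an upgrade.
    return "sig:" + digest.hex()


def verify_before_signing(tx: Tx, shown: dict, whitelist: set) -> tuple:
    """Independent check a co-signer runs on the raw payload, not on the UI summary."""
    call = decode_call(tx.data)
    if call["method"] != "transfer":
        return False, f"refusing non-transfer call: {call['method']}"
    if tx.to.lower() != shown["token"].lower():
        return False, "token contract differs from what the interface displayed"
    if call["to"].lower() != shown["to"].lower():
        return False, "recipient differs from what the interface displayed"
    if call["amount"] != shown["amount"]:
        return False, "amount differs from what the interface displayed"
    if call["to"].lower() not in {a.lower() for a in whitelist}:
        return False, "recipient is not whitelisted"
    return True, "payload matches displayed summary and whitelist"


# Constructed addresses (not real contracts or wallets).
TOKEN = "0x" + "11" * 20
HOT_WALLET = "0x" + "22" * 20
ATTACKER_IMPL = "0x" + "33" * 20
WHITELIST = {HOT_WALLET}

# What the custody interface shows every signer.
SHOWN = {"token": TOKEN, "to": HOT_WALLET, "amount": 1_000 * 10**18}

HONEST_TX = Tx(to=TOKEN, data=encode_transfer(HOT_WALLET, SHOWN["amount"]))
# Same displayed summary, but the payload actually delivered to the signers
# upgrades the contract to attacker-controlled code.
UPGRADE_TX = Tx(to=TOKEN, data=encode_upgrade_to(ATTACKER_IMPL))

if __name__ == "__main__":
    for name, tx in (("honest", HONEST_TX), ("upgrade", UPGRADE_TX)):
        print(name, "blind:", blind_sign(signing_hash(tx))[:20] + "...",
              "| checked:", verify_before_signing(tx, SHOWN, WHITELIST))
```

Both transactions produce a valid-looking signature from `blind_sign`, because the blind signer has nothing but a digest to go on; only `verify_before_signing`, which decodes the bytes that are actually being signed, separates the displayed transfer from the substituted upgrade. In a multi-signer setup the point is that each party runs this check on its own copy of the payload rather than trusting the provider's rendering.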
The breach also has broader implications for the crypto community, particularly regarding reliance on third-party infrastructure to secure digital assets.
The Central Bureau of Investigation (CBI) and other organizations also use Liminal to hold seized assets, which raises questions about the reliability of such custodians if their security controls are vulnerable in the way WazirX describes.
WazirX is continuing its forensic analysis to determine the full extent of the attack and intends to publish conclusive evidence once the investigation is complete.
In the interim, WazirX co-founder Nischal Shetty has outlined how the community will be involved in decisions about the platform's reopening and recovery plans.
These steps include polling customers on the preferred course of action for reopening the platform and exploring ways to unlock tokens affected by the breach.