Overview
On July 18, 2024, WazirX, a prominent cryptocurrency exchange, confirmed a substantial security breach leading to the loss of approximately $235 million from a multisig wallet. The incident prompted the exchange to temporarily suspend withdrawals of Indian Rupees (INR) and cryptocurrencies, causing concern in the crypto community.
Attack Details
Incident Overview
According to reports, the breach targeted a multisig wallet that required multiple private keys for transaction authorization. The compromised wallet, utilized since February 2023, relied on digital asset custody services provided by Liminal.
The breach resulted in a loss exceeding $230 million, prompting WazirX to take immediate action to secure the remaining assets.
Wallet Configuration and Breach Mechanics
The affected wallet involved six signatories, with five from the WazirX team and one from Liminal. Transactions typically needed approval from three WazirX signatories using Ledger Hardware Wallets for enhanced security, followed by final approval from Liminal’s representative.
Despite these controls, the breach occurred because what Liminal’s interface displayed did not match the transaction contents that were actually signed. The attackers appear to have manipulated the transaction payload to gain unauthorized control of the wallet.
WazirX acknowledged that the attack capitalized on a disparity between displayed data and signed information, likely altering the transaction payload to divert funds. Despite the presence of multisig wallets and whitelisting policies, the attackers breached these defenses.
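The mitigation implied by the paragraphs above is that each signer independently verifies the bytes it is about to sign against the transfer it intends, rather than trusting an interface's summary. The following added example (not code from WazirX, Liminal, or any party to the incident) shows such a check. It assumes a Safe-style sign request with `to`, `value`, `data` and `operation` fields; whether WazirX's wallet used exactly this layout is not stated in the article. It decodes a single ERC-20 `transfer(address,uint256)` call and flags a swapped recipient, a non-zero value, a delegatecall, or a payload that targets the wallet's own address (the general shape of the "malicious upgrade" described under Insights from Experts). All addresses are constructed placeholders.

```python
"""Independent check of a multisig sign request against the signer's intent.
Added example; generic, not WazirX's or Liminal's code. Field layout is an
assumption (Safe-style to/value/data/operation); addresses are constructed."""
from dataclasses import dataclass

# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 selector
ERC20_TRANSFER_SELECTOR = "a9059cbb"
OP_CALL = 0          # plain call
OP_DELEGATECALL = 1  # runs foreign code inside the wallet's own storage context


@dataclass(frozen=True)
class IntendedTransfer:
    token: str       # token contract address, or "" for the native asset
    recipient: str
    amount: int      # in the smallest unit


@dataclass(frozen=True)
class SignRequest:
    to: str          # contract or account the wallet will call
    value: int       # native value forwarded with the call
    data: str        # calldata as hex, no 0x prefix
    operation: int   # OP_CALL or OP_DELEGATECALL


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256); used here only to build samples."""
    return (ERC20_TRANSFER_SELECTOR
            + recipient[2:].lower().rjust(64, "0")
            + format(amount, "064x"))


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if data is exactly one ERC-20 transfer, else None."""
    data = data.lower()
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    if data[8:32] != "0" * 24:  # an address must be left-padded with zeros
        return None
    return "0x" + data[32:72], int(data[72:136], 16)


def check_sign_request(intended, req, wallet_address, whitelist):
    """Compare what the signer means to approve with what is actually signed.
    Returns a list of findings; an empty list means the payload matches."""
    findings = []
    allowed = {a.lower() for a in whitelist}
    if req.operation != OP_CALL:
        findings.append("operation is not a plain CALL (delegatecall can rewrite wallet logic)")
    if req.to.lower() == wallet_address.lower():
        findings.append("payload targets the wallet itself (self-call / upgrade shape)")
    if req.to.lower() not in allowed:
        findings.append(f"target {req.to} is not on the whitelist")
    if intended.token == "":
        if req.to.lower() != intended.recipient.lower():
            findings.append("native transfer: recipient differs from intended")
        if req.value != intended.amount:
            findings.append("native transfer: amount differs from intended")
        if req.data != "":
            findings.append("native transfer: unexpected calldata attached")
    else:
        if req.to.lower() != intended.token.lower():
            findings.append("token transfer: call target is not the intended token contract")
        if req.value != 0:
            findings.append("token transfer: native value should be zero")
        decoded = decode_erc20_transfer(req.data)
        if decoded is None:
            findings.append("token transfer: calldata is not a single ERC-20 transfer")
        else:
            rcpt, amt = decoded
            if rcpt != intended.recipient.lower():
                findings.append(f"token transfer: calldata recipient {rcpt} differs from intended")
            if amt != intended.amount:
                findings.append("token transfer: calldata amount differs from intended")
    return findings


# Constructed placeholder addresses (not real accounts)
WALLET = "0x" + "11" * 20
TOKEN = "0x" + "aa" * 20
PAYOUT = "0x" + "bb" * 20
DRAIN = "0x" + "cc" * 20
WHITELIST = [TOKEN, PAYOUT]
INTENDED = IntendedTransfer(token=TOKEN, recipient=PAYOUT, amount=1_000_000)


def honest_request():
    return SignRequest(TOKEN, 0, encode_erc20_transfer(PAYOUT, 1_000_000), OP_CALL)


def tampered_request():
    # Same on-screen summary, different signed bytes: recipient swapped, delegatecall set
    return SignRequest(TOKEN, 0, encode_erc20_transfer(DRAIN, 1_000_000), OP_DELEGATECALL)


def upgrade_shaped_request():
    # Calls the wallet contract itself with opaque calldata
    return SignRequest(WALLET, 0, "deadbeef", OP_CALL)


if __name__ == "__main__":
    for name, req in [("honest", honest_request()), ("tampered", tampered_request()),
                      ("upgrade-shaped", upgrade_shaped_request())]:
        print(name, check_sign_request(INTENDED, req, WALLET, WHITELIST) or ["ok"])
```

The check is meant to run on the signer's side from the raw payload, before the hardware wallet is asked to sign; a hardware device that only shows a hash cannot reveal a mismatch on its own, so each signer needs an independent decode of the bytes it is approving.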
Response and Recovery Efforts
In response to the breach, WazirX filed a police complaint and initiated legal proceedings. They reported the incident to the Financial Intelligence Unit (FIU) and CERT-In. WazirX also contacted over 500 exchanges to block identified addresses and collaborate on fund recovery.
The exchange is collaborating with forensic experts and law enforcement agencies to trace the stolen funds and recover customer assets. Additionally, they are investigating the breach comprehensively to prevent future security lapses.
WazirX assured its users of its commitment to resolving the situation and undertaking all necessary measures to address the breach.
Insights from Experts
Mudit Gupta, Chief Information Security Officer at Polygon Labs, suggested that the hackers had prepared for the attack over a week. Gupta explained how the attackers upgraded the multisig to a malicious version, facilitating the draining of the wallet.
Blockchain analysts suspect that the Lazarus Group, a well-known North Korean hacking collective, may be responsible for the breach.