A preliminary investigation of the July 18 WazirX cryptocurrency exchange hack did not find “any evidence that WazirX signers’ machines were compromised,” according to a July 25 report from the exchange’s team. The post suggested that a breach in the system of multi-party computation (MPC) wallet provider Liminal may have been the cause of the $235 million exploit.
Liminal previously released a report suggesting that compromised WazirX machines were the cause of the exploit.
“Our preliminary findings have not found any evidence that WazirX signers’ machines were compromised,” the July 25 WazirX report states. The team is conducting a “thorough forensic analysis to uncover the full details of the cyber attack” and will share “conclusive evidence” of what happened once this analysis is complete.
According to WazirX, despite searching for evidence that their own devices were compromised, the team’s investigators “have been unable to find any evidence that WazirX signers’ machines were compromised.” Instead, they found that the attack “involved the flow of transactions through Liminal infrastructure, as evidenced by the use of 3 WazirX signatures and 1 Liminal signature.”
The Liminal MPC wallet was supposed to prevent any withdrawals from being sent to non-whitelisted addresses. But it failed to do so, WazirX claimed.
In addition, the malicious transaction “upgraded the [multisig wallet] contract to transfer the control to the attacker,” which Liminal’s interface is not supposed to allow.
The report claims that India’s Central Bureau of Investigation (CBI) is a client of Liminal, as it uses the service to store assets seized during investigations. It suggests that the agency may not have used Liminal as a trusted custodian if it had known the wallet contract could be upgraded through Liminal’s interface.
“We have representations from Liminal that their interface does not allow initiating contract upgrade from its interface. It is pertinent to state here that the Central Bureau of Investigation (CBI), India’s premier investigative agency, has entrusted Liminal Custody Solutions with the secured non-custodial storage of digital assets seized during investigations which may also be based upon such representations by Liminal.”
The report hypothesizes that there are only two different ways the hack could have occurred. First, Liminal’s infrastructure could have been breached, causing its user interface (UX) to display false information when viewed by WazirX employees. Second, three separate WazirX devices could have been compromised, causing local copies of the UI to display false information.
However, multiple pieces of evidence suggest that Liminal’s infrastructure was breached, not WazirX’s, the report argues. First, there was no new connection request sent to Wazirx’s hardware wallets. Second, the request came from a whitelisted address, and third, all of the signers “saw the expected token name (USDT and GALA) and destination address on the Liminal interface as well as received email notifications.”
WazirX claims that these pieces of evidence provide strong evidence that a Liminal breach was the cause of the attack. Even so, they “await conclusive forensic results before making a final determination.”
The report also seeks to draw attention to the hack’s wider implications for the crypto community. One major cause of the hack was the necessary practice of “blind signing” token transactions from hardware wallets. Because token transactions do not show a destination address on the wallet’s LED screen, the user cannot definitively know where they are sending their tokens. Instead, they must rely on a separate device or custody provider’s interface to give them this information.
“If a custody provider’s infrastructure is compromised, there’s a theoretical risk that displayed transaction information could be manipulated, even with robust security measures in place,” the report stated.
In Liminal’s July 19 report on the attack, it claimed that its server infrastructure “is not breached and all wallets on Liminal’s infrastructure, including WazirX’s other Gnosis SAFE wallets deployed entirely from within Liminal’s platform continue to remain safe & secure.” It suggested that the attack may have been caused by an attacker gaining control of all three of the WazirX devices.
Related: Liminal blames compromised WazirX devices for hack
The practice of “blind signing” is widely regarded as a security problem within the hardware wallet community. In December, hardware wallet manufacturer Ledger promised to reimburse users after more than $600,000 of assets were stolen from them through blind signing exploits. Ledger promised to disable the ability to blind sign after June, 2024. In its report, WazirX did not state what brand of hardware wallets were used by their employees.
Magazine: Crypto-Sec: Evolve Bank suffers data breach, Turbo Toad enthusiast loses $3.6K