WazirX, one of the few Financial Intelligence Unit (FIU)-registered crypto exchanges in India, suffered a $230 million security breach on July 18, 2024. The crypto exchange confirmed the breach in a post on X (formerly Twitter) nearly 24 hours ago. Upon detecting malicious activity in its multisignature wallets, WazirX temporarily suspended withdrawals. Multisig or multisignature wallets require multiple private keys to authenticate and enable transfers before they are processed. These wallets are bound by smart contracts that determine specific access rules for accessing them.
📢 Update: We’re aware that one of our multisig wallets has experienced a security breach. Our team is actively investigating the incident. To ensure the safety of your assets, INR and crypto withdrawals will be temporarily paused. Thank you for your patience and understanding.…
— WazirX: India Ka Bitcoin Exchange (@WazirXIndia) July 18, 2024
Preliminary investigations revealed two more compromised smart contracts, aside from those that accounted for the $230 million breach. WazirX informed traders that “for the time being, we have opened up a secluded website to revoke all approvals. Your funds are at risk until you revoke,” on a post on X. This morning, the Indian crypto exchange posted a detailed timeline of events in the last 24 hours. According to the post, the suspended accounts utilized Liminal’s digital asset custody and wallet infrastructure as of February 2023. Each wallet was protected by six signatories: five from the WazirX team and one from Liminal, who collectively monitored transaction verifications.
“A transaction typically requires approval from three of the WazirX signatories (all three of whom use Ledger Hardware Wallets for security), followed by the final approval from Liminal’s signatory. A policy to whitelist destination addresses was also in place to enhance security. These whitelisted addresses were earmarked and facilitated on the interface by Liminal; consequently, the WazirX team had the ability to initiate transactions to the said whitelisted addresses,” as explained in the same post.
The cause of most crypto phishing attacks remain unknown; however, tampered infrastructure often provides insights into the modus operandi of the theft. WazirX suspects a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents. As the data on Liminal’s interface and record of actual signatures failed to align, WazirX suspects “displayed on Liminal’s interface and the transaction’s actual contents.”
Most crypto wallets are protected using a multi-dimensional approach. In the case of WazirX, the Gnosis Safe multisig smart contract platform and Liminal’s whitelisting policy were compromised during the security breach.
