
[Update] WazirX’s Crypto Heist: Probe Finds Attack Originated From Liminal’s Infrastructure

SUMMARY

After experiencing a security breach on July 18, the cryptocurrency exchange has launched a preliminary investigation in connection with the cyber attack.

According to its preliminary findings, the attack likely originated from Liminal's infrastructure, bypassing their final verification step.

The findings further revealed that the malicious transaction was sent to an address that was not among the whitelisted destination addresses, and so should have been blocked by Liminal’s firewall and whitelist policy.


Update | July 27, 1:02 PM

A day after Inc42 reported that WazirX’s preliminary investigation found that the cyber attack on the cryptocurrency exchange likely originated from Liminal’s infrastructure, the latter dismissed the findings, saying that the “incident originated from an external source”.

“On July 19, 2024, we were notified of a security incident affecting a self-custody multi-signature smart contract wallet used by one of our customers, WazirX. This wallet was reported to be compromised on July 18. Our initial assessment indicates that Liminal’s platform, infrastructure, wallets, and assets remain secure. We reiterate that our platform continues to operate seamlessly, processing transfers and withdrawals for all our customers,” a Liminal spokesperson said in a statement.

“To uphold highest standards of transparency, Liminal has proactively engaged independent CERT certified, third-party experts to conduct thorough forensic audits backed by published reports. As a wallet infrastructure support platform, we emphasise that this incident originated from an external source, underscoring the crucial need for comprehensive security measures across platforms,” the spokesperson added.

Original Story | July 26, 11:48 AM

Days after WazirX experienced a major security breach, resulting in withdrawals of around $234.9 Mn during the early European hours, the cryptocurrency exchange has launched a preliminary investigation in connection with the cyber attack.

Following this, the company also announced a prize of $23 Mn as a part of its bounty programme to recover the $230 Mn assets stolen during the attack.

According to its preliminary findings, the attack likely originated from Liminal’s infrastructure, bypassing their final verification step, as evidenced by the use of 3 WazirX signatures and 1 Liminal signature. 

Liminal is a digital asset management platform that helps secure and manage cryptocurrency transactions through a structured and secure process. It is specifically designed to handle high-value transactions and prevent unauthorised or malicious transfers. 

As per the company, the attack involved a contract upgrade that Liminal’s interface reportedly does not permit. 

“We have representations from Liminal that their interface does not allow initiating contract upgrade from its interface,” the company said in a statement.

However, it shared that none of its signers’ machines were compromised.

The findings further revealed that the malicious transaction was sent to an address that was not among the whitelisted destination addresses, and so should have been blocked by Liminal’s firewall and whitelist policy.

“Contrary to some reports by self-proclaimed crypto experts on social media, WazirX did not sign any malicious transactions 8 days before the attack. The attacker had created smart contracts on July 10, 2024, but these had no interaction with the WazirX wallet until July 18, 2024,” the company said in a blog post.

WazirX’s security breach impacted one of its wallets, a Safe Multisig on the Ethereum network, resulting in the loss of user funds.

Founded in 2017, WazirX is a bitcoin and cryptocurrency exchange where you can buy, sell, and trade digital assets, catering to both first-time investors and professional traders alike.

Based on its preliminary analysis, the company has outlined two potential scenarios that may have occurred. Scenario 1 suggests that the malicious transactions were directly received by the WazirX signers from Liminal due to a possible breach of Liminal’s infrastructure. 

Scenario 2 proposes that malware compromised all three WazirX signers’ devices. Although there is no preliminary evidence of malware, WazirX has initiated a forensic investigation. 

Given the current findings, WazirX believes Scenario 1 is more likely but awaits further forensic results before confirming. 
