WazirX hacked but Liminal is to blame?

On 18 July 2024, WazirX multisig wallet was compromised and cryptocurrencies worth around $230 million (~₹2,000 crore) were stolen.

How could that happen? The short answer is that both WazirX and their custody service provider, Liminal, messed up. Let’s dive into it, starting with how the wallet was set up.

The wallet

The exploited wallet was a 4/6 multisig. This means that at least 4 out of the 6 signers had to approve every transaction. Five of the six signers were from WazirX, and the sixth was from Liminal. To execute a transaction, three WazirX signers first approve it. Then, Liminal checks whether the transaction meets WazirX’s policies before giving the final approval and executing the transaction.

The hack

The attackers managed to upgrade the multisig (multi-signature) wallet to a malicious version, allowing them to steal all the funds. This upgrade required signatures from three WazirX signers and one Liminal signer. Interestingly, instead of directly transferring the funds using the compromised signers, they upgraded the wallet to a version that no longer required WazirX or Liminal signatures. This suggests that the attackers didn’t have access to all the private keys. If they had, they would have simply transferred the funds directly, likely choosing a time when the signers were inactive rather than during active operations as they actually did.

There are several theories about why WazirX and Liminal signed off on the malicious transactions. Here are the most likely scenarios in my opinion, though they should be taken with caution until WazirX and Liminal complete their investigations.

Liminal’s Role

The Liminal signer is only supposed to sign transactions that pass through its firewall and the whitelist set by WazirX. However, since the malicious transaction was signed by Liminal, it must have passed through these safeguards. This suggests either a misconfiguration or a bug in the firewall/whitelist, allowing the malicious transaction to slip through. Once three WazirX signers had signed the malicious transaction, Liminal followed suit because its firewall didn’t flag it.

WazirX Signers and Phishing

The leading theory is that the WazirX signers were phished for signatures. They intended to sign a regular operational transaction, but the UI showed innocent transaction details while sending malicious data to their hardware devices for signing. Why did this happen? Two possible reasons:

  1. The laptops used by the WazirX signers were compromised.
  2. The UI provided by Liminal was compromised.

Both WazirX and Liminal claim they weren’t compromised, but clearly, at least one of them was.
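As an added illustration (not WazirX’s or Liminal’s code), here is the kind of policy check a custody firewall like the one described above is supposed to apply, and which each signer could also run locally against the raw transaction fields before approving anything on a hardware device. It assumes a Safe-style transaction layout (to, value, data, operation) and uses constructed sample addresses.

```python
from collections import namedtuple

CALL = 0                        # Safe-style "operation" field; 1 would be delegatecall (assumed model)
TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")

# Constructed sample addresses, not the real WazirX or Liminal ones.
MULTISIG, USDT, HOT_WALLET = ("0x" + b * 20 for b in ("11", "22", "33"))

# multisig: the wallet itself; allowed_tokens: contracts it may call;
# allowed_recipients: where tokens may go; max_amount: per-tx cap in base units.
Policy = namedtuple("Policy", "multisig allowed_tokens allowed_recipients max_amount")
# to/value/data/operation: the raw fields every signer actually signs over.
Tx = namedtuple("Tx", "to value data operation")

def encode_transfer(recipient, amount):
    """ABI-encode ERC-20 transfer(recipient, amount) calldata (hex, no 0x)."""
    return TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + f"{amount:064x}"

def decode_transfer(data):
    """Parse ERC-20 transfer calldata; return (recipient, amount) or None."""
    if len(data) != 8 + 64 + 64 or data[:8] != TRANSFER_SELECTOR:
        return None
    word = data[8:72]
    if word[:24] != "0" * 24:  # address word must be zero-padded on the left
        return None
    return "0x" + word[24:], int(data[72:], 16)

def check(tx, policy):
    """Return (approved, reason) for a proposed multisig transaction."""
    if tx.operation != CALL:
        return False, "delegatecall executes foreign code against the wallet's own storage"
    if tx.to.lower() == policy.multisig:
        return False, "calls to the multisig itself (owners, threshold, upgrades) are not routine"
    if tx.value != 0:
        return False, "native value transfers are not whitelisted"
    if tx.to.lower() not in policy.allowed_tokens:
        return False, f"destination {tx.to} is not a whitelisted token contract"
    decoded = decode_transfer(tx.data)
    if decoded is None:
        return False, "calldata is not a plain ERC-20 transfer"
    recipient, amount = decoded
    if recipient not in policy.allowed_recipients:
        return False, f"recipient {recipient} is not whitelisted"
    if amount > policy.max_amount:
        return False, f"amount {amount} exceeds the per-transaction limit"
    return True, f"transfer {amount} base units to {recipient} via {tx.to}"
```

The returned reason string is what a signer should compare against the hardware wallet’s screen rather than the web UI. A transaction whose raw fields target the multisig itself, or use delegatecall, never passes even if the UI labels it as a routine USDT transfer.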

It is worth noting that WazirX’s infrastructure, including their website, hot wallets, and databases, was not impacted in this hack. Only the multisig was impacted. If we believe the theory that the hackers compromised three of the WazirX laptops, then it becomes hard to believe that they couldn’t breach the rest of the infrastructure.

The hackers

The hackers conducted a dry run of their attack on fresh contracts they deployed 8 days before executing it on WazirX contracts. Although the initial dry run had nothing to do with WazirX, it shows that the hackers had planned the attack thoroughly. They began stealing funds immediately after upgrading the multisig to a malicious implementation. Once the funds were stolen, the hackers started laundering them soon after. They converted most crypto assets into Ether using various DEXes and DEX aggregators. Interestingly, the hackers used a lot of user interfaces for their swapping instead of just scripts, leaving small breadcrumbs of information along the way.

The hackers’ accounts were initially funded by Tornado Cash, but they didn’t use Tornado Cash to its full extent. They were deanonymized by ZachXBT using timing analysis, which traced the source of funds back to an unknown Bitcoin service.

The hackers are active only during a certain time window and go completely dark outside of that period. The time window lines up with daytime in North Korea. Furthermore, they have not even attempted to contact WazirX about the hack.

Considering all these details, it is very likely that the hackers belong to the Lazarus Group from North Korea.

The blame game

What follows are my personal spicy opinions, so please take them with a grain of salt.

Soon after the hack, both WazirX and Liminal started blaming each other. It’s disappointing to see such accusations flying when both parties were partially at fault. They should have resolved these issues privately and presented a united front to the public. The blame game is damaging both of their reputations.

Both companies have bent the truth in their public statements to shift blame onto the other party. However, I must admit that WazirX was relatively more professional and handled public communication better. WazirX tried to state only the facts and do a thorough investigation before making public statements, but the pressure built by the public and the accusations from Liminal made them respond aggressively as well.

Hours after the hack, Liminal tweeted that “all the malicious transactions to the attacker’s addresses have occurred from outside of the Liminal platform.” This statement is misleading because the malicious upgrade transaction was signed and executed by their signer. The transaction bypassed their firewall, undermining the whole purpose of their product.

Liminal (falsely) claiming that the malicious transactions occurred outside their platform.

Liminal’s further public statements are also self-contradictory. For example, they claim that for the first two malicious signatures, Liminal rejected them on the backend and made users sign again because the signatures included malicious payloads. That’s good. However, why did Liminal accept the third malicious signature and let the bad USDT transaction go public? What was different between this third signature and the first two? You can derive a lot of theories from this. Perhaps the third signer was compromised differently from the first two?

WazirX made significant mistakes by not having proper security measures and a secure custody setup in the first place. They put too much trust in Liminal and did not conduct their own checks. In a future blog post, I will discuss how to manage multisigs properly. At Polygon Labs, we have stricter security policies even for multisigs handling five thousand dollars, let alone a quarter of a billion dollars. My best advice to WazirX is to immediately hire a dedicated senior blockchain security engineer.

The conclusion

Innocent users of WazirX got crushed by the hack

Innocent users have lost money while both WazirX and Liminal are having a public spat. Both of them are partially at fault and should own up to their mistakes rather than fighting in public, trying to defend themselves with false claims.

It’s ironic that both WazirX and Liminal are blaming each other, and the public is joining in, instead of focusing on the real culprits—the hackers who stole the funds. Both WazirX and Liminal are victims in this hack. The primary focus should be on preventing further damage and ensuring the hackers are brought to justice, rather than pointing fingers at one another.

WazirX is currently working on a plan to help the users and restore the platform and I’m hoping they’ll make a full recovery but it’ll take time.
