Rob Behnke
July 23rd, 2024
In July 2024, Indian crypto exchange WazirX experienced a cyberattack in which attackers compromised one of the exchange’s wallets. Nearly $235 million was stolen in this breach.
On the surface, the WazirX hack might look like a classic CEX hack. Many such hacks have occurred in recent months, and they generally involve a hot wallet that failed to follow wallet security best practices.
However, according to WazirX, the company went above and beyond common security practices. These included:
Multisig wallet: The compromised Ethereum wallet was a Gnosis Safe multisig wallet using a 4 of 6 signature scheme. Five of these keys were held by WazirX, while the sixth was controlled by Liminal’s digital asset custody and wallet infrastructure service. The malicious transaction was signed using three WazirX keys and the Liminal key.
Address Whitelisting: The multisig wallet was configured with a whitelist in the Liminal interface, so the WazirX team could initiate transactions only to these whitelisted addresses.
Hardware wallets: The WazirX signing keys were stored on Ledger hardware wallets. This makes it much harder for an attacker to steal a key than if it were kept in a software wallet or another less secure storage solution.
All of these factors would make an attack much more difficult to carry out. The attacker would need to trick four signers from two organizations to approve the transaction and bypass the whitelist to send the crypto to an attacker-controlled address.
The attack began with the attacker replacing the logic of WazirX’s multisig wallet with a malicious smart contract that the attacker had deployed eight days earlier. By doing so, they bypassed both the multisig and the whitelist, allowing them to send funds wherever they wanted.
However, this switch required the approval of three WazirX accounts and the Liminal signer. The attacker allegedly accomplished this by taking advantage of discrepancies between how a transaction appeared in the Liminal interface and the actual transaction data. This discrepancy allowed the attacker to submit a transaction that appeared benign — causing the four parties to sign it — while including the malicious payload.
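The lesson of this sequence is that a signer must compare the transaction data it is about to sign against what the custody interface displays, rather than trusting the display. The following Python script is an added example, not code from Halborn, WazirX or Liminal, showing the independent pre-signing checks a signer could run over a proposed Safe transaction: it decodes a plain ERC-20 transfer from the calldata, checks the real recipient against the whitelist, flags a DELEGATECALL operation or a call into the Safe itself (the two ways a Safe's own logic, owners or threshold get changed), and reports any field where the raw data disagrees with the UI summary. The field names follow Safe's execTransaction parameters; the addresses, the UI summaries and the unrecognised payload are constructed placeholders.

```python
"""Independent pre-signing checks for a Safe (Gnosis Safe) multisig transaction.

Added example. It compares the raw transaction a signer is asked to approve
with the summary a custody UI shows, and flags anything that would let a
"benign-looking" transaction change the wallet or move funds elsewhere.
All addresses and sample transactions below are constructed placeholders.
"""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1              # Safe's Enum.Operation values
ERC20_TRANSFER_SELECTOR = "a9059cbb"   # first 4 bytes of keccak("transfer(address,uint256)")

# Constructed placeholder addresses (not real contracts).
SAFE_ADDRESS = "0x" + "5a" * 20
TOKEN = "0x" + "70" * 20
WHITELISTED = "0x" + "a1" * 20
UNKNOWN_CONTRACT = "0x" + "ba" * 20


@dataclass
class SafeTx:
    to: str          # target contract or account, 0x-prefixed hex
    value: int       # wei sent with the call
    data: bytes      # calldata
    operation: int   # 0 = CALL, 1 = DELEGATECALL


@dataclass
class UiSummary:
    recipient: str   # what the custody interface tells the signer
    amount: int


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """Build transfer(address,uint256) calldata: selector + two 32-byte ABI words."""
    addr_word = bytes(12) + bytes.fromhex(recipient[2:])      # address right-aligned in 32 bytes
    return bytes.fromhex(ERC20_TRANSFER_SELECTOR) + addr_word + amount.to_bytes(32, "big")


def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) if data is exactly an ERC-20 transfer call, else None."""
    if len(data) != 4 + 32 + 32 or data[:4].hex() != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[16:36].hex()          # last 20 bytes of the first word
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def audit_safe_tx(tx: SafeTx, ui: UiSummary, safe_address: str, whitelist) -> list:
    """Return a list of findings; an empty list means the raw data matches the UI and policy."""
    findings = []
    allowed = {a.lower() for a in whitelist}

    if tx.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code runs in the Safe's own storage context")
    if tx.to.lower() == safe_address.lower():
        findings.append("target is the Safe itself: can change owners, threshold, modules or implementation")

    # Work out where value actually goes, from the data rather than from the UI.
    transfer = decode_erc20_transfer(tx.data)
    if transfer:
        actual_recipient, actual_amount = transfer
    else:
        actual_recipient, actual_amount = tx.to, tx.value
        if tx.data:
            findings.append("non-empty calldata is not a recognised ERC-20 transfer")

    if actual_recipient.lower() not in allowed:
        findings.append(f"recipient {actual_recipient} is not on the whitelist")
    if actual_recipient.lower() != ui.recipient.lower():
        findings.append(f"UI shows recipient {ui.recipient} but data pays {actual_recipient}")
    if actual_amount != ui.amount:
        findings.append(f"UI shows amount {ui.amount} but data moves {actual_amount}")
    return findings


def demo_benign() -> list:
    """A real ERC-20 transfer to a whitelisted address that matches the UI: no findings."""
    tx = SafeTx(to=TOKEN, value=0, data=encode_erc20_transfer(WHITELISTED, 1_000 * 10**6), operation=CALL)
    ui = UiSummary(recipient=WHITELISTED, amount=1_000 * 10**6)
    return audit_safe_tx(tx, ui, SAFE_ADDRESS, [WHITELISTED])


def demo_mismatch() -> list:
    """UI claims a whitelisted transfer; the raw payload is a DELEGATECALL into an unknown contract."""
    tx = SafeTx(to=UNKNOWN_CONTRACT, value=0, data=bytes.fromhex("deadbeef"), operation=DELEGATECALL)
    ui = UiSummary(recipient=WHITELISTED, amount=1_000 * 10**6)
    return audit_safe_tx(tx, ui, SAFE_ADDRESS, [WHITELISTED])


if __name__ == "__main__":
    for name, result in (("benign", demo_benign()), ("mismatch", demo_mismatch())):
        print(name, "->", "OK" if not result else "")
        for line in result:
            print("   !", line)
```

The point of the design is that every check runs on the bytes the hardware wallet will actually sign, so a discrepancy between interface and payload surfaces before the fourth signature is produced, whichever vendor's UI presented the request.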
The WazirX hack demonstrates the complexity of securing Web3 projects against attack. On paper, WazirX’s security strategy checked all of the boxes, going above and beyond what many exchanges implement. Even so, the exchange still fell victim to a hack of nearly $235 million.
This incident demonstrates the importance of holistic security audits that extensively test every aspect of a security program, rather than assuming that controls such as multisig and hardware wallets will work as intended. To learn more about protecting your project, get in touch with Halborn.