en
Back to the list

Liminal says infrastructure was not responsible for WazirX hack, blames compromised devices

source-logo  cryptoslate.com 19 July 2024 22:01, UTC

Multiparty computation (MPC) wallet provider Liminal said its infrastructure remains safe and was not compromised in the recent hack of India-based crypto exchange WazirX.

The firm made the statement in its post-mortem report on July 19. The report attributes the breach to compromised devices within WazirX’s network, clarifying that Liminal’s user interface (UI) was not responsible.

The exchange had earlier stated that the attack occurred due to a discrepancy between the data displayed on Liminal’s interface and the actual contents of the transactions. WazirX said its private keys were secured with hardware wallets.

Liminal’s post-mortem

According to Liminal, the July 18 breach, which resulted in an estimated $235 million loss, occurred because three of WazirX’s devices were compromised.

Liminal explained that its multi-signature wallet system was configured to provide a fourth signature if three valid signatures were received from WazirX. This setup allowed the attacker to exploit the compromised devices.

Liminal’s report detailed that the attack began when one of WazirX’s compromised devices initiated a legitimate transaction involving Gala Games tokens (GALA). Liminal’s server verified the transaction’s validity by issuing a “safeTxHash.” However, the attacker replaced this hash with an invalid one, causing the transaction to fail.

According to the firm:

“The fact that the attacker could alter the hash suggests that WazirX’s device was compromised before the transaction attempt.”

The report explained that the compromised devices at WazirX provided legitimate transaction details, which the attacker manipulated. In each of the three initial transactions, the attacker used different WazirX admin accounts, leading to transaction failures due to signature mismatches.

The attacker then extracted the signatures from these failed transactions to initiate a new, fourth transaction, which was crafted to appear legitimate to Liminal’s system.

Because this fourth transaction used valid details and the nonce from a previously failed transaction, it was approved by Liminal’s server, resulting in the transfer of funds from the multisig wallet to the attacker’s Ethereum account.

Refuting WazirX claims

Liminal refuted the exchange’s claims that its servers caused incorrect information to be displayed, asserting that the compromised WazirX devices sent malicious payloads. The firm said:

“Given that three devices of the victim’s shared transactions sent out malicious payloads to Liminal’s server, we have reason to believe that the local machines were compromised.”

The MPC provider highlighted that its system automatically provides the final signature once the required number of valid signatures is received from the client.

In this instance, the transaction was authorized by three WazirX employees. The multisig wallet, as per the exchange’s configuration, was deployed and imported into Liminal’s system at WazirX’s request.

However, the post-mortem report leaves some critical questions unanswered, including how the attacker initially gained access to the three WazirX devices. Liminal suggested that a sophisticated man-in-the-middle (MIM) attack or similar client-side compromise is likely responsible.

WazirX said in its post-mortem that despite the use of robust security measures — including hardware wallets and a whitelist for destination addresses — the attacker managed to breach these defenses in a “force majeure event.”

The exchange has yet to publicly address the Liminal’s findings and did not respond to a request for comment as of press time. WazirX’s last update on the matter stated that it has reached out to law enforcement and is pursuing “additional legal actions.”

It added that the immediate plan of action is to trace the stolen funds and conduct a “deeper analysis” of the breach in concert with forensic experts to recover the customer funds.

cryptoslate.com