The WazirX breach exposed vulnerabilities in Multisig wallets despite strict security measures, with hackers exploiting data discrepancies.
WazirX, an Indian cryptocurrency exchange, suffered one of the year’s largest assaults, losing nearly $230 million from a multisig wallet. WazirX claimed an attack on one of its multisig wallets, which had been using Liminal’s digital asset custody and wallet infrastructure since February 2023. The wallet featured six signatures, one from Liminal and five from WazirX, which ensured safe transactions by requiring numerous approvals.
The wallet breach occurred as a result of differences between the data provided on Liminal’s interface and the actual transaction contents.
During the attack, the payload was altered, allowing the hacker to take control of the multisig wallet and steal the cash stored therein.
Despite the implementation of security precautions like the Gnosis Safe multisig smart contract platform and a whitelisting policy, the assault was able to overcome these safeguards. The Liminal Custody team confirmed that Liminal’s platform was not penetrated and that its funds, wallets, and infrastructure are safe.
“It is also pertinent to note that all WazirX wallets created on the Liminal platform continue to remain secure and protected. Meanwhile, all the malicious transactions to the attacker’s addresses have occurred from outside of the Liminal platform,” stated Liminal in its recent post.
WazirX replied to the community on July 18 with an X post that detailed the incident and assured stakeholders that efforts to recover the stolen assets are ongoing. The Indian corporation defined the incident as “a force majeure event” and stated that, despite taking “all necessary steps to protect the customer assets,” the theft occurred.
Cheng mentioned WazirX’s potential to utilize a force majeure provision, which normally excuses a party from performing contractual commitments due to unforeseeable circumstances. “However, if it is found that the event is, in fact, foreseeable and could have been avoided or mitigated through reasonable measures, the clause cannot be invoked,” he added.
The cryptocurrency exchange is presently collaborating with cybersecurity specialists to find and retrieve the assets and has pledged to keep the community “posted with further updates.”
In the meantime, Joanna Cheng, Associate General Counsel at Fireblocks, discussed India’s legislative challenges for cryptocurrency, including the lack of defined requirements for security measures, risk management, and consumer protection.
“There is no crypto-specific regulation in India so far […] Regulatory intervention in this space would also mean that exchanges that service large numbers of retail customers are held accountable for their actions (or inaction).”
Due to the lack of a clear crypto regulatory framework, Indian Prime Minister Narendra Modi proposed a worldwide crypto framework at the G20 Summit in August 2023. Modi emphasized at the Summit that emerging technologies such as blockchain and cryptocurrencies have a global influence and called for a comprehensive worldwide framework for crypto regulation.