MPC wallet provider Liminal recently stated that its infrastructure was not compromised during the hack of India-based crypto exchange WazirX. The firm released a detailed post-mortem report on July 19, attributing the breach to compromised devices within WazirX’s network. Liminal clarified in the report that its user interface (UI) was not responsible for the attack.
According to Liminal’s report, the $235 million loss occurred because three of WazirX’s devices were compromised. The firm’s multi-signature wallet system was set up to provide a fourth signature if three valid signatures were received from WazirX. This configuration allowed the attacker to exploit the compromised devices.
The attack began when one of WazirX’s compromised devices initiated a legitimate transaction involving Gala Games tokens (GALA). Liminal’s server issued a “safeTxHash” to verify the transaction’s validity. However, the attacker replaced this hash with an invalid one, causing the transaction to fail. This suggests that WazirX’s device was compromised before the transaction attempt.
The compromised devices at WazirX provided legitimate transaction details that the attacker manipulated. The attacker used different WazirX admin accounts in three initial transactions, leading to signature mismatches and transaction failures. The attacker then extracted signatures from these failed transactions to initiate a new, fourth transaction that appeared legitimate to Liminal’s system.
Liminal refuted WazirX’s claims that its servers caused incorrect information to be displayed, stating that the compromised devices sent malicious payloads. The firm’s system automatically provides the final signature once the required number of valid signatures is received from the client. The multisig wallet was deployed and imported into Liminal’s system at WazirX’s request.
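As an added illustration of the two points above (the signatures harvested from failed attempts, and a co-signer that signs automatically once enough valid client signatures arrive), the following constructed simulation is not code from Liminal, WazirX or the report. HMAC-SHA256 with a per-device secret stands in for a real device signature, and the keys, addresses and amounts are made up; it contrasts a co-signer that only counts valid signatures over the submitted hash with one that binds every signature to a one-shot, server-issued request id and a hash it computed itself.

```python
import hashlib, hmac, json

# Constructed simulation of the flow described above; HMAC-SHA256 with a
# per-device secret stands in for a device signature, all values are made up.
DEVICE_KEYS = {"admin1": b"key-1", "admin2": b"key-2", "admin3": b"key-3"}
THRESHOLD = 3  # client signatures needed before the provider adds its own

def safe_tx_hash(tx):
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def device_sign(signer, msg):  # a compromised device signs whatever it is handed
    return hmac.new(DEVICE_KEYS[signer], msg.encode(), "sha256").hexdigest()

def sig_valid(signer, msg, sig):
    return hmac.compare_digest(device_sign(signer, msg), sig)

def weak_cosign(claimed_hash, sigs):
    # Counts valid signatures over whatever hash the client submits; nothing
    # ties a signature to the request in which it was produced.
    return sum(sig_valid(s, claimed_hash, g) for s, g in sigs.items()) >= THRESHOLD

class HardenedCosigner:
    # One-shot request id per transaction; only signatures over (id, hash the
    # server computed itself) count, so leftovers from failed attempts are useless.
    def __init__(self):
        self.pending, self.last_id = {}, 0
    def propose(self, tx):
        self.last_id += 1
        self.pending[self.last_id] = safe_tx_hash(tx)
        return self.last_id, f"{self.last_id}:{self.pending[self.last_id]}"
    def cosign(self, rid, tx, sigs):
        expected = self.pending.pop(rid, None)  # pass or fail, the id is spent
        if expected is None or expected != safe_tx_hash(tx):
            return False
        msg = f"{rid}:{expected}"
        return sum(sig_valid(s, msg, g) for s, g in sigs.items()) >= THRESHOLD

def replay_attack():
    # Three attempts, one admin each, sign the attacker's hash and fail; a
    # fourth request then reuses all three harvested signatures.
    shown = {"token": "GALA", "to": "0xEXCHANGE", "amount": 1000}
    evil = {"token": "GALA", "to": "0xATTACKER", "amount": 1000}
    harvested = {s: device_sign(s, safe_tx_hash(evil)) for s in DEVICE_KEYS}
    weak_result = weak_cosign(safe_tx_hash(evil), harvested)
    hard, hard_harvested = HardenedCosigner(), {}
    for s in DEVICE_KEYS:  # the same three failed attempts against the hardened server
        rid, msg = hard.propose(shown)
        hard_harvested[s] = device_sign(s, msg.replace(safe_tx_hash(shown), safe_tx_hash(evil)))
        assert not hard.cosign(rid, shown, {s: hard_harvested[s]})
    rid, _ = hard.propose(evil)
    return weak_result, hard.cosign(rid, evil, hard_harvested)
```

The request-id binding defeats only the reuse of signatures from earlier failed attempts; it does not help once all three compromised devices sign the same live request, so device integrity and the co-signer's own independent checks on the transaction content remain the real control.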
Despite the detailed post-mortem report, critical questions remain unanswered, including how the attacker gained initial access to the three WazirX devices. Liminal suggested that a sophisticated man-in-the-middle (MITM) attack or a similar client-side compromise may be responsible. WazirX stated that it has contacted law enforcement and is pursuing additional legal action to trace the stolen funds, and that it is working with forensic experts on a deeper analysis of the breach in an effort to recover customer funds.