According to ChainCatcher, Beosin Alert's monitoring detected an attack on the Indian exchange WazirX. The attacker obtained signature data from the administrator of the exchange's multi-signature wallet, changed the wallet's logic contract, and caused the wallet to execute incorrect logic in order to steal assets.

Attacker address: 0x6eedf92fb92dd68a270c3205e96dccc527728066
Attacked address: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4

Based on the attacker's behavior, the suspected cause is a leak of the private key of the multi-signature wallet's administrator. Beosin's brief analysis of the attack is as follows:

1. The attacker deploys the attack contract: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4. This contract's function is to extract the token assets specified in it.
2. The attacker obtains signature data from the administrator of the WazirX multi-signature wallet and changes the wallet's logic contract to the deployed attack contract. The corresponding transaction is:
https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d
3. The attacker submits a token withdrawal transaction to the WazirX multi-signature wallet. Because the wallet uses the proxy pattern, the wallet contract uses delegatecall to call the corresponding functions of the attack contract, which transfers the wallet's tokens out.
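
A monitoring check for the logic-contract swap described in step 2, added here as an example and not taken from Beosin or WazirX: it watches the storage word that holds a proxy wallet's logic-contract address, alerts when that address changes, and blocks co-signing of withdrawals once it leaves an approved set. The addresses, block numbers and function names are constructed, and the code assumes the storage words are read with `eth_getStorageAt` from whichever slot the wallet's proxy uses.

```python
# Added example. Addresses, block numbers and storage words are constructed.
GOOD = "0x" + "11" * 20       # hypothetical audited logic contract
UNKNOWN = "0x" + "ee" * 20    # hypothetical address nobody approved
APPROVED_LOGIC = {GOOD}

def pad(addr):
    """Left-pad a 20-byte address to the 32-byte word a storage slot holds."""
    return "0x" + "00" * 12 + addr[2:]

def word_to_address(word_hex):
    """Extract the address held in a 32-byte storage word."""
    raw = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(raw) != 32:
        raise ValueError("storage word must be exactly 32 bytes")
    if any(raw[:12]):
        raise ValueError("slot does not hold a bare address")
    return "0x" + raw[12:].hex()

def detect_logic_changes(snapshots, approved=APPROVED_LOGIC):
    """snapshots: (block, storage_word) pairs in ascending block order.
    Returns one alert per change of the logic-contract pointer."""
    alerts, previous = [], None
    for block, word in snapshots:
        current = word_to_address(word)
        if current == previous:
            continue
        severity = "info" if current in approved else "critical"
        # The first reading is only reported when it is already unapproved.
        if previous is not None or severity == "critical":
            alerts.append({"block": block, "old": previous,
                           "new": current, "severity": severity})
        previous = current
    return alerts

def withdrawals_allowed(snapshots, approved=APPROVED_LOGIC):
    """Signing-service gate: co-sign only while the latest pointer is approved."""
    return bool(snapshots) and word_to_address(snapshots[-1][1]) in approved

# Constructed readings: the pointer is swapped at block 102.
SAMPLE = [(100, pad(GOOD)), (101, pad(GOOD)),
          (102, pad(UNKNOWN)), (103, pad(UNKNOWN))]

if __name__ == "__main__":
    for alert in detect_logic_changes(SAMPLE):
        print(alert)
    print("withdrawals allowed:", withdrawals_allowed(SAMPLE))
```

An approved upgrade still produces an `info` alert, so every change of the pointer leaves a record even when it is expected.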

Flow chart of the stolen funds. So far, the hacker has transferred part of the funds to the ChangeNOW and Binance exchanges.