Multi-party computation (MPC) wallet provider Liminal released a July 19 post-mortem report on the WazirX hack from the previous day, claiming that its UI was not responsible for the attack. According to the report, the hack occurred because three WazirX devices were compromised.Â
Liminal also claimed that its multi-signature wallet was set up to provide a fourth signature if WazirX provided the other three. This meant the attacker only needed to compromise three devices to perform the attack. The wallet was set up this way at the behest of WazirX, the wallet provider claimed.
In a July 18 social media post, WazirX claimed that its private keys were secured with hardware wallets. WazirX said the attack âstemmed from a discrepancy between the data displayed on Liminal's interface and the transaction's actual contents.â
According to the Liminal report, one of WazirXâs devices initiated a valid transaction involving the Gala Games (GALA) token. In response, Liminalâs server provided a âsafeTxHash,â verifying the transactionâs validity. However, the attacker then replaced this transaction hash with an invalid one, causing the transaction to fail.
In Liminalâs view, the fact that the attacker was able to change this hash implies that WazirXâs device had already been compromised before the transaction was attempted.
The attacker then initiated an additional two transactions; one GALA and one Tether (USDT) transfer. In each of these three transactions, the attacker used a different WazirX admin account, for a total of three accounts used. All three of the transactions failed.
After initiating these three failed transactions, the attacker extracted signatures from the transactions and used them to initiate a new, fourth transaction. The fourth transaction âwas crafted in such a way that the fields used to verify policies were using legit transaction detailsâ and âused the Nonce from the failed USDT transaction because that was the latest transaction.â
Because it used these âlegit transaction details,â the Liminal server approved the transaction and provided a fourth signature. As a result, the transaction was confirmed on the Ethereum network, resulting in a transfer of funds from the joint multisig wallet to the attackerâs Ethereum account.
Liminal denied that its servers caused incorrect information to be displayed through the Liminal UI. Instead, it claimed that the incorrect information was provided by the attacker, who had compromised WazirX computers. In an answer to the posed question, âHow did the UI show a different value from the actual payload within the transaction?â Liminal said:
âBased on our logs, given that three devices of the victimâs shared transactions sent out malicious payloads to Liminalâs server, we have reason to believe that the local machines were compromised giving the attacker complete access to modify the payloads and display misleading transaction details on the UI.â
Liminal also claimed that its servers were programmed to automatically provide a fourth signature if WazirX admins provided the other three. âLiminal only provides the final signature once the required number of valid signatures are received from the clientâs side,â it stated, adding that in this case âthe transaction was authorised and signed by three of our clientâs employees.â
The multisig wallet âwas deployed by WazirX as per their configuration well before onboarding with Liminal,â and was âimportedâ into Liminal âper WazirXâs request.â
Related: WazirX breach post-mortem: Dismantling the $230M attack
WazirXâs post claimed that it had implemented ârobust security features.â For example, it had required that all transactions be confirmed by four out of five keyholders. Four of these keys belonged to WazirX employees and one to the Liminal team. In addition, it required three of the WazirX keyholders to use hardware wallets. All destination addresses were required to be added to a whitelist ahead of time, WazirX stated, which was âearmarked and facilitated on the interface by Liminal.â
Despite taking all of these precautions, the attacker âappear[s] to have possibly breached such security features, and the theft occurred.â WazirX called the attack a âa force majeure event beyond [its] control.â Even so, it vowed that it was âleaving no stone unturned to locate and recover the funds.â
An estimated $235 million was lost in the WazirX attack. It was the largest centralized exchange hack since the DMM exploit of May 31, which resulted in even greater losses of $305 million.
Magazine: WazirX hackers prepped 8 days before attack, swindlers fake fiat for USDT: Asia Express