🚨 Who Should Be Blamed For WazirX Hack
On July 18, 2024, WazirX, an Indian exchange, suffered a hack resulting in the loss of over $230 million of client assets. This incident has brought to light various issues following an investigation by a pseudonymous blockchain analyst, Boring Sleuth, who uncovered flawed security measures and deceptive practices by WazirX.
#### Misleading Multi-Sig Security Claims
WazirX asserted that transactions in their multi-sig wallet required three signatures from WazirX executives and final approval from Liminal. However, it was found that four out of six approved addresses were needed for a transaction, indicating either misinformation or a lack of understanding of their own security protocols.
#### Compromised Multi-Sig Setup
Further investigation revealed that four out of the five multi-sig addresses were set up and funded by a single entity. This centralization contradicted the multi-sig goal of decentralizing control, thereby increasing vulnerability.
#### Binance Connection
Historical on-chain data showed that WazirX’s main exchange address was previously linked to Binance, raising questions about its legitimacy and affiliation with Binance.
#### Ignored Warnings
On July 6, twelve days before the hack, Boring Sleuth highlighted vulnerabilities in similar multi-sig setups in various Layer 2 solutions, including WazirX. Despite the warnings, no action was taken to address these issues.
#### Deflecting Blame
WazirX attempted to place the blame on Liminal, which managed only one of the six signatures, while the remaining five were controlled by WazirX. This deflection appeared unconvincing and further eroded trust in the exchange.
The investigation by Boring Sleuth has revealed numerous security vulnerabilities and a potential for dishonesty at WazirX. It is now the exchange’s responsibility to address these issues, restore user confidence, and ensure the safe return of funds.