Crypto Exchange Security Breach Analysis: Coincover Shares Lessons from $230 Million WazirX Hack

One of India’s largest and most prominent crypto exchanges, WazirX, experienced a damaging security breach in July of this year. Judging from WazirX’s online and social media activity, the issue still does not appear to be resolved. Digital assets firm Coincover noted in a blog post that hackers were able to exploit vulnerabilities in the virtual currency exchange’s security systems. This reportedly allowed them to steal more than $230 million worth of crypto, representing more than 45% of the exchange’s total reserves.

Coincover further noted in its analysis of the incident that, two months after the hack, the attackers used Tornado Cash, a privacy tool often used by criminals to hide suspicious transactions, to “launder most of the stolen funds.”

Coincover also mentioned in its latest analysis that the breach began when the hackers exploited a vulnerability in one of WazirX’s multi-sig wallets.

Coincover further explained that the digital currency exchange’s wallets are managed via Liminal, a digital asset custody platform, using Gnosis Safe, which is said to be a “widely used” smart contract-based multi-sig wallet.

Coincover pointed out that despite a multi-sig setup requiring six signatures, five from WazirX and one from Liminal, the attacker “manipulated and took control of the wallet’s data.”

Coincover also noted that initial investigations into the security breach identified that the transaction data and information “displayed on Liminal’s interface did not match up as they were supposed to.”

Coincover added that the discrepancy meant the attacker could bypass the exchange’s multi-sig setup and “seize control of the wallet even though there is an allowlist policy that is supposed to limit transactions to pre-approved addresses.”

Coincover further explained in its analysis that because multi-sig wallets require several approvals for each transaction, they are often “known to provide strong security.”

Despite this, Coincover pointed out that even the most secure systems can be exposed to risks if “flaws or insufficient oversight exist.”

According to Coincover’s blog post, this hack has raised some “questions about the security of users’ assets on centralized exchanges.”

As stated in the update from Coincover, the stolen funds amounted “to $102 million in SHIB tokens, $52.6 million in Eth, $11 million in Matic, and $7.6 million in Pepe tokens.”

Blockchain analysis firms involved in the investigation found that “most stolen assets were converted into ETH.”

Coincover argued that having its service integrated into WazirX’s security strategy could have added several “layers of protection to help mitigate the attack.”

Coincover claims that it carries out “extensive due diligence” on any wallet service provider it supports.

Coincover also shared that this involves setting up their own wallets on their platform, thoroughly reviewing security protocols, and “completing a risk review to ensure best practices.”

Coincover’s client tech due diligence process includes a “detailed review of the transaction authorisation procedures.” The company claims it would likely have identified the exploitable vulnerabilities in WazirX’s signing process and platform configuration, preventing the attacker from “exploiting those gaps.”

Coincover’s AssetCOVER product provides per-transaction limit rules, usually set lower than the large-scale transactions seen during this hack.

Its monitoring system flags such suspicious activity, triggering a ‘RED’ response code.

In this instance, a warning would have alerted WazirX to the issue, “allowing them to stop the transaction before the breach occurred.”

Coincover also stated in its detailed analysis that if WazirX had escalated the transaction for further review based on its RED alert, the attacker would have “needed to compromise both Liminal and Coincover to move the funds successfully.”
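As an added illustration of the two controls the article describes (re-checking the payload that signers actually approve against what the interface displayed, and allowlist plus per-transaction limit rules that escalate to a RED code), the following example code is not Coincover’s, Liminal’s or WazirX’s own; the addresses, the 50 ETH limit and the `review` function are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed policy values (hypothetical, not any real exchange's settings).
ALLOWLIST = {"0xa11ce000000000000000000000000000000000a1"}   # pre-approved destinations
PER_TX_LIMIT_WEI = 50 * 10**18                                # 50 ETH per transaction
CALL = 0                                                      # Safe operation codes: 0 = CALL, 1 = DELEGATECALL


@dataclass(frozen=True)
class SafeTx:
    """The fields of a Safe transaction that signers actually approve (simplified)."""
    to: str
    value_wei: int
    data_hex: str
    operation: int

    def digest(self) -> str:
        # Canonical hash over the real fields, so the check never trusts a UI-rendered summary.
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


def review(displayed: SafeTx, submitted: SafeTx) -> tuple[str, list[str]]:
    """Independent policy check: returns ('GREEN', []) or ('RED', findings)."""
    findings = []
    if displayed.digest() != submitted.digest():
        findings.append("payload submitted for signing differs from what the interface displayed")
    if submitted.to.lower() not in ALLOWLIST:
        findings.append("destination is not on the allowlist")
    if submitted.value_wei > PER_TX_LIMIT_WEI:
        findings.append("value exceeds the per-transaction limit")
    if submitted.operation != CALL:
        findings.append("non-CALL operation requires manual escalation")
    return ("RED" if findings else "GREEN"), findings


# Constructed sample: the interface shows a routine allowlisted 1 ETH transfer, but the
# payload actually handed to the signers points elsewhere and carries a far larger value.
DISPLAYED = SafeTx(to="0xa11ce000000000000000000000000000000000a1", value_wei=10**18, data_hex="0x", operation=CALL)
SUBMITTED = SafeTx(to="0xbad0000000000000000000000000000000000bad", value_wei=60 * 10**18, data_hex="0x", operation=CALL)

if __name__ == "__main__":
    code, why = review(DISPLAYED, SUBMITTED)
    print(code, *why, sep="\n  ")
```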

Coincover pointed out that the security of an exchange’s assets is the key to “upholding a trusted reputation.”

Without additional security measures, exchanges like WazirX are “at risk of attacks.”

Coincover also noted that when they do happen, retrieving assets is “a slow and lengthy process, and funds aren’t guaranteed to be returned.”

Coincover explained that this can be costly for exchanges in monetary, operational and reputational terms, so “preventing these attacks is vital to an exchange’s efficiency and success.”
