Multiparty computation (MPC) technology provider Liminal has released a July 19 post-mortem report on the July 18 WazirX hack, disputing the exchange’s claim that its user interface was responsible for the attack.
According to Liminal's report, the hack occurred because three WazirX devices were compromised. The devices were used to initiate transactions that were then modified by the attacker before being sent to Liminal's servers for approval.
Liminal also claimed that its multisignature wallet was set up to provide a fourth signature if WazirX provided the other three. This meant that the attacker only needed to compromise three devices to perform the attack. The wallet was set up this way at the behest of WazirX, the wallet provider claimed.
In a July 18 social media post, WazirX claimed that its private keys were secured with hardware wallets. However, WazirX said the attack “stemmed from a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents.”
According to the Liminal report, one of WazirX’s devices initiated a valid transaction involving the Gala Games (GALA) token. In response, Liminal’s server provided a “safeTxHash,” verifying the transaction's validity. However, the attacker then replaced this transaction hash with an invalid one, causing the transaction to fail.
In Liminal’s view, the fact that the attacker was able to change this hash implies that the WazirX device had already been compromised before the transaction was attempted.
The attacker then initiated an additional two transactions: one GALA and one Tether (USDT) transfer. In each of these three transactions, the attacker used a different WazirX admin account, for a total of three accounts used. All three of the transactions failed.
After initiating these three failed transactions, the attacker extracted signatures from the transactions and used them to initiate a new, fourth transaction. The fourth transaction “was crafted in such a way that the fields used to verify policies were using legit transaction details” and “used the Nonce from the failed USDT transaction because that was the latest transaction.”
Because it used these “legit transaction details,” the Liminal server approved the transaction and provided a fourth signature. As a result, the transaction was confirmed on the Ethereum network, resulting in a transfer of funds from the joint multisig wallet to the attacker’s Ethereum account.
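The gap described above, approving on one set of fields while the signatures cover another payload, can be shown in a simplified model. This is an added example, not Liminal's or WazirX's code: HMAC-SHA256 stands in for the signers' real signatures, SHA-256 over JSON stands in for the safeTxHash, and all keys, addresses and function names are constructed for illustration.

```python
import hashlib, hmac, json

# Constructed demo values. HMAC-SHA256 stands in for the per-signer signatures
# of a real multisig, and SHA-256 over JSON for the safeTxHash.
SIGNER_KEYS = {"admin1": b"key-1", "admin2": b"key-2", "admin3": b"key-3"}
WHITELIST = {"0xWHITELISTED"}
REQUIRED_CLIENT_SIGS = 3

def tx_hash(payload):
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).digest()

def sign(signer, payload):
    return hmac.new(SIGNER_KEYS[signer], tx_hash(payload), hashlib.sha256).digest()

def policy_ok(fields):
    return fields["to"] in WHITELIST

def cosign_naive(req):
    # Weak: policy runs on client-supplied summary fields; signatures are only counted.
    return policy_ok(req["policy_fields"]) and len(req["signatures"]) >= REQUIRED_CLIENT_SIGS

def cosign_bound(req):
    # Hardened: policy runs on the payload that will execute, and each signature
    # must verify over the hash recomputed from that same payload.
    payload = req["payload"]
    if not policy_ok(payload):
        return False
    valid = sum(
        1 for signer, sig in req["signatures"].items()
        if signer in SIGNER_KEYS and hmac.compare_digest(sig, sign(signer, payload))
    )
    return valid >= REQUIRED_CLIENT_SIGS

def make_request(payload, policy_fields, signed_payload):
    sigs = {s: sign(s, signed_payload) for s in SIGNER_KEYS}
    return {"payload": payload, "policy_fields": policy_fields, "signatures": sigs}

legit = {"to": "0xWHITELISTED", "token": "USDT", "nonce": 7}
swapped = {"to": "0xNOT_WHITELISTED", "token": "USDT", "nonce": 7}

honest = make_request(legit, legit, legit)
mismatched = make_request(swapped, legit, swapped)  # policy fields differ from payload
replayed = make_request(legit, legit, swapped)      # signatures cover another payload

if __name__ == "__main__":
    for name, req in [("honest", honest), ("mismatched", mismatched), ("replayed", replayed)]:
        print(name, "naive:", cosign_naive(req), "bound:", cosign_bound(req))
```

The naive co-signer approves all three requests, while the bound co-signer approves only the one where the policy fields, the executed payload and the signed hash are the same object.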
Liminal denied that its servers caused incorrect information to be displayed through the Liminal UI. Instead, it claimed that the incorrect information was provided by the attacker, who had compromised WazirX computers. In an answer to the posed question “How did the UI show a different value from the actual payload within the transaction?” Liminal said:
Liminal also claimed that its servers were programmed to automatically provide a fourth signature if WazirX admins provided the other three. “Liminal only provides the final signature once the required number of valid signatures are received from the client’s side,” it stated, adding that in this case, “the transaction was authorised and signed by three of our client’s employees.”
The multisig wallet “was deployed by WazirX as per their configuration well before onboarding with Liminal,” and was “imported” into Liminal “per WazirX's request.”
WazirX’s post claimed that it had implemented “robust security features.” For example, it had required that all transactions be confirmed by four out of five keyholders. Four of these keys belonged to WazirX employees and one to the Liminal team. In addition, it required three of the WazirX keyholders to use hardware wallets. All destination addresses were required to be added to a whitelist ahead of time, WazirX stated, which was “earmarked and facilitated on the interface by Liminal.”
Despite taking all of these precautions, the attacker “appear[s] to have possibly breached such security features, and the theft occurred.” WazirX called the attack “a force majeure event beyond [its] control.” Even so, it vowed that it was “leaving no stone unturned to locate and recover the funds.”
An estimated $235 million was lost in the WazirX attack. It was the largest centralized exchange hack since the DMM exploit of May 31, which resulted in even greater losses of $305 million.