Lessons from the WazirX hack
India’s largest cryptocurrency exchange, WazirX, suffered a major security breach in July 2024. Hackers exploited vulnerabilities in the exchange’s security systems, stealing over $230 million worth of cryptocurrency, representing over 45% of its total reserves. Two months after the hack, they used Tornado Cash, a privacy tool often used by criminals to obscure suspicious transactions, to launder most of the stolen funds.
What happened during the WazirX hack?
The breach began when the hackers exploited a vulnerability in one of WazirX's multi-sig wallets. The exchange's wallets are managed through Liminal, a digital asset custody platform, using Gnosis Safe, a widely used smart contract-based multi-sig wallet. Despite using a multi-sig system with six signatures, five from WazirX and one from Liminal, the attacker manipulated and took control of the wallet’s data.
Initial investigations into the breach found that the transaction data did not match the information displayed on Liminal’s interface. This discrepancy meant the attacker could bypass the exchange’s multi-sig setup and seize control of the wallet, even though an allowlist policy was supposed to limit transactions to pre-approved addresses.
Because multi-sig wallets require several approvals for a transaction, they are generally regarded as providing strong security. Even so, the most secure systems can be exposed to risk if flaws or insufficient oversight exist. This hack has raised questions about the security of users’ assets on centralised exchanges.
The stolen funds amounted to $102 million in SHIB tokens, $52.6 million in ETH, $11 million in MATIC, and $7.6 million in PEPE tokens. Blockchain analysis firms involved in the investigation found that most of the stolen assets were converted into ETH.
How could the WazirX hack have been prevented?
Having CoinCover integrated into WazirX’s security strategy could have added several layers of protection to help mitigate the attack. CoinCover conducts extensive due diligence on any wallet service provider we support. This involves setting up our own wallets on their platform, thoroughly reviewing security protocols, and completing a risk review to ensure best practices.
CoinCover’s client tech due diligence process includes a detailed review of the transaction authorisation procedures. We would likely have identified the exploitable vulnerabilities in WazirX’s signing process and platform configuration, preventing the attacker from exploiting those gaps.
CoinCover’s AssetCOVER product provides per-transaction limit rules, usually set well below the size of the transactions seen during this hack. Our monitoring system would flag such suspicious activity and trigger a ‘RED’ response code. In this instance, a warning would have alerted WazirX to the issue, allowing it to stop the transaction before the breach occurred. Had WazirX escalated the transaction for further review based on our RED alert, the attacker would have needed to compromise both Liminal and CoinCover to move the funds successfully.
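As an added illustration (not code from CoinCover, Liminal or Safe), this is the kind of independent pre-signing check that addresses the two failures described above: a payload whose contents differ from what the custody interface displays, and a transfer that leaves the allowlist or exceeds a per-transaction limit. The addresses, limit and payload are constructed sample values, and the check only understands a plain ERC-20 transfer; anything else is refused rather than signed blind.

```python
from dataclasses import dataclass

# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 transfer selector
ERC20_TRANSFER_SELECTOR = "a9059cbb"

@dataclass
class DisplayedTx:
    """What the custody UI shows the signer (constructed sample fields)."""
    to: str          # token contract the signer believes is being called
    recipient: str   # recipient shown in the UI
    amount: int      # amount shown in the UI, in token base units

def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """Build raw ERC-20 transfer calldata (used here only to construct samples)."""
    return "0x" + ERC20_TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_erc20_transfer(calldata: str):
    """Return (recipient, amount) from raw transfer calldata, or None if it is not one."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    return "0x" + data[8 + 24:8 + 64], int(data[8 + 64:], 16)

def check_before_signing(displayed: DisplayedTx, raw_to: str, raw_calldata: str,
                         allowlist: list, per_tx_limit: int):
    """Re-derive what will actually be signed from the raw payload and compare it
    with the UI and the wallet policy. Returns ('GREEN', []) or ('RED', [reasons])."""
    decoded = decode_erc20_transfer(raw_calldata)
    if decoded is None:
        return "RED", ["calldata is not a plain ERC-20 transfer; refuse to sign blind"]
    recipient, amount = decoded
    reasons = []
    if raw_to.lower() != displayed.to.lower():
        reasons.append("target contract in payload differs from UI")
    if recipient != displayed.recipient.lower():
        reasons.append("recipient in payload differs from UI")
    if amount != displayed.amount:
        reasons.append("amount in payload differs from UI")
    if recipient not in {a.lower() for a in allowlist}:
        reasons.append("recipient is not on the pre-approved allowlist")
    if amount > per_tx_limit:
        reasons.append("amount exceeds the per-transaction limit")
    return ("RED", reasons) if reasons else ("GREEN", reasons)

# Constructed sample: the UI shows a small transfer to an allowlisted address ...
TOKEN = "0x" + "aa" * 20
ALLOWLIST = ["0x" + "11" * 20]
LIMIT = 1_000 * 10**18
shown = DisplayedTx(to=TOKEN, recipient=ALLOWLIST[0], amount=500 * 10**18)
# ... while the payload actually moves a large amount to an address not on the allowlist.
tampered = encode_erc20_transfer("0x" + "ee" * 20, 5_000_000 * 10**18)

if __name__ == "__main__":
    print(check_before_signing(shown, TOKEN, tampered, ALLOWLIST, LIMIT))
```

Running the module prints a RED result with four reasons for the tampered payload; a payload that matches the UI, stays on the allowlist and respects the limit returns GREEN.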
The security of an exchange’s assets is the key to upholding a trusted reputation. Without additional security measures, exchanges like WazirX are at risk of attacks. When they do happen, retrieving assets is a slow and lengthy process, and funds aren’t guaranteed to be returned. This can be costly for exchanges in monetary, operational and reputational terms, so preventing these attacks is vital to an exchange’s efficiency and success.
To learn more about how CoinCover can help you secure your assets, speak to our sales team at sales@coincover.com.