Key takeaways
- Crypto hacks have been a common occurrence in web3 for years.
- The WazirX hack on July 18 has led to the loss of $230 million.
- The attack occurred on one of its multisig wallets.
- The WazirX bounty incentivises the white hat community to come forward to help recover the stolen funds.
- WazirX has also unveiled a withdrawal strategy for its users, with two options for everyone.
- As the biggest crypto hack in India, the WazirX hack serves as a wake-up call for raising security standards in the web3 space.
The crypto ecosystem in India recently faced a major setback in the WazirX hack, which has raised concerns about the entire industry. While crypto hacks have occurred globally in the past, the WazirX hack is the first of this magnitude in India. According to an official post by WazirX, one of the multisig wallets of the crypto exchange lost $230 million to a cyber attack. That’s $230 million of customer funds.
In this blog, we will walk through how the attack unfolded, cover the latest updates, and explain how such crypto hacks generally occur.
What are crypto hacks?
With the emergence of Bitcoin in 2009, numerous crypto tokens and other digital assets were created on various blockchain networks. A number of crypto exchanges also came into being, where these digital assets could be traded. However, with a sharp rise in the popularity of crypto came scams and attacks on the sector, known as crypto hacks.
Hackers staging these attacks on blockchain projects attempt to steal funds, and the resulting losses have amounted to millions. Loopholes in smart contracts and phishing attacks aimed at the private keys of crypto wallets are among the most common ways through which the biggest crypto hacks occur.
Crypto hacks can generally be categorised into:
- Bridge attacks: These attacks occur on token bridges, which facilitate the transfer of digital assets from one blockchain to another. The Wormhole Bridge attack is an example of this kind of crypto hack.
- Exchange hacks: As the name suggests, these attacks involve crypto exchanges, which are widely used by investors worldwide for trading and investing. The Mt. Gox hack has been one of the biggest crypto hacks on exchanges.
- Wallet hacks: A crypto hack can be termed a wallet hack if wallets holding crypto tokens or digital assets are compromised by hackers during an attack.
The recent WazirX hack in India in 2024 may be an instance of both a wallet hack and an exchange hack; we’re yet to fully understand the details. Let's explore this in detail.
How did the WazirX Hack occur?
WazirX is one of the most prominent crypto exchanges in India, with over 15 million users. The news of the crypto hack on the platform on July 18, 2024, made headlines across the crypto space. Within hours, WazirX published a press release highlighting the details of the hack.
Crypto exchanges usually engage a custodian that uses a combination of hot and cold wallets to secure user deposits. A small percentage of funds that are required to process user deposits are stored in hot wallets, whereas most funds are stored in cold multisig or warm MPC wallets. Multisig wallets require two or more private keys to sign a transaction, depending on the configuration. For example, the WazirX cold multisig wallet that was hacked was a 3-of-5 wallet, requiring at least three out of five private keys to sign any given transaction.
Liminal, a digital asset infrastructure and custody solutions provider, was an additional signatory of the affected multisig wallet.
WazirX used the Gnosis Safe smart contract platform and Liminal's whitelisting policy to secure users’ funds in the multisig wallet. The whitelisting policy includes a set of pre-approved destination addresses where funds from the wallet could be sent. Separately, just a month ago, the exchange had published a Proof of Reserves report, stating its total holdings at INR 4203.88 crores with sufficient liquidity to meet withdrawal demands.
What happened on July 18?
On July 18, WazirX claimed the hack occurred on one of its multisig wallets, which had six signatories, one from Liminal and five from WazirX. The exchange said that a transaction from the wallet required three signatories from WazirX to approve it, apart from a final approval from Liminal.
Apparently, the data shown on Liminal's interface and the data in the actual transaction did not match. Hackers replaced the payload (the transmitted data) of the transaction with a malicious one to gain control of the transaction. This was also confirmed by a press release from Liminal.
At the same time, Liminal underlined that its infrastructure was not breached and that devices at WazirX were compromised. Meanwhile, in a report published on July 25, WazirX denied a compromise on their end. With contradictory statements from both, it is yet to be confirmed whether the breach was on Liminal's side, WazirX's side, or both.
WazirX has also touched upon the likelihood of the Lazarus Group, a group of hackers from North Korea, being involved in the attack. The latest report also notes that 45% of crypto assets of WazirX were affected by the attack.
Mudit Gupta, the Chief Information Security Officer at Polygon Labs, took to social media and claimed that the hackers had breached the wallet 8 days prior to the attack and started ‘practising’ it onchain. Since draining the wallet required multiple transactions and a lot of time as well, the hackers instead upgraded the multisig wallet to a malicious one on July 10.
Out of four private keys to the wallet, two signatures were likely phished with a compromise in the wallet, while the hackers directly compromised the other two keys to create a malicious smart contract.
Gupta explained that the hackers phished the two signatures by tricking two signers into signing a fake USDT transfer. The transaction obviously failed, but the hackers got hold of the two required signatures. With the other two keys that they compromised directly, the hackers successfully executed the hack.
WazirX, however, denied that a breach occurred on July 10 and stated that they had not signed any malicious transaction on that day.
Have the stolen funds from the WazirX hack been traced?
Popular crypto news sites have reported that the majority of the funds, comprising tokens like SHIB, MATIC, and others, have been converted into ETH. Hence, over $200 million worth of the stolen funds from WazirX are currently in ether, according to the reports. $57 million worth of this ether has also reportedly been transferred to two new wallet addresses.
The WazirX Bounty
The WazirX hack has prompted the exchange to announce a White Hat Recovery Bounty of up to $23 million (amounting to 10% of the full recovery of the hack) to recover the stolen funds. Any intelligence leading to the freezing of the funds would also attract rewards of up to 10,000 USDT. Over 830 white hat hackers have shown interest in helping recover the funds. Moreover, the crypto exchange has filed the necessary complaints with law enforcement agencies and has continued to provide regular updates on its own investigation through its blog.
User withdrawals
As of July 27, 2024, WazirX has launched a withdrawal strategy for all their users. According to the withdrawal management program, users are presented with two options.
Option A allows users to hold or trade their assets once trading resumes on the platform. They will also get first priority to the recovered funds, if any, in the future. However, they would not be able to withdraw their holdings. The only way for them to withdraw their holdings is to switch to option B, but they then lose their priority for the recovered funds.
Option B allows users to hold, trade, and also withdraw their assets once the platform enables it. But they will get second priority to any recovered funds. To get first priority to any recovered funds, they would have to shift to option A.
The catch is that, irrespective of the option they choose, users will only be able to access 55% of their tokens. On the other hand, INR funds will be fully withdrawable under both options. The remaining 45% of each user's tokens will be locked in equivalent values of USDT.
WazirX stated they made the decision to convert 45% of all users' tokens to USDT to combat volatility during the period of recovery planning. Nonetheless, this decision has become a point of contention across the crypto space since even users whose holdings weren't affected by the hack are subjected to it.
A few drawbacks of this withdrawal strategy of WazirX have emerged:
- The exchange did not halt trading until July 21, even after the hack. Several users sold their holdings at a loss. These users can now withdraw 100% of their INR funds, but those who did not sell their assets in that period will still have 45% of their assets locked in USDT.
- A potential 1% TDS and 30% tax on gains on 45% of the user portfolio will be levied, since it will be auto-converted to USDT.
- The 55% of tokens that users who select option B can withdraw will also be subject to daily limits and cannot be withdrawn in one go.
What does the WazirX hack mean for other crypto exchanges and for the Indian web3 space?
The WazirX hack, as one of the biggest crypto hacks, may influence regulatory authorities and crypto enthusiasts in India to take cognizance and raise concerns for the web3 industry on aspects of security and regulation. Crypto exchanges across the world may also take note of the incident and invest in better security infrastructure to protect user holdings.
WazirX has also noted the issue of ‘blind signing’ in multisig Ethereum wallets, where hardware wallets might not display the destination addresses of tokens. Issues like these may continue to emerge as the investigation unfolds.
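The payload mismatch described under "What happened on July 18?" and the blind-signing issue above both come down to a signer approving bytes that differ from what the screen showed. The following Python check is an added example, not code from WazirX, Liminal or Safe: it decodes the raw transaction a signer is asked to approve and compares it with the displayed intent and a destination allow-list. It assumes the intended action is a single ERC-20 transfer and goes slightly beyond the page by also checking the Safe operation type; the `SafeTx` and `shown` structures are hypothetical and all addresses are constructed.

```python
from dataclasses import dataclass

ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
CALL = 0  # Safe operation type: 0 = CALL, 1 = DELEGATECALL

@dataclass
class SafeTx:  # hypothetical subset of the fields a Safe owner signs over
    to: str
    value: int
    data: bytes
    operation: int

def encode_transfer(recipient: str, amount: int) -> bytes:
    """Build ERC-20 transfer calldata; used here only to construct sample input."""
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")

def decode_transfer(data: bytes):
    """Return (recipient, amount) if data is exactly one transfer call, else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER or any(data[4:16]):
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:], "big")

def check_before_signing(shown: dict, tx: SafeTx, allowlist: set) -> list:
    """List every way the raw payload departs from the displayed intent or policy."""
    problems = []
    if tx.operation != CALL:
        problems.append("operation is not a plain CALL")
    if tx.to.lower() != shown["token"].lower():
        problems.append("target differs from displayed token contract")
    if tx.value != 0:
        problems.append("unexpected native value attached")
    decoded = decode_transfer(tx.data)
    if decoded is None:
        return problems + ["calldata is not an ERC-20 transfer"]
    recipient, amount = decoded
    if recipient != shown["recipient"].lower():
        problems.append("recipient differs from displayed recipient")
    if amount != shown["amount"]:
        problems.append("amount differs from displayed amount")
    if recipient not in {a.lower() for a in allowlist}:
        problems.append("recipient is not on the allow-list")
    return problems

# Constructed sample values, not real addresses.
TOKEN, TREASURY, OTHER = ("0x" + b * 20 for b in ("11", "22", "33"))
SHOWN = {"token": TOKEN, "recipient": TREASURY, "amount": 1_000_000}
honest = SafeTx(TOKEN, 0, encode_transfer(TREASURY, 1_000_000), CALL)
swapped = SafeTx(OTHER, 0, bytes.fromhex("deadbeef"), 1)
if __name__ == "__main__":
    print(check_before_signing(SHOWN, honest, {TREASURY}))
    print(check_before_signing(SHOWN, swapped, {TREASURY}))
```

A check like this is only useful if it runs on a device independent of the interface that rendered the transaction, since a compromised front end can misreport both the display and the check.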
The WazirX hack holds key lessons for all stakeholders in the web3 space. From investors in crypto to exchanges, the importance of security protocols has been made evident by this incident. From a user's perspective, choosing a crypto exchange or a wallet with the highest security and transparency standards has become essential for the safe storage of their funds in case of a crypto hack.
Disclaimer: The information provided in this blog is based on publicly available information and is intended solely for personal information, awareness, and educational purposes and should not be considered as financial advice or a recommendation for investment decisions. We have attempted to provide accurate and factual information, but we cannot guarantee that the data is timely, accurate, or complete. India Crypto Research or any of its representatives will not be liable or responsible for any losses or damages incurred by the Readers as a result of this blog. Readers of this blog should rely on their own investigations and take their own professional advice.