In one of the most significant cyberattacks of the year, WazirX, an Indian cryptocurrency exchange, lost over $230 million from a multisig wallet.
WazirX reported the attack on one of its multisig wallets, which has used Liminal’s digital asset custody and wallet infrastructure since February 2023.
The wallet had six signatories: one from Liminal and five from WazirX, ensuring secure transactions through the required multiple approvals.
The WasirX attack in detail
The wallet breach occurred due to discrepancies between the data displayed on Liminal’s interface and the actual transaction contents.
During the attack, the payload was replaced, allowing the hacker to gain control of the multisig wallet and steal funds held within it.
Despite the use of security measures such as the Gnosis Safe multisig smart contract platform and a whitelisting policy, the attack was able to exploit these defenses.
The Liminal Custody team said in a statement to Cointelegraph that they confirm that Liminal’s platform was not breached and that its assets, wallets, and infrastructure remain safe.
“It is also pertinent to note that all WazirX wallets created on the Liminal platform continue to remain secure and protected. Meanwhile, all the malicious transactions to the attacker’s addresses have occurred from outside of the Liminal platform.”
India’s crypto regulation
Joanna Cheng, associate general counsel at Fireblocks, described India’s regulatory hurdles for crypto, noting an absence of specific guidelines for security measures, risk management, and consumer protection.
“There is no crypto-specific regulation in India so far [...] Regulatory intervention in this space would also mean that exchanges that service large numbers of retail customers are held accountable for their actions (or inaction).”
Due to a lack of a clear crypto regulatory framework, Indian Prime Minister Narendra Modi called for a global crypto framework in August 2023 at the G20 Summit.
Modi explained at the Summit that the nature of emerging technologies like blockchain and cryptocurrencies have a global impact and advocated for a comprehensive global framework for crypto regulation.
WazirX: Response and recovery
WazirX responded to the community on July 18 in an X post, outlining the details of the attack and assuring stakeholders that efforts are ongoing to retrieve the stolen assets.
The Indian firm described the attack as “a force majeure event” and explained that, despite taking “all necessary steps to protect the customer assets,” the theft still occurred.
Cheng discussed WazirX’s ability to invoke a force majeure clause, which typically excuses a party from fulfilling its contractual obligations due to unforeseen events.
“However, if it is found that the event is, in fact, foreseeable and could have been avoided or mitigated through reasonable measures, the clause cannot be invoked.”
The crypto exchange is currently working with cybersecurity teams to locate and recover the funds and has promised to keep the community “posted with further updates.”