Liminal blames compromised WazirX devices for hack, says UI not responsible
Multiparty computation (MPC) wallet provider Liminal released a post-mortem report on July 19, stating that its user interface was not responsible for the July 18 WazirX hack. According to the report, the hack happened because three WazirX devices were compromised.
Liminal also said the multi-signature wallet was configured so that Liminal provides a fourth signature once WazirX provides the other three. This means the attacker only needed to compromise three devices to carry out the attack. The wallet was set up this way at WazirX's request, the wallet provider said.
In a social media post on July 18, WazirX said its private keys were protected by hardware wallets. WazirX said the attack “stems from a mismatch between the information displayed on the Liminal interface and the actual content of the transaction.”
According to Liminal's report, one of WazirX's devices initiated a legitimate transaction involving the Gala Games (GALA) token. In response, the Liminal server provided a “safeTxHash” to verify the transaction's authenticity. However, the attacker replaced this transaction hash with an invalid one, causing the transaction to fail.
In Liminal's view, the attacker's ability to change this hash indicates that the WazirX device was compromised before the transaction was attempted.
The attacker then initiated two more transactions: one GALA transfer and one USDT transfer. For each of the three transactions, the attacker used a different WazirX admin account, three accounts in total. All three transactions failed.
After these three failed transactions, the attacker extracted the signatures from them and used them to initiate a fourth, new transaction. The fourth transaction was possible because “Fields used to validate policies are using valid transaction details” and “The most recent transaction used nonce from a failed USDT transaction.”
Because it saw these “legitimate transaction details”, the Liminal server approved the transaction and provided the fourth signature. As a result, the transaction was confirmed on the Ethereum network, transferring funds from the shared multisig wallet to the attacker's Ethereum account.
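The failure mode described above is that the co-signing server validated policy against one set of transaction details while the client signatures covered a different payload, and that signatures from failed attempts could be replayed under a reused nonce. The following is an added illustration, not code from Liminal, WazirX or the report: a hypothetical co-signer in Python with a weak version beside a hardened one. It substitutes SHA-256 over canonical JSON for a Safe-style transaction hash and HMAC for hardware-wallet ECDSA signatures, and every key, address and amount is a constructed placeholder.

```python
import hashlib
import hmac
import json

# Constructed sample material: placeholder keys and addresses, not values
# from WazirX, Liminal or the incident.
DEVICE_KEYS = {"admin1": b"device-key-1", "admin2": b"device-key-2", "admin3": b"device-key-3"}
WHITELIST = {"0xWHITELISTED-DESTINATION"}
REQUIRED_CLIENT_SIGS = 3


def tx_hash(details: dict) -> str:
    """Stand-in for a Safe-style transaction hash: SHA-256 over canonical JSON."""
    return hashlib.sha256(json.dumps(details, sort_keys=True).encode()).hexdigest()


def device_sign(device: str, digest: str) -> str:
    """Stand-in for a hardware-wallet signature (HMAC here instead of ECDSA)."""
    return hmac.new(DEVICE_KEYS[device], digest.encode(), "sha256").hexdigest()


def count_valid_sigs(digest: str, signatures: dict) -> int:
    """Number of known devices whose signature verifies against `digest`."""
    return sum(1 for dev, sig in signatures.items()
               if dev in DEVICE_KEYS and hmac.compare_digest(device_sign(dev, digest), sig))


def policy_ok(details: dict) -> bool:
    """Whitelist policy: the destination must be pre-approved."""
    return details["to"] in WHITELIST


def naive_cosign(request: dict) -> bool:
    """Weak co-signer: evaluates policy on the details it is shown, but verifies
    the client signatures against a hash the client supplied. Nothing ties the
    two together, and nonces are never tracked."""
    if not policy_ok(request["details"]):
        return False
    return count_valid_sigs(request["safe_tx_hash"], request["signatures"]) >= REQUIRED_CLIENT_SIGS


class HardenedCosigner:
    """Co-signer that recomputes the hash from the details it validates and
    burns the nonce of any attempt that carried a valid quorum, even one it
    then rejects on policy."""

    def __init__(self):
        self.seen_nonces = set()

    def cosign(self, request: dict):
        details = request["details"]
        digest = tx_hash(details)  # never trust a client-supplied hash
        if request["safe_tx_hash"] != digest:
            return False, "signed hash does not match the details being validated"
        if count_valid_sigs(digest, request["signatures"]) < REQUIRED_CLIENT_SIGS:
            return False, "client quorum not met"
        if details["nonce"] in self.seen_nonces:
            return False, "nonce already used by an earlier attempt"
        self.seen_nonces.add(details["nonce"])  # burn before the policy decision
        if not policy_ok(details):
            return False, "destination not whitelisted"
        return True, "approved"


def build_request(shown: dict, signed: dict) -> dict:
    """Client side: devices sign the hash of `signed`; the server is shown `shown`."""
    digest = tx_hash(signed)
    return {"details": shown, "safe_tx_hash": digest,
            "signatures": {d: device_sign(d, digest) for d in DEVICE_KEYS}}


def run_scenarios() -> dict:
    good = {"to": "0xWHITELISTED-DESTINATION", "token": "TOKEN-A", "amount": 100, "nonce": 7}
    bad = {"to": "0xATTACKER-CONTROLLED", "token": "TOKEN-A", "amount": 100, "nonce": 7}
    bad8 = dict(bad, nonce=8)
    good8 = dict(good, nonce=8)
    honest = build_request(good, good)
    mismatched = build_request(good, bad)   # displayed details differ from what was signed
    hardened = HardenedCosigner()
    return {
        "naive_honest": naive_cosign(honest),
        "naive_mismatched": naive_cosign(mismatched),               # approved: the flaw
        "hardened_mismatched": hardened.cosign(mismatched)[0],      # rejected on hash binding
        "hardened_honest": hardened.cosign(honest)[0],
        "hardened_replay": hardened.cosign(honest)[0],              # nonce 7 already burned
        "hardened_failed_attempt": hardened.cosign(build_request(bad8, bad8))[0],  # policy reject
        "hardened_after_failed": hardened.cosign(build_request(good8, good8))[0],  # nonce 8 burned
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'approved' if outcome else 'rejected'}")
```

The two checks that matter are recomputing the transaction hash from the exact details the policy engine evaluates, so a signature can only ever be accepted over what was validated, and recording a nonce as soon as a valid quorum of signatures over it has been seen, so that signatures collected from a failed attempt cannot be presented again later.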
Liminal denied that its servers caused false information to be displayed in the Liminal UI. Instead, it said, the misleading information was produced by the attacker who had compromised WazirX's computers. In response to the question “How did the UI show a different price than the actual payload in the transaction?”, Liminal said:
“Based on our logs, we have reason to believe that three of the victim's co-transaction devices sent a malicious payload to the Liminal server to modify the attacker's payload and display misleading transaction details on the UI.”
Liminal said its servers are programmed to submit the fourth signature only after WazirX administrators submit the other three. “Liminal provides the final signature only after the required valid signature is received from the client,” it explained.
The multisig wallet was “deployed by WazirX as configured prior to onboarding with Liminal” and was imported into Liminal “at WazirX's request.”
WazirX's post said it had implemented “robust security features.” For example, it required all transactions to be authorised by four of the five key holders. Four of these keys belonged to WazirX staff and one belonged to the Liminal team. Additionally, three of the WazirX key holders were required to use hardware wallets. All destination addresses were required to be added to a pre-approved whitelist, WazirX explained, which was “facilitated by Liminal at the interface.”
Despite all these precautions, the attacker appears to have breached these security features, and the theft occurred. WazirX called the attack a “force majeure event” beyond [its] “control”, but even so promised to leave no stone unturned to find and recover the funds.
An estimated $235 million was lost in the WazirX attack, making it the largest centralized exchange hack since the May 31 DMM exploit, which caused $305 million in losses.