Critical Analysis of the WazirX Hack: Lessons and Recommendations
Alert Raised by Cyvers

The recent hack on WazirX highlights several critical security lapses that allowed attackers to exploit vulnerabilities and compromise a multisig wallet, leading to a loss exceeding $230 million. Despite having robust security measures and a threshold of four signatures for transaction approval, the attackers succeeded by compromising just three devices. This incident reveals multiple gaps in both WazirX’s and Liminal’s security practices.

Key Security Gaps Identified:

1. Lack of Endpoint Monitoring:

WazirX either had no endpoint monitoring or had inadequate endpoint security enabled on employees' devices. Devices used for transaction signing should be hardened and kept separate from everyday workstations. They should run minimal software—just the OS and a browser. Tools like JumpCloud can facilitate endpoint monitoring and hardening and can enforce antivirus and system policies, such as controlling root-privilege access.

2. Risky Wallet Import Practices:

Liminal allowed the import of a wallet not created in their ecosystem. This is risky because keys might have been exposed before being onboarded into Liminal. It's essential to ensure all wallets and keys are generated and maintained within a secure, controlled environment.

3. Inadequate Hardware Security:

Securing $230 million with five Ledger devices worth INR 60K is insufficient. Ideally, cold wallets should use multiple Hardware Security Modules (HSMs), each costing about INR 10 lakh+, stored in bank vaults across different geographies. This setup ensures that hackers would need to breach multiple physical locations, increasing security. HSMs also offer address whitelisting capabilities that cannot be changed on the fly.

4. Misunderstanding of Cold Wallets:

True cold wallets are never connected to online systems. They use offline, air-gapped devices, and manual QR code communication for transactions. Any system connected to the internet is a hot or warm wallet. Fireblocks’ blog explains the distinctions well: hot wallets are efficient but vulnerable, cold wallets are secure but less convenient, and warm wallets offer a balance with human involvement required for transactions.

5. Poor Fund Distribution:

WazirX kept $230 million in a single wallet. Funds should be distributed across multiple wallets to minimize risk. Industry practice is to keep only a small percentage in hot (5-10%) and warm wallets (5-10%), with the majority in cold storage. According to WazirX’s proof of reserve, they had about $503.64 million, meaning 45% of assets were in a single, internet-accessible wallet—far too much for a supposed cold wallet.

6. Failure to Detect Malicious Transactions:

Liminal’s systems should have detected malicious behavior after multiple attempts with payload mismatches. Advanced AI capabilities can identify such patterns and immediately alert and freeze access for the affected employees.
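As an added illustration of the detection the paragraph calls for (this is example code, not anything from Liminal, WazirX or Cyvers), the rule below replays a constructed audit log in an assumed `<timestamp> signer=<id> event=<name>` format. It counts `payload_mismatch` events per signer inside a sliding window, raises an alert when the threshold is hit, and freezes that signer so any later activity from them is blocked rather than processed. The threshold and window are assumptions to be tuned per platform.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log sample in an assumed "<UTC timestamp> key=value ..." format;
# these are not real Liminal or WazirX log lines.
SAMPLE_LOG = """\
2024-07-18T10:00:01Z signer=alice event=sign_request
2024-07-18T10:00:02Z signer=alice event=payload_mismatch
2024-07-18T10:00:40Z signer=alice event=payload_mismatch
2024-07-18T10:01:15Z signer=bob event=sign_ok
2024-07-18T10:01:30Z signer=alice event=payload_mismatch
2024-07-18T10:02:00Z signer=alice event=sign_ok
2024-07-18T11:30:00Z signer=carol event=payload_mismatch
"""

MISMATCH_THRESHOLD = 3           # mismatches per signer ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window (assumed values)


def parse_line(line):
    """Split one log line into (timestamp, signer, event)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["signer"], kv["event"]


def detect_mismatch_bursts(log_text, threshold=MISMATCH_THRESHOLD, window=WINDOW):
    """Replay the log and return (alerts, frozen_signers).

    An alert is (timestamp, signer, message). A signer is frozen the moment
    `threshold` payload mismatches land inside `window`; every later event
    from a frozen signer is recorded as blocked instead of being processed.
    """
    recent = defaultdict(deque)   # signer -> timestamps of recent mismatches
    frozen = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, signer, event = parse_line(line)
        if signer in frozen:
            alerts.append((ts, signer, f"blocked {event}: signer is frozen"))
            continue
        if event != "payload_mismatch":
            continue
        hits = recent[signer]
        hits.append(ts)
        while ts - hits[0] > window:       # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= threshold:
            frozen.add(signer)
            alerts.append((ts, signer,
                           f"{len(hits)} payload mismatches within {window}; access frozen"))
    return alerts, frozen


if __name__ == "__main__":
    found, frozen_signers = detect_mismatch_bursts(SAMPLE_LOG)
    for ts, signer, msg in found:
        print(ts.isoformat(), signer, msg)
    print("frozen:", sorted(frozen_signers))
```

On the sample, alice trips the rule at her third mismatch and her later `sign_ok` is blocked; carol's single mismatch stays below the threshold. A real deployment would page an operator and revoke the signer's session at the same moment the freeze is recorded.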

7. Inadequate Transaction Policy Enforcement:

Liminal’s HSM signed a malicious transaction for a Safe wallet upgrade. This indicates a failure in the transaction policy enforcement. The attack involved automated steps, suggesting unauthorized access to devices. If an HSM signs transactions in real-time without intelligence checks, it cannot be considered cold custody.
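The following is an added example (not Liminal's policy engine or any code from the page) of the kind of intelligence check a signer or HSM should apply before producing a signature, covering both the fixed address whitelist from point 3 and the policy enforcement from point 7. It models a Safe-style `execTransaction` request with Safe's operation codes (0 = CALL, 1 = DELEGATECALL) and refuses to sign when the destination is off the whitelist, when the call is a DELEGATECALL (which executes foreign code against the wallet's own storage, one way a wallet's logic can be swapped out), when the wallet calls itself (how owner, threshold and similar configuration changes are routed), or when the value exceeds a per-transaction ceiling. The page does not say which mechanism the attackers used; the addresses, the ceiling and the `SafeTx`/`SigningPolicy` shapes are assumptions for the example.

```python
from dataclasses import dataclass

# Safe `execTransaction` operation codes (0 = CALL, 1 = DELEGATECALL).
CALL, DELEGATECALL = 0, 1


@dataclass(frozen=True)
class SafeTx:
    to: str            # destination address
    value_wei: int     # native value transferred
    data: str          # hex-encoded calldata ("0x" for a plain transfer)
    operation: int     # CALL or DELEGATECALL


@dataclass(frozen=True)
class SigningPolicy:
    wallet: str                       # address of the multisig being protected
    allowed_destinations: frozenset   # fixed whitelist, changed only out-of-band
    max_value_wei: int                # per-transaction ceiling


def evaluate(tx: SafeTx, policy: SigningPolicy):
    """Return (approved, reasons). Any reason means the signer must refuse to sign."""
    reasons = []
    to = tx.to.lower()
    if tx.operation != CALL:
        reasons.append("operation is DELEGATECALL: foreign code would run against the wallet's storage")
    if to == policy.wallet.lower():
        reasons.append("self-call to the wallet: configuration changes need out-of-band approval")
    elif to not in policy.allowed_destinations:
        reasons.append(f"destination {tx.to} is not on the fixed whitelist")
    if tx.value_wei > policy.max_value_wei:
        reasons.append(f"value {tx.value_wei} wei exceeds the ceiling of {policy.max_value_wei} wei")
    return (not reasons), reasons


# Constructed placeholder addresses; not the WazirX or Liminal addresses.
WALLET = "0x" + "a1" * 20
EXCHANGE_HOT = "0x" + "b2" * 20
UNKNOWN_CONTRACT = "0x" + "c3" * 20

POLICY = SigningPolicy(
    wallet=WALLET,
    allowed_destinations=frozenset({EXCHANGE_HOT.lower()}),
    max_value_wei=10 * 10**18,   # assumed ceiling: 10 ETH per transaction
)


def demo():
    """Evaluate three constructed requests against POLICY."""
    # 1. routine top-up of the whitelisted hot wallet: approved
    ok_tx = SafeTx(EXCHANGE_HOT, 5 * 10**18, "0x", CALL)
    # 2. delegatecall into an unknown contract: the shape of a logic "upgrade"
    upgrade_tx = SafeTx(UNKNOWN_CONTRACT, 0, "0x" + "00" * 36, DELEGATECALL)
    # 3. self-call: a configuration change routed through execTransaction
    selfcall_tx = SafeTx(WALLET, 0, "0x" + "00" * 36, CALL)
    return [evaluate(t, POLICY) for t in (ok_tx, upgrade_tx, selfcall_tx)]


if __name__ == "__main__":
    for approved, reasons in demo():
        print("APPROVE" if approved else "REFUSE", reasons)
```

The point of the whitelist being a `frozenset` baked into the policy object is the property the article attributes to HSM whitelisting: changing it is a separate, deliberate ceremony, not something a compromised signing device can do on the fly.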

8. Lack of Onchain Monitoring:

The hackers' activity went undetected for eight days due to inadequate onchain transaction monitoring. Continuous monitoring of onchain interactions is crucial. The first interaction with a sanctioned protocol like Tornado Cash should have triggered alerts and deeper inspection. The hack was eventually identified by Cyvers, not by WazirX or Liminal. Onchain monitoring of wallet health and reputation should be a key responsibility of any crypto security team.
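As an added example of the onchain monitoring this point describes (illustrative code, not Cyvers', WazirX's or Liminal's tooling), the monitor below replays a constructed stream of transfers from a custody wallet and raises three kinds of alert: a payment to a new, never-seen counterparty; an outflow volume inside a time window that exceeds a share of the wallet's balance; and any hop into a sanctioned address. It follows funds one hop, so the later move from the receiving address into a sanctioned contract is still attributed to the custody wallet. The addresses, amounts, the 5% share and the one-hour window are all assumptions; the sanctioned set is a placeholder for a real screening list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    usd: float


def monitor(transfers, custody_wallet, sanctioned, known_counterparties,
            balance_usd, max_outflow_share=0.05, window=timedelta(hours=1)):
    """Replay transfers in time order and return a list of (timestamp, rule, detail).

    Rules: SANCTIONED_COUNTERPARTY, NEW_COUNTERPARTY, OUTFLOW_VELOCITY.
    Funds are followed one hop: an unknown address that receives from a
    watched address becomes watched too, so a later hop into a sanctioned
    contract is still attributed to the custody wallet.
    """
    custody = custody_wallet.lower()
    sanctioned = {a.lower() for a in sanctioned}
    known = {a.lower() for a in known_counterparties}
    seen = set(known)             # counterparties already vetted or already alerted on
    watched = {custody}           # addresses whose outflows we inspect
    recent_outflows = []          # custody-wallet outflows inside the window
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        src, dst = t.src.lower(), t.dst.lower()
        if src not in watched:
            continue
        if dst in sanctioned:
            alerts.append((t.ts, "SANCTIONED_COUNTERPARTY", dst))
        elif dst not in seen:
            alerts.append((t.ts, "NEW_COUNTERPARTY", dst))
        seen.add(dst)
        if dst not in known:
            watched.add(dst)      # follow unknown recipients one hop further
        if src == custody:
            recent_outflows.append(t)
            recent_outflows = [x for x in recent_outflows if t.ts - x.ts <= window]
            total = sum(x.usd for x in recent_outflows)
            if total > max_outflow_share * balance_usd:
                alerts.append((t.ts, "OUTFLOW_VELOCITY", round(total)))
    return alerts


# Constructed placeholders: not real addresses and not the WazirX transactions.
CUSTODY = "0x" + "c0" * 20
KNOWN_HOT = "0x" + "11" * 20       # vetted hot wallet that receives routine top-ups
ATTACKER = "0x" + "ee" * 20        # never-seen recipient
MIXER = "0x" + "bad0" * 10         # stands in for a sanctioned mixer contract

SAMPLE_TRANSFERS = [
    Transfer(datetime(2024, 7, 18, 6, 0), CUSTODY, KNOWN_HOT, 1_000_000),     # routine
    Transfer(datetime(2024, 7, 18, 7, 0), CUSTODY, ATTACKER, 50_000_000),     # drain
    Transfer(datetime(2024, 7, 19, 9, 0), ATTACKER, MIXER, 2_000_000),        # laundering hop
    Transfer(datetime(2024, 7, 19, 9, 30), KNOWN_HOT, ATTACKER, 10_000),      # not watched
]


def demo():
    """Run the monitor over the constructed sample with an assumed $230M balance."""
    return monitor(SAMPLE_TRANSFERS, CUSTODY, {MIXER}, {KNOWN_HOT}, balance_usd=230_000_000)


if __name__ == "__main__":
    for ts, rule, detail in demo():
        print(ts.isoformat(), rule, detail)
```

On the sample the drain fires both the new-counterparty and the velocity rule at the moment it happens, and the mixer deposit a day later fires the sanctioned-counterparty rule; each of those is a point where a team running its own monitoring would have been alerted rather than learning of the incident from a third party.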

Conclusion:

Hindsight is 20/20, but it’s crucial that we learn from this incident and emerge stronger. I support all users impacted by this breach and those facing an uncertain future. Remember: not your keys, not your coin.

Akash, Founder at Kahu Labs

Kahu Labs is a tech startup with deep expertise in Blockchain and Cybersecurity. Our team has identified security vulnerabilities in several prominent companies. We remain committed to enhancing the security landscape for digital assets.

If you need help with your cybersecurity assessment or cold custody needs, reach out to us at [email protected].

#WazirX #CyberSecurity #Blockchain #DigitalAssets #CryptoSecurity #NotYourKeysNotYourCoin

Kudos to the WazirX team for taking immediate action and being transparent about the breach. This case study is a must-read for everyone.

Ashwin Rathod

CEO | Co-Founder | International Speaker | USPTO granted patents | Healthcare | Blockchain and Web3 | Generative Algorithms | Zk-proofs | Marketplaces

4 months

Amazing insights, Akash Mishra!