WazirX $235M Exploit
Investigation Highlights
Recently, WazirX, a prominent Indian cryptocurrency exchange, experienced a major security breach resulting in the theft of approximately $235 million worth of crypto assets. The hack targeted one of the exchange's multisig (multisignature) wallets. WazirX uses Liminal, a digital asset custody solution for institutions.
A multisig wallet is a type of cryptocurrency wallet smart contract that requires multiple private keys to authorize a transaction. This setup enhances security by ensuring that no single party has complete control over the wallet's funds. In the context of WazirX, their multisig wallet required signatures from three WazirX team members and one from Liminal to authorize transactions. This setup was meant to enhance security by distributing control among several parties.
The hackers exploited a flaw in the Liminal user interface, allowing them to compromise multiple signatures. This enabled them to perform an unauthorized code change to the smart contract controlling the wallet, ultimately draining the wallet of its funds.
In response to the attack, WazirX temporarily suspended withdrawals to prevent further losses and initiated an investigation into the incident. As of the writing of this report, the stolen funds account for over 45% of the exchange’s $500 million holdings reported in June.
The stolen assets included significant amounts of SHIB, ETH, MATIC, PEPE, USDT, and GALA. The hackers have already begun liquidating some of these assets, causing market disruptions, such as a notable drop in the price of SHIB.
How did this hack happen?
The root of this exploit lay in the hackers' ability to discover and/or phish most of the signatures needed to gain entry to WazirX's multisig wallet.
Initially the hackers were able to compromise the Liminal Custody UI. This allowed them to set up a normal-looking transaction for a USDT transfer on the website. However, in reality, the hackers were using this fraudulent transaction to steal the necessary signatures for the next stage of the attack.
The hackers were meticulous in their approach, using wallets funded via the Tornado Cash mixer to obscure any potential Know Your Customer (KYC) information that other exchanges might have on them. These newly created wallets were then used to deploy a malicious contract. The hackers then upgraded WazirX’s multisig wallet to their malicious contract, ultimately gaining control over the account. Once they had control, the hackers drained the wallet and began using various decentralized finance (DeFi) protocols to sell and swap the stolen tokens for ETH. This method not only facilitated the liquidation of the assets but also helped in further obfuscating the trail of the stolen funds.
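The fraudulent USDT transfer described above worked because signers relied on what the interface displayed. The following is an added example, not code from WazirX, Liminal or Blockscope: a signer-side check that decodes the raw payload and compares it with the displayed intent. The `operation` field (modelled on Safe-style multisigs), the class names and all addresses are assumptions constructed for illustration.

```python
# Added example: compare the raw payload a signer receives with what the UI shows.
# Every address and payload here is a constructed placeholder.
from dataclasses import dataclass

ERC20_TRANSFER = "a9059cbb"  # 4-byte selector of transfer(address,uint256)

@dataclass
class Intent:              # what the custody UI displays
    token: str
    recipient: str
    amount: int

@dataclass
class Payload:             # what the signer is actually asked to sign
    to: str
    value: int
    data: str              # hex calldata
    operation: int = 0     # assumption: Safe-style field, 0 = call, 1 = delegatecall

def mismatches(intent, p):
    """Return every way the raw payload differs from the displayed intent."""
    problems = []
    data = p.data.lower()
    data = data[2:] if data.startswith("0x") else data
    if p.operation != 0:
        problems.append("operation is not a plain call")
    if p.to.lower() != intent.token.lower():
        problems.append("target is not the displayed token contract")
    if p.value != 0:
        problems.append("native value attached to a token transfer")
    if data[:8] != ERC20_TRANSFER or len(data) != 8 + 128:
        problems.append("calldata is not transfer(address,uint256)")
        return problems
    if data[8:32].strip("0"):
        problems.append("non-zero padding before recipient")
    if "0x" + data[32:72] != intent.recipient.lower():
        problems.append("recipient differs from UI")
    if int(data[72:], 16) != intent.amount:
        problems.append("amount differs from UI")
    return problems

TOKEN, RECIPIENT, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SHOWN = Intent(TOKEN, RECIPIENT, 5_000_000)
HONEST = Payload(TOKEN, 0, "0x" + ERC20_TRANSFER + "00" * 12 + "22" * 20 + format(5_000_000, "064x"))
SWAPPED = Payload(OTHER, 0, "0xdeadbeef" + "00" * 32, operation=1)  # not what the UI shows

if __name__ == "__main__":
    for name, payload in (("honest", HONEST), ("swapped", SWAPPED)):
        print(name, mismatches(SHOWN, payload) or "matches displayed intent")
```

The check is only useful when it runs on a device and code path independent of the interface that rendered the transaction.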
Hack Breakdown & Timeline
July 10, 2024 - Between 2:28 AM and 2:41 AM ET
Address 0x6eedf92fb92dd68a270c3205e96dccc527728066 (WazirX Exploiter 0) funded from Tornado Cash 0.1 ETH Pool via 5 different transactions
Image 1 illustrates the transactions used to fund the WazirX hacker's wallet. The funds originated from Tornado Cash, a privacy protocol sanctioned by the U.S. in August 2022 due to its misuse for mixing tokens and facilitating money laundering. The use of Tornado Cash indicates nefarious behavior, as it likely served to obfuscate the source of the funds.
Image 2 indicates this wallet is funded by a Mixer, has high risk and was only active between July 10 and July 22. This address also has more than 100 interactions that took place within the 12 days.
July 10, 2024 - 3:37 AM ET
Exploit contract 0xfbffef83b1c172fe3bc86c1ccb036ab9f3efcaf2 (WazirX Exploit contract) created by ‘WazirX Exploiter 0’. A screenshot of this transaction is shown below.
July 18, 2024 - 2:17 AM ET
Transaction 0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d was triggered. This transaction allowed the exploiters to take control of the wallet’s smart contract code and upgrade it to an unauthorized contract (0xef279c2ab14960aa319008cbea384b9f8ac35fc6) with logic that was not intended by the WazirX or Liminal team. Note that there were two exploit smart contracts: one to upgrade the smart contract logic (ending in caf2) and another that contains the smart contract logic (ending in 5fc6).
Image 4 illustrates the individual steps (or sub-transactions) that took place in order to upgrade and inject the hacker’s contract 0xfbffef83b1c172fe3bc86c1ccb036ab9f3efcaf2 (as seen in the bottom right of the image) and get control of WazirX’s multisig wallet.
Executing this transaction successfully requires a majority of the signatories on the wallet, in this case 4 out of 6 signers. It is speculated that the hackers compromised two signatures and phished two more. For more details on the technical breakdown, please reach out at [email protected]
July 18, Between 2:19 AM ET - 3:32 AM ET
Wallet Draining - 199 token transfers were sent from WazirX’s multisig wallet to the exploiter wallet, totaling about 235M USD worth of tokens drained in just over an hour.
Image 5 demonstrates how Blockscope’s Entity Interaction Tool can be used to export every transaction between these 2 wallets. This makes it very easy for us to identify and extract all necessary interactions between the 2 entities thus helping find every token that was drained from the multisig wallet to the hacker’s wallet.
Further analyzing the data provided by the Entity Interaction tool, we see the top 5 tokens moved out make up about $180M USD worth. The remaining tokens make up the other 55M, which was about 194 other transactions.
| Token | Amount | USD value |
| --- | --- | --- |
| SHIB | 5,433,752,465,343.2161 SHIB | $102.1M USD |
| ETH | 15,298.1621 ETH | $52.5M USD |
| MATIC | 20,501,141.1328 MATIC | $11.2M USD |
| PEPE | 640,269,599,061.044 PEPE | $7.62M USD |
| USDT | 5,792,698.5554 USDT | $5.79M USD |
Table 1 shows some of the top tokens that were drained, the amount of each, and its USD value on the day of the hack.
Tracing Funds
Between July 18, 2024 and July 22, 2024, the exploiter started moving large amounts of tokens into different wallets. Using Blockscope’s Tracer tool we can start to see where funds are being moved and find all associated wallets involved.
Tracing $100M USD worth of SHIB
We started tracing the top tokens moving out from WazirX’s multisig into the exploiter. Since the amount of SHIB stolen was the largest, we start with this token.
The image below shows all the SHIB moving into another account, labeled by us as ‘WazirX Exploiter 2’.
Image 6 illustrates the 5.4 billion SHIB tokens and where they were moved. Blockscope’s Tracer tool lets us easily track the funds to their final destination.
Image 7 demonstrates the results if we continue to follow the SHIB tokens. We can see all the other associated accounts where this token was moved. Many of these wallets are currently still holding the SHIB, or have started using other services such as DeFi protocols to exchange the SHIB for different tokens.
We eventually follow the tracer to a point where these wallets are now using DeFi protocols like 1inch or Uniswap to move and swap SHIB into ETH. We can now utilize Blockscope’s Watchtower tool to further monitor these accounts for new transactions and get alerted when the funds move again.
Tracing $50M USD worth of ETH
We can apply the same strategy as above to track where the other tokens have been moved. Let's trace where the $50M worth of stolen ETH went. We quickly find the wallet that currently holds most of the stolen ETH. For whatever reason, the hackers have not moved the ETH out to other wallets or even attempted to send it out to mixers like Tornado Cash or other privacy-focused protocols that may obfuscate where these funds will go.
Almost all of the stolen 15K ETH worth about $50M USD remains in the wallet highlighted in green, as shown in Image 9.
Further analyzing the wallet (0x58d3b2fd2ce20a7149244d7e34d18b9b55448e7a) with $50M worth of ETH in Blockscope’s Wallet Profiler, we can see the user has not triggered any outbound transaction and still currently holds all the ETH they have received.
Continuing the Tracing
We can continue tracing all the other tokens that were stolen in a similar fashion and find a set of associated addresses that may help us track down additional information about the hackers.
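The hop-by-hop tracing described in this section can be expressed as a breadth-first walk over token transfers. The following is an added example, not Blockscope's Tracer implementation: it follows one token out of a source wallet, records where funds exit into labelled DeFi protocols without traversing the shared pool, and lists traced wallets that still hold the token. The transfer records and wallet labels are constructed placeholders.

```python
# Added example: breadth-first trace of one token through constructed transfers.
# Labels are placeholders, not addresses from the report.
from collections import deque, defaultdict

TRANSFERS = [  # (sender, receiver, token, amount), constructed sample data
    ("victim", "exploiter_a", "SHIB", 1000),
    ("victim", "exploiter_a", "ETH", 50),
    ("exploiter_a", "exploiter_b", "SHIB", 1000),
    ("exploiter_b", "tunnel_1", "SHIB", 600),
    ("exploiter_b", "tunnel_2", "SHIB", 400),
    ("tunnel_1", "dex_router", "SHIB", 600),
    ("dex_router", "unrelated_user", "SHIB", 600),  # must not be followed
    ("bystander", "tunnel_2", "SHIB", 5),            # unrelated inflow
]
OFFBOARD = {"dex_router"}  # assumption: addresses already labelled as DeFi protocols

def trace(transfers, source, token, min_amount=0):
    """Follow `token` out of `source`; return hop depth per wallet and exit totals."""
    out = defaultdict(list)
    for sender, receiver, tok, amount in transfers:
        if tok == token and amount >= min_amount:
            out[sender].append((receiver, amount))
    depth, offboarded = {source: 0}, defaultdict(int)
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        for nxt, amount in out[cur]:
            if nxt in OFFBOARD:
                offboarded[(cur, nxt)] += amount  # record the exit, skip the shared pool
                continue
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth, dict(offboarded)

def holders(transfers, wallets, token):
    """Net `token` balance per traced wallet (includes any unrelated inflows)."""
    balance = defaultdict(int)
    for sender, receiver, tok, amount in transfers:
        if tok == token:
            balance[sender] -= amount
            balance[receiver] += amount
    return {w: balance[w] for w in wallets if balance[w] > 0}

if __name__ == "__main__":
    depth, exits = trace(TRANSFERS, "victim", "SHIB")
    print(depth, exits, holders(TRANSFERS, depth, "SHIB"))
```

Stopping at protocol addresses matters: following transfers out of a router or pool would pull unrelated users into the cluster.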
Where are funds being Offboarded?
In our investigation we found the attackers have already used some of the most popular DeFi protocols and smart contracts to move and swap out tokens. Some of the protocols used are listed below. This is not an exhaustive list, only the most common protocols:
Uniswap V3
Cowswap
Kyber Swap
1inch
SushiSwap
In Image 11 above, we examine one of the exploiter's addresses we identified—0x6ea4cd20a0930eaf5b0bc097238ceaf9008703d5—using Tracer. By searching this address in the wallet profiler, we can see their primary interactions with various DeFi protocols, where they are exchanging stolen funds for other tokens. The address has numerous transactions with Sushiswap, Kyberswap, and Uniswap.
We can take all the associated addresses we have found so far using Blockscope’s Tracer tool and pull them into Blockscope’s Cohort Analyzer tool. This can give us all the relevant transactions amongst associated addresses. In the example below we will look at how the different WazirX hacker wallets we have discovered are all using 1Inch to swap out the stolen tokens.
In Image 12 above, we observe all outbound transactions from 1Inch to the various hacker wallets we have identified. Clicking on the edge will reveal the number of interactions. For instance, the image shows that there were 34 outbound transfers of different tokens between 1Inch and another WazirX hacker wallet. We can then use Blockscope’s Entity Interaction tool to locate all 34 of these transactions.
Confirming Associated Addresses
Tracing funds helps us find addresses that are used to move money around, and using heuristics and logic we can often deduce which addresses probably belong to the same entities. Another of Blockscope’s forensics tools, Cohort Analyzer, can take a set of addresses and find connections among them to help determine whether the addresses are likely associated.
In Image 13, we can see all the interactions between some of the addresses we discovered in this exploit. “WazirX Exploiter 1” drained the “WazirX Gnosis Safe” multisig wallet and moved all the funds to the “WazirX Exploiter 2” wallet. This wallet is the focus node in the image, and all its adjacent nodes have a blue border. Many of these addresses are moving tokens among each other.
List of Associated Addresses
The following is a non-exhaustive list based on Blockscope’s findings on other wallets belonging to the WazirX Hacker and other prominent contracts/addresses involved in this exploit.
WazirX Multisig Wallet (Victim)
Multisig account that was the victim of this attack
0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4
WazirX Exploiter 0
Account that was used to set up malicious contract
0x6eedf92fb92dd68a270c3205e96dccc527728066
WazirX Exploiter Contract
Contract deployed by WazirX Exploiter 0, to upgrade the smart contract logic of the multisig wallet
0xfbffef83b1c172fe3bc86c1ccb036ab9f3efcaf2
WazirX Exploiter Draining Logic Contract
Contract deployed by WazirX Exploiter 0 that contains actual fund draining logic
0xef279c2ab14960aa319008cbea384b9f8ac35fc6
WazirX Exploiter 1
Account that immediately received all the drained funds
0x04b21735e93fa3f8df70e2da89e6922616891a88
WazirX Exploiter 2
All 15k stolen ETH stored at this wallet
0x35febc10112302e0d69f35f42cce85816f8745ca
WazirX Exploiter 3 - ETH Holder
Received all the 5.4B stolen SHIB
0x361384e2761150170d349924a28d965f0dd3f092
WazirX Exploiter 4
Wallet used to swap stolen tokens into ETH using DeFi protocols
0x6ea4cd20a0930eaf5b0bc097238ceaf9008703d5
WazirX Exploiter 5
Wallet used to swap stolen tokens into ETH using DeFi protocols
0x1957a4c3d2edcb893c9b85833a417ea035d3aed7
WazirX Exploiter 6
Wallet holds about 2.6k ETH worth $9M USD, most of this ETH was gained by swapping other stolen tokens
0x668399a6604c41d46c81430e4dff71443d44efe6
WazirX Exploiter 7 - Tunnel Wallet
Wallet used to Tunnel stolen ANKR tokens
0xc63dd6d4efe063807a521ebcbff6c61cd786b2e9
WazirX Exploiter 8 - Tunnel Wallet
Wallet used to Tunnel stolen SHIB tokens
0x231e2547ca75b8f9e22be1b45845db07300cf9b4
WazirX Exploiter 9 - Offboarding Wallet
Wallet used to offboard stolen SHIB tokens using DeFi protocols
0x0cffef1c95e280abc2ff1c44693eee19de921093
WazirX Exploiter 10 - Offboarding Wallet
Wallet used to offboard stolen SHIB tokens using DeFi protocols
0x313f7c62b4ac4377ebd69fcebbb484a26faef678
WazirX Exploiter 11 - Tunnel Wallet
Wallet used to Tunnel 1.5B stolen SHIB tokens
0x62b4daa783bb22cf45b6524c63c0477ee10b215f
WazirX Exploiter 12 - Tunnel Wallet
Wallet used to Tunnel 1.2B stolen SHIB tokens
0x252bdaaee67e3a94d80c98b22b6e85c2e4a86e56
WazirX Exploiter 13 - Tunnel Wallet
Wallet used to Tunnel 1.2B stolen SHIB tokens and offboard stolen SHIB tokens using DeFi protocols
0x6ad4486edfbceafc170c3dd7762e8be1ddae12c2
WazirX Exploiter 14 - Offboarding Wallet
Wallet used to swap SHIB into ETH
0x2d8231e7cb5d21887f0b007878a4bdd8b1a9c0e4
WazirX Exploiter 15 - Offboarding Wallet
Wallet used to Tunnel 135M stolen GALA tokens and offboard stolen GALA tokens using DeFi protocols
0x90ca792206ed7ee9bc9da0d0df981fc5619f91fd
WazirX Exploiter 16 - Offboarding Wallet
Wallet used to swap SHIB using DeFi protocols
0x8f5376c6eddc246d7e57040b1b0647fd3cbaff89
WazirX Exploiter 17 - Offboarding Wallet
Wallet used to swap SHIB using Uniswap and other DeFi protocols
0x57949b506d895d9ededdd9883bc301a820fdd063
WazirX Exploiter 18 - Offboarding Wallet
Wallet used to swap stolen tokens using Uniswap and other DeFi protocols
0xb8343bcc0256aa2d11022f12941c40c9822b6afb
WazirX Exploiter 19 - Offboarding Wallet
Funded by WazirX Exploiter 2, Wallet used to swap stolen tokens into ETH using DeFi protocols
0xfae288c79c337e7f55db70abe85d39b59ed130ea
Table 2 lists the associated addresses found for the WazirX hacker during Blockscope’s investigation.
Monitoring Stolen Funds
Using Blockscope’s monitoring tool, Watchtower, we can set up alerting whenever any of these stolen tokens move in or out of the wallets listed above.
Link to see any new transactions captured by watchtower:
https://www.blockscope.co/community/watchtowers/66a6c4126e96e8085fa4fed0
This watchtower captured the hacker moving the stolen funds out to Tornado Cash, an OFAC-sanctioned protocol, in real time. Tracing these movements using Blockscope's Tracer tool gives the following insights.

Summary
The WazirX hack investigation is ongoing, with new details becoming public daily. This is Blockscope’s best effort analysis based on the data available on the Ethereum Blockchain and other publicly accessible sources at this time.
The investigation utilized several advanced tools provided by Blockscope and forensic techniques to meticulously trace and analyze the events of the hack:
Transaction Decoder: Essential in breaking down unauthorized transactions and understanding the sequence of actions taken by the hackers.
Wallet Profiler: Helped identify and analyze the suspicious wallets involved, revealing their connections to the Tornado Cash mixer, which was used to obfuscate the origins of the stolen funds.
Tracer Tool: Played a crucial role in tracking the movement of the stolen tokens, such as SHIB and ETH, across various wallets and DeFi protocols.
Entity Interaction Tool: Used to map out all interactions between the involved addresses.
Cohort Analyzer: Helped identify clusters of associated wallets, providing a clearer picture of the hackers' network.
For more information, please reach out to us at [email protected]
Disclaimer: Best Effort Investigation
This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:
The data used in this investigation may contain inaccuracies, omissions, or errors.
Information sources may be incomplete or subject to change.
New evidence may emerge that could alter the conclusions.
Analysis and interpretations are based on current understanding and may evolve.
We have made every reasonable attempt to ensure accuracy, but cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.