An independent audit by global auditing firm Grant Thornton has reported that a $230 million hack against cryptocurrency exchange WazirX did not originate from the infrastructure of crypto custodian Liminal Custody. The Singaporean crypto custodian, earlier suspected based on discrepancies in transaction data, has now been cleared by the recent audit of direct involvement in the breach.
The July hack led to the attackers siphoning off more than $230 million in digital assets. This raised several questions about the security of crypto custodial services.
Breach Identified Outside Liminal’s Infrastructure
In a blog post on September 9, Liminal Custody said results of the audit indicated that the attack was originating from outside its systems. Whereas WazirX had implied there were indeed discrepancies between the Liminal interface and transactional data, the audit did find vulnerabilities or compromises within either Liminal’s frontend or its backend infrastructure.
It thus appears the attack came from the outside rather than within the secure walls of Liminal’s multi-signature wallet framework. Liminal Custody says all its systems remain secure in order to protect client digital assets.
Continued Investigations, Along with Security Enhancements
Liminal Custody maintained there were glitches in data, possibly due to client infrastructure vulnerabilities or its frontend interface. However, deeper analysis is required. “We are waiting for an end-to-end review from our auditors”, the company said, adding that its multi-signature wallet model ensures the control of keys is very much in the hands of the clients, thereby removing the possibility of internal threats.
In the wake of the breach, Liminal is considering security as a continuous process, while simultaneously exploring probable causes of these discrepancies identified by WazirX.
Response by WazirX and Strategy of Socialized Loss
The recovery plan post-exploit that WazirX had come up with was highly controversial: it suggested a “socialized loss strategy” wherein users recover only 55% of their funds initially, and the rest provided in the form of Tether tokens. However, this plan received considerable backlash from affected users, which has led the exchange to take a different approach. This stakeholder is therefore considering other avenues toward compensation for those who were affected by the breach.
The restoration of faith for each platform is ongoing, with both WazirX and Liminal Custody working on ensuring such incidents are averted in the future.