Over $230 Million Worth of Crypto Hacked: What Message Is It Sending? With the siphoning of USD 234.9 million in crypto, what's next for the industry, its users, and government?

On Thursday, cryptocurrency player, WazirX, confirmed a security breach in one of our multi-signature wallets. While the startup mentions the hacked amount being over USD 230 million, blockchain security firm Cyvers said the siphoned amount is expected to be USD 234.9 million, a large chunk of its USD 503 million assets.

The Nischal Shetty-founded crypto startup is one of the largest players in the Indian market. Crypto influencer Kashif Raza shared that 33 per cent market share was of WazirX. "This has taken the industry 5-7 years back," Raza noted.

"This incident has affected the Ethereum multisig wallet consisting of Eth and ERC20," said Shetty in his only communication over the incident.

What we know so far

Lookonchain reported that the compromised funds include approximately USD 100 million in Shiba Inu (SHIB), USD 52 million in Ethereum (ETH), and USD 11 million in Polygon (MATIC), with the remaining being in Floki, Fantom, Chainlink, and Fetch.ai.

Preetam Rao, founder, QuillAudits based on activity analysis speculated, "The main address that was involved in the hack began doing its preparation eight days back."

A multi-signature wallet requires the permission of multiple stakeholders before carrying out any transaction. The hackers could have upgraded the multisig into a malicious version to carry out the illegal activity. According to Quillaudits' analysis, hackers got access to two main keys. "Out of the last two, one account needed the co-sign from Liminal Custody. Maybe there was some issue with it which gave hackers an opportunity." WazirX's cold storage wallet was recently upgraded to a version to support multisig, but the way they upgraded used a smart contract which was already compromised. "This does not look like someone used brute force to try to figure out vulnerabilities of WazirX's server," Dr. Sathvik Vishwanath, founder, Unocoin said. He further notes that other wallets of WazirX do not look affected.

Rohan Agarwal, founder, Cypherock Wallet feels it was a classic case of smart contract signing gone wrong.

However, Liminal Custody clarified on X, "We can confirm that Liminal's platform is not breached and Liminal's infrastructure, wallets and assets…all the malicious transactions to the attacker's addresses have occurred from outside of the Liminal platform." WazirX notified that the wallet had six signatories—five from our WazirX team and one from Liminal, who were responsible for transaction verifications.

"A transaction typically requires approval from three of the WazirX signatories (all three of whom use Ledger Hardware Wallets for security), followed by the final approval from Liminal's signatory," it posted on X.

We are yet to know which keys were compromised.

"The cyber attack stemmed from a discrepancy between the data displayed on Liminal's interface and the transaction's actual contents. During the cyber attack, there was a mismatch between the information displayed on Liminal's interface and what was actually signed. We suspect the payload was replaced to transfer wallet control to an attacker," WazirX said on the nature of the attack.

What it means for the public

Will the government get involved? "I don't think it is easy to regulate when it comes to storage-related things for crypto. If the government appoints authorizers to provide custody for crypto, then the entire responsibility will be on them. I don't see how the government can help. They can mandate an audit when it comes to proof of reverse. But these two do not mean hack-proof," added Dr. Vishwanath.

He further feels this still wouldn't have saved WazirX.

Tanvi Ratna, founder, Policy4.0 feels we will be heading towards prudential regulation. Dr. Vishwanath on crypto getting insured said, "Even for the risk-taking insurance company, it is not feasible to provide that kind of service to crypto companies."

What are the chances of recovery? "There are cases where the hack took place two-three years ago and the funds are being moved now...It might not go to the central exchange for five-six years," adds Rao.

Ratna notes that government will not guarantee protection for actions in crypto, "If you want the government to be the guarantor of trust in this industry, then the whole industry has to fit into their financial regulatory framework."

Industry alertness and support

Several crypto players in a bid to reassure their users took to social media platforms to share about their security and provide transparency.

"We have transparent proof of reserves, which is publicly visible in real-time. CoinDCX has best-in-industry security measures and is ISO 27001 certified, said Sumit Gupta, co-founder, CoinDCX.

"We want to assure our users that their funds on @CoinSwitch are secure and unaffected by this incident. We advise all our crypto investors to be mindful of potential market volatility during this time and exercise caution in their trading and investment activities," said Ashish Singhal, co-founder & group CEO, PeepalCo.

"We conduct regular audits to ensure a 1:1 ratio of funds. Additionally, our codebase goes through extensive scrutiny and review at many layers to ensure our tech infrastructure is immune to such exploits. This incident underscores the importance of continuous monitoring and robust compliance frameworks to protect investors and ensure the integrity of the crypto ecosystem," said Edul Patel, CEO, Mudrex.

Gupta further extended help to WazirX to figure out a solution. "Even though @WazirXIndia is our competitor in the Indian market, I am sad to know about the incident. It's not good news for the Indian web3 ecosystem," posted Neeraj Khandelwal, co-founder, CoinDCX.

The possible solutions

Can self-custody be the solution to the loss of such scale? For the uninitiated, self-custody lets you control your private keys yourself, taking full responsibility for the security of your wallet. While the Financial Intelligence Unit does not restrict it, the practice is not encouraged by players as a part of business. Self-custody leads to enhanced security, full control over when and how to move your assets, and keeping your transactions private3.

Lack of awareness and knowledge coupled with the perception of holding the crypto platform at the highest level leads to people not being aware of possibilities. "For Indian Crypto exchange, one thing is clear from today, FIU registration is not enough, Declaration of Proof Of Reserve is not enough, mere ISO27001 certification is not enough. What is required is a full Red Team working to defend your exchange from hacks. CERT-IN era way fwd," posted Jayjit Biswas, founder, Elite Web3 Forum.

The wallet security needs to be ramped up. "There are people who've saved for six years and get their wallets drained after six years," concluded Rao.

Raza, Agarwal, Rao, and Ratna shared their views during a X spaces live.