
We can’t afford to repeat the mistakes exposed by the WazirX hack


  blockworks.co 29 August 2024 13:40, UTC

Not many are willing to admit that Web3 is overly reliant on hybrid security systems that are more susceptible to sophisticated attacks. The recent breach at WazirX serves as a stark reminder of these vulnerabilities. Attackers exploited weaknesses in the transaction verification processes, revealing significant flaws in how these systems handle security.

Now, it is up to us to reimagine and reinforce our security infrastructures with robust transaction authenticity validation and multi-party computation (MPC) algorithms at the forefront. Otherwise, we risk ongoing exposure to attacks that could one day erode trust in digital assets.

On July 18, 2024, Indian crypto exchange WazirX experienced a significant security breach resulting in the theft of $230 million worth of assets. Attributed to North Korean hackers by blockchain investigation firm Elliptic and independent security researchers, this advanced attack alarmed the cryptocurrency community by revealing serious vulnerabilities in multi-signature wallets (even in advanced security systems). But such incidents can be great learning moments to help organizations fortify their defenses against similar threats.

Understanding the attack

The compromised wallet was a Gnosis Safe wallet imported into Liminal’s wallet management system, configured for a 4/6 signature threshold. Standard transaction signing required approval from three WazirX signatories using Ledger hardware wallets, followed by final approval from Liminal’s signatory. The attackers most likely compromised the three WazirX signer machines; had Liminal itself been compromised, we would have seen further incidents, but this was the only Liminal-related one. By exploiting the gap between blind-signing on the Ledger devices and the Liminal web app, the threat actor was able to alter the transaction payload before it was signed. This created a discrepancy between the transaction shown in the web interface and the data actually signed by the hardware devices.

The attackers’ strategy was to swap in a malicious payload each time a transaction was attempted. Although the Liminal system rejected the malformed malicious transactions, the attackers still accumulated three valid signatures from the WazirX co-signers. With those in hand, they obtained the fourth signature from Liminal’s co-signer, which made the transaction valid and let them replace the Safe wallet’s implementation contract with a malicious one. As a result, they gained full control of the wallet and transferred its funds to an address they controlled.

Working together to eliminate the threat

The WazirX attack highlighted several critical vulnerabilities. The hybrid setup between WazirX, Liminal, Ledger and Safe lacked robust transaction authenticity validation, exposing it to a man-in-the-middle attack. The reliance on blind-signing worsened this weakness.

Implementing proper end-to-end trust verification could have mitigated this attack. A multi-device setup remains preferable, but to eliminate blind-signing the decoded transaction must be displayed on the signing device itself, where the signer can read and check it before approving.
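To make the gap described above concrete, here is an added Python example (not code from the article, nor from WazirX, Liminal, Ledger or Safe) contrasting a blind-signing device, which receives only a hash, with a clear-signing device that decodes the payload it actually received and lets the approver compare it with what the web UI displayed. The SafeTx type, the SHA-256-over-JSON digest standing in for the EIP-712 safeTxHash, the HMAC standing in for an ECDSA signature, and all addresses and calldata are constructed assumptions. The operation field (0 = CALL, 1 = DELEGATECALL) mirrors the one in Safe’s execTransaction; a delegatecall runs foreign code in the Safe’s own storage context, so the policy here refuses it by default.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class SafeTx:
    """Constructed, simplified Safe-style transaction (assumption, not Safe's real struct)."""
    to: str          # destination address
    value_wei: int   # native value transferred
    data: str        # hex calldata, "0x..."
    operation: int   # 0 = CALL, 1 = DELEGATECALL
    nonce: int


def tx_digest(tx: SafeTx) -> str:
    """Digest the signer is asked to sign. SHA-256 over canonical JSON stands in
    for the EIP-712 hash a real Safe uses."""
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def decode_for_display(tx: SafeTx) -> dict:
    """Fields a clear-signing device renders so a human can compare them with the UI."""
    selector = tx.data[:10] if len(tx.data) >= 10 else tx.data
    return {
        "to": tx.to,
        "value_wei": tx.value_wei,
        "selector": selector,
        "operation": "DELEGATECALL" if tx.operation == 1 else "CALL",
        "nonce": tx.nonce,
    }


def blind_sign(signer_key: bytes, digest: str) -> str:
    """Blind signing: the device sees only a hash and signs whatever it is handed.
    HMAC-SHA256 is a constructed stand-in for an ECDSA signature."""
    return hmac.new(signer_key, bytes.fromhex(digest), hashlib.sha256).hexdigest()


def verify_signature(signer_key: bytes, digest: str, sig: str) -> bool:
    return hmac.compare_digest(blind_sign(signer_key, digest), sig)


def clear_sign(signer_key: bytes, device_tx: SafeTx, ui_display: dict,
               allow_delegatecall: bool = False):
    """Clear signing: the device decodes the payload it really received, the approver
    compares it with what the UI showed, and policy runs on the decoded fields.
    Returns (signature or None, reason)."""
    shown = decode_for_display(device_tx)
    if shown != ui_display:
        return None, f"payload mismatch: device={shown} ui={ui_display}"
    if device_tx.operation == 1 and not allow_delegatecall:
        return None, "policy: DELEGATECALL refused for this wallet"
    return blind_sign(signer_key, tx_digest(device_tx)), "ok"


def simulate_swap() -> dict:
    """Constructed replay of the scenario above: the UI shows a benign transfer while
    the payload reaching the device has been swapped for a DELEGATECALL."""
    key = b"constructed-signer-key"  # stands in for a hardware-wallet private key
    benign = SafeTx(to="0x" + "11" * 20, value_wei=10 ** 18, data="0x", operation=0, nonce=42)
    swapped = SafeTx(to="0x" + "ee" * 20, value_wei=0, data="0xdeadbeef" + "00" * 32,
                     operation=1, nonce=42)
    ui_display = decode_for_display(benign)  # what the approver saw in the browser

    # Blind signing: the device only ever receives the digest of the swapped payload.
    blind_sig = blind_sign(key, tx_digest(swapped))
    # Clear signing: the device receives the swapped payload and decodes it itself.
    clear_sig, reason = clear_sign(key, swapped, ui_display)

    return {
        "blind_signature_valid_for_swapped": verify_signature(key, tx_digest(swapped), blind_sig),
        "clear_signing_refused": clear_sig is None,
        "reason": reason,
    }


if __name__ == "__main__":
    print(simulate_swap())
```

The blind path hands the attacker a signature that is perfectly valid for the swapped payload, because nothing on the device could notice the substitution; the clear path refuses before any signature exists. The comparison step is only as good as what the device can decode, so calldata for unknown selectors should be shown raw rather than summarised.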

Furthermore, an MPC algorithm could have mitigated this risk. True MPC ensures that even if attackers gain control over all customer signing devices, transactions cannot proceed without all co-signers’ approval, thus rendering the “sequential signature collection” attack impossible. This structural safeguard offers a defense against on-the-fly transaction manipulation.
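The structural difference between a multisig, where each co-signer emits an independent signature that can be collected over time, and MPC, where one signature is produced jointly in a single session, can be shown with a few lines of code. The following is an added example, not code from the article or from any of the vendors it names: an n-of-n joint Schnorr signing on secp256k1 (the curve Ethereum uses) with additive key shares, written from scratch. Three “customer” parties and one “custodian” party each hold a share; a signature only verifies if every party computed its partial over the same message in the same session, so partials gathered for a malicious payload cannot be completed by a custodian that only ever signs what its own policy engine approved. The Party class, the session logic and the messages are constructed assumptions; real deployments use hardened threshold protocols (MuSig2-style nonce commitments, or threshold ECDSA for Ethereum-compatible signatures), and a 4-of-6 threshold like WazirX’s would use Shamir-style shares rather than the n-of-n additive shares used here for brevity.

```python
import hashlib
import secrets

# secp256k1 domain parameters.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r


def challenge(R, X, msg):
    """Schnorr challenge bound to the aggregate nonce, the wallet key and the message."""
    h = hashlib.sha256(R[0].to_bytes(32, "big") + X[0].to_bytes(32, "big") + msg).digest()
    return int.from_bytes(h, "big") % N


class Party:
    """One MPC signer holding an additive share x_i of the wallet key (constructed)."""
    def __init__(self, share):
        self.x = share
        self.X = ec_mul(share, G)

    def round1(self):
        self.r = secrets.randbelow(N - 1) + 1      # fresh one-time nonce share
        return ec_mul(self.r, G)

    def round2(self, R, X, msg):
        # The partial is bound to THIS party's view of the message via the challenge.
        return (self.r + challenge(R, X, msg) * self.x) % N


def combine_pubkey(parties):
    X = None
    for p in parties:
        X = ec_add(X, p.X)
    return X


def joint_sign(parties, views):
    """One signing session. views[i] is the message party i believes it is signing;
    in an honest session all views are identical."""
    X = combine_pubkey(parties)
    R = None
    for p in parties:
        R = ec_add(R, p.round1())
    s = sum(p.round2(R, X, m) for p, m in zip(parties, views)) % N
    return (R, s)


def verify(X, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, X, msg), X))


def demo():
    customers = [Party(secrets.randbelow(N - 1) + 1) for _ in range(3)]
    custodian = Party(secrets.randbelow(N - 1) + 1)
    parties = customers + [custodian]
    X = combine_pubkey(parties)
    good = b"transfer 1 ETH to treasury"    # what the custodian's policy engine approved
    bad = b"upgrade Safe implementation"     # what compromised customer devices tried to sign
    honest = joint_sign(parties, [good] * 4)
    attacked = joint_sign(parties, [bad] * 3 + [good])   # 3 compromised views, 1 honest
    return {
        "honest_valid": verify(X, good, honest),
        "attack_valid_for_bad": verify(X, bad, attacked),
        "attack_valid_for_good": verify(X, good, attacked),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing a compromised party produces here is a standalone signature: a partial is a one-time value tied to the session nonce and the message, useless outside the round in which the custodian also contributes. That is the property the article means by making sequential signature collection impossible, and it holds only if the custodian’s partial is computed over the message its own policy engine inspected.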

Additionally, real-time risk assessments and anomaly detection systems can flag unusual transaction patterns, enabling swift intervention before transactions are executed. These proactive strategies are essential for identifying and addressing threats preemptively.
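As an added example of the pre-execution screening this paragraph calls for (not code from the article or from any custodian it names), the following Python risk engine scores each multisig proposal against a baseline built from past approved traffic. The constructed history, the RiskEngine class, its thresholds and the sample proposal stream are all assumptions. Alongside the usual signals (first-seen destination, value far above the historical median, a delegatecall, too many proposals per hour) it keeps a per-nonce fingerprint so that the pattern described earlier, the same transaction being re-attempted with a different payload, is caught as soon as it recurs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# Constructed history of previously approved withdrawals (not real data).
HISTORY = [
    {"to": "0xaaaa", "value_eth": 2.0},
    {"to": "0xaaaa", "value_eth": 3.0},
    {"to": "0xbbbb", "value_eth": 1.5},
    {"to": "0xbbbb", "value_eth": 2.5},
    {"to": "0xaaaa", "value_eth": 4.0},
]


class RiskEngine:
    """Pre-execution risk screen for multisig proposals (hypothetical design).
    Decisions: 'block' rejects outright, 'hold' routes to manual review, 'allow' passes."""

    def __init__(self, history, window=timedelta(hours=1), max_per_window=3, value_multiple=5.0):
        self.known_dest = {h["to"] for h in history}
        self.baseline = median(h["value_eth"] for h in history)
        self.window = window
        self.max_per_window = max_per_window
        self.value_multiple = value_multiple
        self.recent = deque()                  # timestamps of proposals in the current window
        self.seen_by_nonce = defaultdict(set)  # nonce -> payload fingerprints proposed for it

    def assess(self, tx):
        flags = []
        if tx["operation"] == 1:               # DELEGATECALL can rewrite the wallet itself
            flags.append("delegatecall")
        if tx["to"] not in self.known_dest:
            flags.append("new-destination")
        if tx["value_eth"] > self.value_multiple * self.baseline:
            flags.append("value-above-baseline")

        # Same nonce proposed again with different content: the swap-on-retry pattern.
        fingerprint = (tx["to"], tx["value_eth"], tx["data"], tx["operation"])
        prior = self.seen_by_nonce[tx["nonce"]]
        if prior and fingerprint not in prior:
            flags.append("payload-changed-for-nonce")
        prior.add(fingerprint)

        # Velocity: proposals within the sliding window, assuming time-ordered input.
        self.recent.append(tx["ts"])
        while self.recent[0] < tx["ts"] - self.window:
            self.recent.popleft()
        if len(self.recent) > self.max_per_window:
            flags.append("velocity")

        if "delegatecall" in flags or "payload-changed-for-nonce" in flags:
            return "block", flags
        return ("hold" if flags else "allow"), flags


def run_demo():
    """Constructed proposal stream: a routine transfer, a new destination retried with
    altered calldata under the same nonce, then a large delegatecall."""
    engine = RiskEngine(HISTORY)
    t0 = datetime(2024, 7, 18, 12, 0, 0)
    stream = [
        {"ts": t0, "nonce": 10, "to": "0xaaaa", "value_eth": 3.0, "data": "0x", "operation": 0},
        {"ts": t0 + timedelta(minutes=5), "nonce": 11, "to": "0xcccc", "value_eth": 2.0,
         "data": "0x", "operation": 0},
        {"ts": t0 + timedelta(minutes=6), "nonce": 11, "to": "0xcccc", "value_eth": 2.0,
         "data": "0xdeadbeef", "operation": 0},
        {"ts": t0 + timedelta(minutes=7), "nonce": 12, "to": "0xaaaa", "value_eth": 40.0,
         "data": "0x", "operation": 1},
    ]
    return [engine.assess(tx) for tx in stream]


if __name__ == "__main__":
    for decision, flags in run_demo():
        print(decision, flags)
```

The engine is deliberately placed before signature collection: a proposal that is blocked never reaches a signer, so the question of whether a device would blind-sign it does not arise. The per-nonce check is cheap, keeps no sensitive state, and would have lit up on the very second attempt of the retry pattern described above.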

This event also teaches us the importance of collaboration and information sharing within the industry. Crypto exchanges and custodians must work together to share insights and threat intelligence to strengthen their defenses. Establishing industry-wide protocols and best practices can create a united front against attacks.

It is everyone’s job to stay informed about emerging threats and share experiences to help develop better defense mechanisms. Regulatory bodies also have a role in ensuring that exchanges follow strict security standards and practices.

Building a resilient future

The WazirX hack is an industry-wide call for stronger wallet setups and comprehensive security protocols. Regular security audits and penetration testing can uncover vulnerabilities, while continuous monitoring and updated security measures ensure defenses remain strong against new threats.

This incident highlights the need for ongoing improvement within security protocols. By learning from breaches like the WazirX hack to implement more resilient systems, exchanges and custodians can better protect their assets and maintain user trust.

As an industry, we should use the hack as a reminder of the ever-present threats in the crypto space. It is possible to build a more secure future for digital assets, but the path forward requires a firm commitment to security — ensuring that such incidents become rare exceptions rather than common occurrences. Lessons learned should ideally propel the industry toward a stronger and safer future, protecting digital assets for years to come.
