Audit finds $230M WazirX hack originated outside Liminal Custody

An independent audit by Grant Thornton found no evidence that Liminal Custody’s infrastructure was involved in the $230 million WazirX attack.

Grant Thornton’s audit found that Singapore-based crypto custodian Liminal Custody was not the primary source of the $230 million attack on WazirX, with the company noting in a September 9 blog post that the breach originated “outside Liminal’s infrastructure.”

The breach, which occurred in July, allowed attackers to steal more than $230 million worth of cryptocurrencies.

WazirX, which has since moved its assets to new multi-signature wallets, initially pointed to discrepancies between Liminal’s interface and transaction data. However, an audit by Grant Thornton reportedly found no evidence of compromise in Liminal’s infrastructure, but Liminal Custody did not publicly share its audit findings.

“Grant Thornton conducted a detailed assessment of Liminal’s infrastructure and reported that Liminal’s front- and back-end infrastructure is secure, with no evidence of any compromises or vulnerabilities related to the transaction workflow.”

Liminal Detention

No violation by Liminal

Liminal emphasized that discrepancies between the data payloads generated by its system and those received from the customer suggested there could be two possible sources of the breach: vulnerabilities in the customer’s infrastructure or the maintainer’s front-end systems. The company added that it was still awaiting “an end-to-end review from our auditors.”

The company noted that its multi-signature wallet model ensures that client keys remain with clients, adding that users “can never initiate a transaction and all transactions always start on the client side first.”

Following the attack, WazirX attempted to implement a “socialized churn strategy” that would see users access 55% of their funds, with the remaining 45% held in Tether (USDT) equivalent tokens on the exchange. However, the proposal was met with widespread outrage, with users accusing the exchange of trying to avoid taking full responsibility for losses from the attack. WazirX was later forced to back away from the plan, requesting more time to work on a solution.