Following our initial communication on July 19, we are providing additional details about the security incident. The recent security breach suffered by WazirX underscores the urgent need for robust security measures and investor protection across the industry. On July 18, 2024, Liminal was notified of a security incident involving a self-custody multi-signature smart contract wallet belonging to one of our customers, WazirX. This wallet, independently created and subsequently imported onto the Liminal platform, was compromised on July 18. Our preliminary investigation points to a customer-level compromise via a sophisticated intrusion.
We want to unequivocally state that Liminal’s platform, infrastructure, wallets, and assets remain completely secure. Our operations have not been disrupted, and we continue to process transfers and withdrawals for all customers without interruption. Additionally, the impacted customer continues to hold significant funds in Liminal wallets, indicating the resilience of our platform. While it is premature to draw any conclusion, it is important to focus on completing a thorough investigation. To that effect, and in keeping with our commitment to uphold the highest standards of transparency, Liminal has proactively engaged independent CERT-certified, third-party experts to conduct thorough forensic audits, which will be backed by published reports. Alongside this, we also continue to be engaged with relevant authorities. As a wallet infrastructure support platform, we emphasize that this incident originated from an external source, underscoring the crucial need for comprehensive security measures across platforms to minimize risk.
A Closer Look at Liminal’s Custody Services
It is important to clarify that the product in question for this incident is our self-custody wallet infrastructure, wherein a majority of the private keys that control and operate the wallets remain with our clients on their infrastructure. In this product, Liminal can never initiate a transaction. Transactions always originate at our client’s end. With this setup, our clients are the custodians of the user assets and are responsible for having proper security measures, a secure infrastructure setup and insurance in place. We also assist our self-custodial wallet infrastructure clients who want to get insurance by connecting them with some of the best insurance providers globally.
Liminal Custody offers two primary services:
- Self Custody Wallet Infrastructure (the one used by WazirX)
- Custody Wallet Infrastructure
See below for an overview of how Self-Custody and Custody Infrastructures generally work:
Particulars | Self-Custody Wallet Infrastructure (used by WazirX) | Custody Wallet Infrastructure |
---|---|---|
Private Key Management | Majority of the keys are operated and managed by the client and Liminal has one signer key. | ALL the keys are created, owned and operated by our custody platform |
Insolvency Risk | Liminal provides a full recovery kit to the client that can be used by clients to protect themselves against any insolvency event on Liminal’s side. However, Liminal only protects its client and this does not provide any protection to end users from an insolvency at the client’s end. | Liminal’s custody platform business is built on a Legal Trust Structure where all user funds (client and end user) are held in trust and in case of insolvency, all the users continue to have 1:1 rights on the funds. |
Rehypothecation | Due to zero control on keys, Liminal cannot guarantee any protection from rehypothecation of user funds. Whether the platform rehypothecates (or lends) user assets, depends on the platform and is typically mentioned in their terms of service. | Protection from Rehypothecation since Liminal controls all keys and only does the single task of safekeeping (no trading, leverage, etc whatsoever) |
Infrastructure Security | Majority of keys are on clients’ infrastructure and one key is with Liminal. Client is responsible to have robust security measures in place to protect their side of keys while Liminal protects their signer. | ALL keys with Liminal and Liminal retains complete control and onus of security protocols. |
Cybersecurity and Risk | Majority of the keys are with the client and it is the client’s responsibility to ensure there are adequate risk management protocols in place to safeguard the majority keys. Liminal’s responsibility is to ensure risk management for its key. | Complete accountability rests with Liminal as all keys are on Liminal’s infrastructure. |
Insurance Risk on Key Management | Client’s responsibility and premium cost is borne by the client as the client is the custodian of the end user’s assets. | Liminal’s responsibility and premium cost is borne by Liminal. |
In an industry marked by volatility and sensational headlines, it’s easy for lesser-known players like Liminal to be misconstrued. Our focus has always been on delivering exceptional security and Liminal is a company built on a foundation of trust, compliance, and customer centricity. We operate under the highest standards, holding licenses in multiple jurisdictions, which is a testament to our commitment to regulatory adherence and our security mindset. As a security and compliance driven entity, our dedication is to long-term success and we hold international security certifications, including CCSS Level-3 QSP, ISO 27001 & 27701, and others, which underscore our unwavering commitment to security.
Liminal remains steadfast in our commitment to safeguarding our customers’ assets and upholding the highest standards of security.
Please watch this space for more information.
Disclosures & Disclaimer
Liminal Custody is a compliant and insured digital asset custody and wallet infrastructure provider. Launched in April 2021, Liminal Custody is a CCSS Level 3 and ISO 27001 & 27701 certified organisation. Based in Singapore, Liminal Custody has operations spread across APAC, MENA and Europe, along with offices in Singapore, India and UAE. Presently, the company has received an FSP licence from FSRA in ADGM and has Initial Approval (IA) from VARA. Liminal Custody takes pride in supporting businesses with its regulated and insured digital asset custody platform that enables stress-free safekeeping of digital assets for institutions. It also provides a cutting-edge wallet infrastructure platform that is secure, compliant and automated and comes with a plug-and-play architecture for faster onboarding of developers, business partners and government agencies.
This incident report is provided solely for informational purposes. Liminal accepts no liability for actions taken based on the information contained herein. The content of this report is based on the data available at the time of its creation and should not be construed as a legal determination of fault or responsibility. Liminal explicitly disclaims any warranties or guarantees, expressed or implied, regarding the information’s accuracy, completeness, or reliability. The report should not be used as the sole basis for any decision-making. All readers are advised to seek independent judgment to address specific concerns and conduct thorough investigations.