As the Web3 community grapples with the affected exchange’s submission of 240,000 wallet addresses to the Singapore court, there is a noticeable confusion on Liminal’s role in the matter. The exchange’s exhaustive submission spanning 1100 odd pages has sparked intense debate and concern within the cryptocurrency ecosystem. While this extensive data disclosure has been widely criticized as a potential disinformation campaign designed to confuse both users and legal authorities, we have also been approached to clarify information and our role in this matter. Given the gravity of the situation and our commitment to transparency, we believe it’s crucial to address these misconceptions head-on and provide verified, factual information about our involvement.
We urge the community to critically evaluate the information provided by all parties involved and to rely on verified sources. Our goal is to maintain the integrity of the Web3 ecosystem and to ensure that users have access to accurate and reliable information.
The 240,000 Wallet Addresses
Like most in the industry, we too have combed through the list of the 240,000 wallet addresses shared by WazirX. As stated by several other notable individuals as well, a majority of these addresses are hot wallets, while a handful are the warm / cold wallets that were managed through Liminal’s infrastructure. These handful wallets held all the balance funds of approximately USD 300 million for several days and approx USD 177 million for several months after the incident.
As stated previously as well, Liminal’s contractual relationship with WazirX was for a software subscription service for Liminal’s Self-Custody infrastructure platform. Within this service, Liminal was providing WazirX with cold / warm wallets (barring one low balance hot wallet), totaling to a handful of wallets that held a variety of assets. WazirX was not using several Liminal infrastructure offerings including, hot wallets, which would have created thousands of wallets within Liminal’s infrastructure and smart refill transactions feature, which could have prevented usage of cold wallets for refill and eventually the cold wallet signatures from getting leaked.
WazirX’s Ongoing Use of Liminal’s Infrastructure
As an immediate response to the breach, WazirX blamed Liminal Custody and made media announcements on August 14, 2024 stating that it had ‘terminated’ its contract with Liminal. However, far from this posturing WazirX continued to use Liminal’s infrastructure to access and manage their remaining user funds. Even 75 days after the hack, WazirX was still holding over USD 175 Million in assets on Liminal’s platform. In fact, despite their accusations, as of today, approximately USD 50 Million of their user assets continue to remain on wallets accessed via Liminal Infrastructure. Again, as a Self-Custody holder, Liminal cannot transfer nor initiate any transaction pertaining to WazirX funds and only the WazirX team can initiate transactions on their wallets. As a responsible company we have clarified this position and situation to incoming media requests and authorities as requested; and in the interest of the community, we have also extended sufficient support for them to withdraw their funds.
Radiant Capital Hack Comparison
Another recent security incident: the Radiant Capital incident has the exact same modus operandi as the WazirX incident. Both cases share exactly similar attack vectors of three signers using ledger devices, multi-sig smart contract wallets, signature mismatches, transaction rejection errors and smart contract wallet upgrades to seize control. However, the Radiant Capital hack also serves as a stark study in contrasting organizational responses to security breaches. Radiant Capital demonstrated exemplary transparency by promptly acknowledging that their signatories were using a UI interface as well as a transaction simulator to ensure accurate instructions were provided at their end, however, the transaction information was maliciously updated by a malware injection on their devices which were compromised. While their signers also relied on the UI and frontend checks, their thorough disclosure revealed that the breach was nowhere related to front-end or UI vulnerabilities but from compromised device infrastructure used for hardware wallet connections, allowing attackers to intercept and manipulate legitimate transactions at the point of signing via cold wallets. Read their detailed post mortem report here: https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081
In marked contrast, rather than sharing a detailed post mortem, WazirX instead chose to eschew responsibility by publicly attributing blame to Liminal through a social media post mere hours after the breach – a post they later retracted. This impulsive finger-pointing, combined with their persistent lack of transparency and accountability, continues to not only muddy the waters but has also inflicted lasting damage to industry trust and security protocols.
In Summary
Throughout this challenging period, Liminal Custody has maintained a measured approach, choosing careful evidence-based communication over hasty responses. However, after 90 days of witnessing WazirX’s persistent disinformation campaign, we feel compelled to take a firmer stance. While we have historically preferred to let our work speak for itself, we cannot allow misleading narratives to go unchallenged when they threaten the integrity of our industry and the trust of our stakeholders.
Our commitment to excellence and user safety remains unwavering, as is our responsibility to protect our reputation and the interests of our clients and partners. Moving forward, we will continue to address false narratives with facts, ensuring that truth prevails over deliberate attempts at manipulation. The cryptocurrency ecosystem thrives on trust and transparency – principles we will steadfastly defend.
by Liminal
by Liminal