Globally renowned auditor Grant Thornton (ranked 6th globally) has conducted a comprehensive review of the key components of Liminal’s infrastructure and concluded that the attack has originated outside of Liminal’s infrastructure.
Detailed Overview
At Liminal, we remain steadfast in our commitment to providing a secure and reliable platform for our customers and users. In the wake of the incident on July 18th, 2024, pertaining to the security incident involving one of our Singapore customers, our Singapore entity has been conducting extensive reviews to thoroughly investigate the matter. Our two-pronged approach has involved in-house examinations as well as engaging renowned, independent third-party auditors to conduct comprehensive reviews of our infrastructure. While we await an end-to-end review from our auditors, the sequential reviews so far have yielded some key findings:
- Inconsistencies in Data Payload: The mismatch between the data payloads that were created by our system and the data payloads which were received from the client’s system indicated two potential possibilities: that the compromise could have originated either at the client’s infrastructure or from within our frontend systems. This needed to be investigated further.
- Independent Audits Affirm Security of Liminal’s Frontend and UI: To investigate these discrepancies, we enlisted the services of several reputable auditors, including Grant Thornton – a top ranked audit company (ranked 6th globally). Their detailed review of our infrastructure has concluded that Liminal’s User Interface (UI), frontend and backend infrastructure remain uncompromised.
Grant Thornton conducted a detailed assessment of Liminal’s infrastructure and have informed us that Liminal’s frontend and backend infrastructure is secure, with no evidence of any compromise or vulnerabilities related to the transaction workflow.
The fact that our platform continues to process millions of dollars worth of assets securely and seamlessly processes transactions and withdrawals is a clear testament to the integrity of our platform.
- Issue Likely Originated Outside Liminal’s Infrastructure: Based on these findings, the likelihood of the issue originating from outside Liminal’s infrastructure and systems has increased. We reiterate that the product in question for this incident is our self-custody wallet infrastructure, wherein a majority of the private keys that control and operate the wallets remain with our clients on their infrastructure. In this product, Liminal can never initiate a transaction and all transactions always originate at our client’s end first.
At our end, we continue to press further with our investigations in order to conclusively rule out any other indicators of compromise within our infrastructure and devices. As part of our standard security protocols, both our internal and external teams are continuously engaged in screening all related as well as unrelated (to the incident) critical aspects of our platform.
In Summary
Liminal team has been hard at work conducting reviews that involve in-house examinations, alongside in-depth analyses by renowned independent auditors, providing a comprehensive and unbiased evaluation of Liminal’s security posture. Our unwavering focus on security and transparency remains our top priority and we are committed to keeping our platform robust and secure. Needless to say, we are further strengthening our security posture.
At Liminal, our focus remains steadfast on delivering a secure and trustworthy service that our community can rely on. We are grateful for the ongoing support and understanding of our users, and we are committed to emerging from this incident stronger and more resilient than ever before.
Our team has been working tirelessly to evaluate several scenarios to make Liminal more secure than ever before. We will continue to provide regular updates on the progress of our investigation.
Disclosures & Disclaimer
Liminal Custody is a compliant and insured digital asset custody and wallet infrastructure provider. Launched in April 2021, Liminal Custody is a CCSS Level 3 and ISO 27001 & 27701 certified organisation. Based in Singapore, Liminal Custody has operations spread across APAC MENA and Europe, along with offices in Singapore, India and UAE. Presently the company has received FSP licence from FSRA in ADGM and has Initial Approval(IA) from VARA. Liminal Custody takes pride in supporting businesses with its regulated and insured digital asset custody platform that enables stress-free safekeeping of digital assets for institutions. It also provides a cutting-edge wallet infrastructure platform that is secure, compliant and automated and comes with a plug-and-play architecture for faster onboarding of developers, business partners and government agencies.
This incident report is provided solely for informational purposes. Liminal accepts no liability for actions taken based on the information contained herein. The content of this report is based on the data available at the time of its creation and should not be construed as a legal determination of fault or responsibility. Liminal explicitly disclaims any warranties or guarantees, expressed or implied, regarding the information’s accuracy, completeness, or reliability. The report should not be used as the sole basis for any decision-making. All readers are advised to seek independent judgment to address specific concerns and conduct thorough investigations.
by Liminal
by Liminal