
WazirX Exchange Breach Exposes Multi-Signature Wallet Vulnerabilities in $235 Million Heist

Just days after one of the largest centralized exchange hacks of 2024, the cryptocurrency community is still reeling from the scale and sophistication of the WazirX breach. On July 18, attackers drained approximately $235 million from India’s largest domestic cryptocurrency exchange, exposing critical weaknesses in multi-signature wallet infrastructure that had been considered industry standard. As Bitcoin trades at $68,154 and Ethereum holds steady at $3,536, the incident serves as a stark reminder that even well-funded exchanges remain vulnerable to determined adversaries.

The Exploit Mechanics

The attack on WazirX targeted an Ethereum hot wallet managed through Liminal Custody’s digital asset custody infrastructure. According to public statements from the exchange, the attackers exploited the multi-signature authorization process itself rather than breaking cryptographic protections. The hacker persuaded multiple current signatories to modify a smart contract that governed transaction approvals, effectively replacing the legitimate authorization logic with one controlled by the attacker.

This social engineering component proved to be the critical vulnerability. Rather than attempting a brute-force attack on the wallet’s encryption, the attackers manipulated the human element in the multi-sig approval chain. By the time the breach was detected at 06:19 UTC on July 18, the attacker had already begun draining tokens from the compromised wallet address.

The stolen assets represented approximately 50% of WazirX’s total holdings, amounting to over INR 1,900 crores. The attacker systematically converted stolen tokens into ether across dozens of wallets and chains, using anonymity-focused exchanges and wrapped tokens to obscure the origin of funds.

Affected Systems

The breach primarily affected WazirX’s Ethereum-based hot wallet, which stored a diverse range of ERC-20 tokens and ether. The multi-signature setup, managed in partnership with Liminal Custody, was designed to prevent exactly this type of unauthorized withdrawal. However, the attack demonstrated that even well-architected custody solutions can be compromised when the approval mechanism itself is subverted.

WazirX immediately froze all trading and withdrawals on the platform in response to the attack. The exchange, founded in 2018 by Nischal Shetty, Siddharth Menon, and Sameer Mhatre, had built a reputation for a pro-compliance stance and regulatory transparency, regularly publishing AML reports and compliance updates.

The Mitigation Strategy

In the aftermath, blockchain analytics firms moved quickly to track the stolen funds. Crystal Intelligence blocklisted the destination address at 06:48 UTC, within 29 minutes of the initial attack. WazirX managed to freeze approximately $3 million of the stolen assets through coordinated efforts with other exchanges and custody providers.

The broader mitigation response highlighted several key areas where the industry needs improvement. First, multi-signature wallet implementations must incorporate time-locks and delayed execution for high-value transfers. Second, custody providers need independent verification mechanisms that cannot be bypassed through social engineering of existing signatories. Third, real-time monitoring systems must be capable of detecting anomalous contract modifications before funds can be moved.
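The three controls above can be combined into a single gate that runs after signatures are collected and before execution. The sketch below is an added example, not code from WazirX or Liminal Custody; the thresholds, delays, addresses and field names are all hypothetical, and it assumes that authorization changes reach the wallet either as a delegatecall or as a call to the wallet's own address.

```python
from dataclasses import dataclass

# Constructed policy values and addresses; tune to your own custody setup.
WALLET = "0x" + "aa" * 20            # the multisig wallet being protected
HIGH_VALUE_WEI = 100 * 10**18        # transfers at or above this are delayed
TRANSFER_DELAY_S = 6 * 3600          # time-lock for high-value transfers
GOVERNANCE_DELAY_S = 48 * 3600       # time-lock for authorization changes
CALL, DELEGATECALL = 0, 1            # EVM operation kinds

@dataclass
class Proposal:
    to: str
    value_wei: int
    operation: int
    queued_at: int               # unix time the proposal entered the queue
    oob_verified: bool = False   # confirmed by a reviewer outside the signer set

def changes_authorization(p: Proposal, wallet: str = WALLET) -> bool:
    # DELEGATECALL executes foreign code against the wallet's own storage;
    # a call to the wallet itself is assumed to be how signers, threshold
    # or approval logic are changed.
    return p.operation == DELEGATECALL or p.to.lower() == wallet.lower()

def evaluate(p: Proposal, now: int, wallet: str = WALLET):
    """Return (allowed, reasons) for a proposal that already has its signatures."""
    reasons = []
    age = now - p.queued_at
    if changes_authorization(p, wallet):
        if not p.oob_verified:
            reasons.append("authorization change lacks independent verification")
        if age < GOVERNANCE_DELAY_S:
            reasons.append("authorization-change time-lock not elapsed")
    elif p.value_wei >= HIGH_VALUE_WEI and age < TRANSFER_DELAY_S:
        reasons.append("high-value transfer time-lock not elapsed")
    return (not reasons, reasons)

def demo():
    now = 1_000_000
    other = "0x" + "bb" * 20
    queue = {  # constructed sample proposals
        "routine payout": Proposal(other, 10**18, CALL, now - 60),
        "large transfer": Proposal(other, 500 * 10**18, CALL, now - 3600),
        "logic swap": Proposal(other, 0, DELEGATECALL, now - 49 * 3600),
    }
    return {name: evaluate(p, now) for name, p in queue.items()}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(name, "ALLOW" if ok else "HOLD", why)
```

The "logic swap" case is the one that matters here: it carries enough signatures and has waited out its delay, yet it is still held because no reviewer outside the signer set has confirmed it.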

Lessons Learned

The WazirX hack carries several critical lessons for the entire cryptocurrency ecosystem. Multi-signature wallets, while superior to single-key setups, are only as secure as their authorization logic. When attackers can modify the smart contract governing approvals, the number of required signatures becomes irrelevant. The incident also underscores the persistent risk of third-party custody arrangements, where security depends on both the exchange and the custody provider maintaining robust controls simultaneously.

For users, the lesson is clear: not your keys, not your coins. Even exchanges with strong compliance records and sophisticated custody partners can fall victim to determined attackers. The $235 million lost represents real user funds that may never be fully recovered.

User Action Required

If you held funds on WazirX, monitor official communications from the exchange regarding the recovery process and any planned compensation mechanisms. For all cryptocurrency users, this incident should prompt a reassessment of how much of your portfolio is held on centralized exchanges versus in self-custody solutions. Hardware wallets combined with properly secured seed phrases remain the strongest defense against exchange-level breaches. Additionally, consider diversifying across multiple exchanges and custody solutions rather than concentrating assets in a single platform.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


10 thoughts on “WazirX Exchange Breach Exposes Multi-Signature Wallet Vulnerabilities in $235 Million Heist”

  1. deadcatbounce

    social engineering to modify the smart contract itself is next level. not a hack in the traditional sense, more like a con

    1. socially_engineered

      deadcatbounce is correct. this was a confidence scheme not a hack. the distinction matters for insurance and legal purposes too

  2. Liminal Custody needs to explain how multiple signatories were persuaded. That is the real scandal here.

    1. Fatima asking the right question. how do multiple signatories get persuaded to change contract logic without anyone raising a flag internally

      1. persuading multiple signatories to change the authorization logic is an inside job until proven otherwise. too coordinated for external

        1. multisig_ghost coordinated social engineering on multiple signatories simultaneously. either inside job or the attacker had intimate knowledge of internal processes

  3. Liminal custody needs to publish a full post-mortem. $235M and all we got was vague statements about modified smart contracts

    1. Liminal published a vague blog post and that's it. $235M gone and the custody provider owes everyone a full post-mortem

    2. haruki liminal published a blog post that basically said we are investigating. 235M gone and the custody provider went into corporate hiding mode
