Walkthrough — WazirX Hack

The Incident Unfolds

Cipheras
3 min read · Jul 20, 2024

On 18th July 2024, reports surfaced of a breach of WazirX's security. Details initially remained sketchy, but it soon became evident that there had been a hack and that digital assets worth $234 million had been transferred out.

According to a report by Cyvers (a web3 cybersecurity company), WazirX held 50% of user funds in the hot wallet that was compromised.

Img: Cyvers Dashboard

Breakdown of Hacked Assets

SHIB — $96.7M

ETH — $52.6M

MATIC — $11M

PEPE — $7.6M

USDT — $5.7M

FLOKI — $4.7M

OTHERS — $56.7M

Addresses associated with the Hacker:

0x6EeDF92Fb92Dd68a270c3205e96DCCc527728066

0x04b21735E93Fa3f8df70e2Da89e6922616891a88

0x35febC10112302e0d69F35F42cCe85816f8745CA

0x90ca792206eD7Ee9bc9da0d0dF981FC5619F91Fd

0x361384e2761150170D349924A28d965f0Dd3F092

Bounty

Arkham announced a bounty of 5000 ARKM tokens on the Arkham platform for anyone who fulfils any of the following three conditions:

  1. Identifying a KYC centralized exchange deposit
  2. Revealing the identity of the exploiter
  3. Successful efforts to return funds

Img: Arkham Bounty

The bounty was claimed by Investigations By ZachXBT (X handle: @ZachXBT) by submitting definitive proof of a KYC-linked deposit address used by the exploiter. The deposit address was found to belong to Binance.

Img: X Post

TTPs (Tactics, Techniques & Procedures) Used by the Hackers

The whole hack appears to have started 8 days before the day the funds were transferred.

Initial Access

The attacker somehow slipped a malicious smart contract into WazirX's actual deployment code, then waited until WazirX pushed this malicious contract to the Ethereum blockchain in place of their original smart contract. MultiSig wallets are upgraded from time to time by deploying the upgraded smart contracts onto the blockchain.

Privilege Escalation

The attacker used a “data to delegate” call to delegate permission to their own smart contract hosted on the Ethereum blockchain. They now had permission to change the data in WazirX's MultiSig wallet smart contract.

Img: Tx of data to delegate call

Lateral Movement & Credential Access

As a test, the attacker sent SHIB worth $10 and $29 USDT; this was 8 days before the day of the fund transfer.

Img: Tx of SHIBA transfer

WazirX uses 6 keys for their MultiSig wallet, of which at least 3 must sign for a transaction to succeed. Through the transactions above, the attacker collected the signatures.

Exfiltration

At this point the attacker had both the permission to change WazirX's wallet smart contract and the collected signatures. Using those signatures, the attacker changed the code in the WazirX wallet smart contract so that no signature was needed for any transaction any more. The attacker transferred all funds on 18th July, 8 days after gaining initial access.

Img: Txs of funds transfer
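The chain described above, modelled as an added example that is not code from the original post, from WazirX or from its wallet provider: a toy 3-of-6 multisig in Python where a signed delegatecall runs attacker-controlled code against the wallet's own storage and zeroes the signing threshold, after which a transfer needs no signatures at all; the same wallet with `allow_delegatecall=False` refuses that step, and its nonce check stops a collected signature from being replayed. Owner keys, address labels and amounts are constructed, and HMAC and SHA-256 stand in for ECDSA and keccak256.

```python
import hashlib
import hmac
from collections import namedtuple
CALL, DELEGATECALL = 0, 1
# to: destination label (constructed), data: for CALL the amount as ASCII digits, nonce: replay guard
Tx = namedtuple("Tx", "to data operation nonce")

def tx_digest(tx):
    # Signers commit to target, operation and nonce, not only the amount a UI displays.
    # SHA-256 stands in for the EVM's keccak256; this is a simulation, not EVM code.
    return hashlib.sha256(f"{tx.to}|{tx.operation}|{tx.nonce}|".encode() + tx.data).digest()

def sign(owner_key, tx):
    # HMAC over the digest stands in for an ECDSA signature (owner keys are constructed).
    return hmac.new(owner_key, tx_digest(tx), "sha256").digest()

class Multisig:
    def __init__(self, owners, threshold, balance, allow_delegatecall):
        self.owners, self.threshold, self.balance = owners, threshold, balance
        self.allow_delegatecall, self.nonce = allow_delegatecall, 0

    def _valid(self, tx, sigs):
        return sum(1 for n, s in sigs.items()
                   if n in self.owners and hmac.compare_digest(s, sign(self.owners[n], tx)))
    def execute(self, tx, sigs, delegated_code=None):
        if tx.operation == DELEGATECALL and not self.allow_delegatecall:
            return "rejected: delegatecall not permitted"  # guard a treasury wallet should keep
        if tx.nonce != self.nonce:
            return "rejected: bad nonce"  # a collected signature cannot be replayed
        if self._valid(tx, sigs) < self.threshold:
            return "rejected: insufficient signatures"
        self.nonce += 1
        if tx.operation == DELEGATECALL:
            delegated_code(self)  # runs against the wallet's own storage, like EVM delegatecall
            return "delegated"
        self.balance -= int(tx.data)
        return f"sent {int(tx.data)} to {tx.to}"

def zero_threshold(wallet):
    wallet.threshold = 0  # what delegated code can do to the calling wallet's storage

def scenario(allow_delegatecall):
    # Constructed 3-of-6 wallet: three owners sign a "test" tx that is really a delegatecall, then a drain is tried with no signatures.
    keys = {f"owner{i}": bytes([i]) * 32 for i in range(1, 7)}
    w = Multisig(keys, 3, 1000, allow_delegatecall)
    probe = Tx("attacker-impl", b"10", DELEGATECALL, 0)
    sigs = {n: sign(keys[n], probe) for n in ("owner1", "owner2", "owner3")}
    first = w.execute(probe, sigs, delegated_code=zero_threshold)
    second = w.execute(Tx("attacker-wallet", b"1000", CALL, w.nonce), {})
    return first, second, w.balance
```

The practical check this models is that every signer verifies the operation type and target of what they sign, not just the displayed amount, and that the wallet itself refuses delegatecalls it has no reason to allow.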

The entity behind this hack has been identified as North Korea's Lazarus Group. WazirX has released a preliminary report, which can be found at the link below:

Preliminary Report: Cyber Attack on WazirX Multisig Wallet — WazirX Blog
