Role of Multisig Wallets in Crypto Security: Lessons from WazirX-Liminal $230 mn Theft

The Role of Multisig Wallets in Crypto Security

Multisig wallets are used to safely and securely store user assets.

This is a common practice adopted by various top crypto exchanges. But what is a multisig wallet?

What is a multisig wallet?

Think of it as a digital vault that needs multiple keys to unlock. Unlike a regular crypto wallet, where one key is enough to authorize transactions, a multisig wallet requires approval from several designated users—typically something like 3 out of 5 or 4 out of 6 signatures—to get the job done.

This extra layer of security makes multisig wallets a go-to choice for exchanges or groups. By requiring consensus from multiple parties, it significantly reduces the risk of unauthorized transactions. However, they are not without risks.

If the private keys aren’t properly managed or are distributed through a flawed protocol, the security of a multisig wallet can be compromised. And if a malicious actor gets their hands on even one of those keys—like what happened with WazirX and Liminal—the consequences can be severe, potentially leading to the loss of access or even complete loss of funds.

Let’s explore what happened in the WazirX-Liminal situation.

On July 18, a major security breach shocked the crypto world, targeting one of WazirX’s multisig wallets under the management of Liminal Custody.

WazirX, one of India’s leading cryptocurrency exchanges, had placed its trust in Liminal Custody—a well-known name in crypto wallet custody services. With nearly $230 million in digital assets under Liminal’s care, the platform was seen as a fortress of security. However, despite Liminal’s stringent security measures and strict whitelisting policies, hackers exploited a vulnerability and stole over $230 million in crypto.

This incident marks a significant chapter in the crypto narrative, especially in India, and will undoubtedly be remembered when people talk about the grand theft of crypto assets.

So, how did the breach happen?

WazirX and Liminal didn’t mess around when it came to security—they built a rock-solid system with six signatories overseeing every transaction.

Five were trusted WazirX signatories, while Liminal held the power of the sixth. Here’s how it worked: first, three WazirX signatories had to give the green light. Then, the transaction went to Liminal for a final, meticulous sign-off. No shortcuts, just airtight checks at every step.

However, despite these stringent security measures, hackers reportedly found a flaw in Liminal’s interface. They exploited this vulnerability, manipulating backend details and bypassing the strict whitelisting process meant to safeguard the multisig wallet.
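The approval flow described above (three of five exchange signatories, then the custodian's sign-off, with a destination whitelist) can be re-checked independently of any interface by validating the payload that was actually signed. The sketch below is an added example, not code from WazirX, Liminal or this article; it assumes HMAC-SHA256 as a stand-in for real digital signatures, and every key, address and function name in it is constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 is a stand-in for real digital signatures.
EXCHANGE_KEYS = {f"exchange-{i}": f"demo-key-{i}".encode() for i in range(1, 6)}
CUSTODIAN_KEYS = {"custodian": b"demo-key-custodian"}
ALL_KEYS = {**EXCHANGE_KEYS, **CUSTODIAN_KEYS}
EXCHANGE_THRESHOLD = 3  # three of the five exchange signatories
ALLOWLIST = {"0xALLOWLISTED_DEST_A", "0xALLOWLISTED_DEST_B"}  # placeholder addresses


def tx_digest(tx: dict) -> bytes:
    """Digest of the canonical form of the exact payload being approved."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).digest()


def sign(signer: str, tx: dict) -> str:
    return hmac.new(ALL_KEYS[signer], tx_digest(tx), hashlib.sha256).hexdigest()


def authorize(tx: dict, approvals: dict) -> tuple:
    """approvals maps signer id -> signature. Returns (ok, reason)."""
    if tx.get("to") not in ALLOWLIST:
        return False, "destination not on allowlist"
    # Count only known signers whose signature covers this exact payload.
    valid = {s for s, sig in approvals.items()
             if s in ALL_KEYS and hmac.compare_digest(sign(s, tx), sig)}
    if len(valid & set(EXCHANGE_KEYS)) < EXCHANGE_THRESHOLD:
        return False, "exchange quorum not met"
    if not valid & set(CUSTODIAN_KEYS):
        return False, "custodian co-signature missing"
    return True, "authorized"


def demo() -> list:
    shown = {"to": "0xALLOWLISTED_DEST_A", "amount": "10", "nonce": 7}
    signers = ["exchange-1", "exchange-2", "exchange-3", "custodian"]
    good = {s: sign(s, shown) for s in signers}
    return [
        authorize(shown, good),                            # full quorum
        authorize(dict(shown, to="0xUNLISTED"), good),     # destination changed
        authorize(dict(shown, amount="9999"), good),       # payload changed after approval
        authorize(shown, {s: good[s] for s in signers[1:]}),   # two exchange signers
        authorize(shown, {s: good[s] for s in signers[:3]}),   # no custodian
    ]
```

Because each approval is bound to the digest of the full payload, approvals collected for one transaction do not count toward a different one, whatever a front end displayed.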

Is any forensic analysis under way?

Following the cyber attack on WazirX’s multisig wallet, WazirX quickly took decisive action. They kept their users informed at every stage, worked closely with law enforcement, filed an FIR, and enlisted a globally renowned cybersecurity firm to conduct a thorough forensic investigation. After a month of detailed analysis, the firm stated, “We did not find evidence of compromise on the three laptops used for signing transactions.”

In stark contrast, Liminal Custody stated on Monday, September 9, that an independent audit conducted by Grant Thornton has cleared them of any involvement in the $230 million cyberattack that occurred on July 18, 2024. According to Liminal Custody, the breach of the multi-signature (multi-sig) wallet was most likely due to vulnerabilities at WazirX’s end, not their own.

In this article, we have been discussing a multisig wallet and how it was compromised. But the question is how to ensure optimal security with a multisig wallet. Let’s find out.

How to ensure optimal security with a multisig wallet?

First, the key to securing a multisig wallet lies in how you distribute those all-important private keys. You’ll want to make sure they’re shared among trusted parties and stored with the utmost care. The transaction threshold should be set high enough so that your wallet remains safe even if one or two keys are compromised.

Another smart move? Keep those private keys geographically or virtually separated. This way, it’s much harder for anyone to get their hands on multiple keys at once.

End-to-end encryption during wallet creation and key distribution is also essential. Ideally, you should share private key data with several trusted individuals, each storing their portion separately. 

The way you store your wallet matters, too. While hot storage (cloud-based solutions) might seem convenient, it also increases your exposure to online threats. On the other hand, cold storage or encrypted hardware devices offer a much more secure alternative, drastically lowering the risk of hackers getting their hands on your private keys.

Finally, consider working with trusted third parties for data storage or consulting with security experts before setting up your wallet and generating those keys. This can provide that extra layer of assurance that your multisig wallet is as secure as possible. That means a trusted third party who understands the importance of owning up to their mistakes if a discrepancy arises.

What are the latest developments in the $230 million cyberattack?

In the wake of the cyberattack, Zettai Pte Ltd. filed a Moratorium Application in Singapore’s High Court. This move is designed to buy time, allowing Zettai the breathing room to develop a restructuring plan.

A moratorium isn’t just a simple pause; it’s a legal shield that prevents creditors from taking action against Zettai while it figures out a solution. For users, this means they won’t be able to withdraw their crypto from the platform for now. While it may not be the outcome users hoped for, this could be the quickest path to recovery.

Though the moratorium might not be what users had in mind, it could be their best bet. As the process unfolds, users must decide whether supporting this strategy is in their best interest.

About the Author: FI Online