An independent audit by Grant Thornton found no evidence that Liminal Custody’s infrastructure was involved in the $230 million WazirX hack.
Grant Thornton’s audit found that Liminal Custody, the Singapore-headquartered crypto custodian, was not the main source for the $230 million hack of WazirX, indicating the breach has originated “outside of Liminal’s infrastructure,” the company said in a Sept. 9 blog post.
The breach, which occurred in July, allowed attackers to siphon off more than $230 million in cryptocurrencies.
WazirX, which has since moved its assets to new multi-signature wallets, had initially pointed to discrepancies between Liminal’s interface and transaction data. However, an audit by Grant Thornton reportedly found no evidence of compromise in Liminal’s infrastructure, though Liminal Custody has not publicly shared the audit findings.
“Grant Thornton conducted a detailed assessment of Liminal’s infrastructure and have informed us that Liminal’s frontend and backend infrastructure is secure, with no evidence of any compromise or vulnerabilities related to the transaction workflow.”
Liminal Custody
No breach from Liminal side
Liminal highlighted that discrepancies between the data payloads generated by its system and those received from the client suggested two possible sources for the breach: either vulnerabilities within the client’s infrastructure or the custodian’s frontend systems. The company added that it is still awaiting an “end-to-end review from our auditors.”
The company noted that its multi-signature wallet model ensures that client keys remain with customers, adding that users “can never initiate a transaction and all transactions always originate at our client’s end first.”
Following the exploit, WazirX tried to institute a “socialized loss strategy,” which would have seen users access 55% of their funds with the remaining 45% held by the exchange in Tether (USDT) equivalent tokens. However, the proposal was met with widespread outrage, with users accusing the exchange of trying to avoid taking full responsibility for the losses incurred from the hack. Subsequently, WazirX was forced to backtrack on the plan, asking for more time to work on a resolution.