On July 18, Indian cryptocurrency exchange WazirX was hacked and funds were stolen from its multi-signature wallet on the Ethereum network. A total of $234.9 million was transferred to new addresses, and the caller of each transaction was funded through Tornado Cash.



Subsequently, WazirX officially responded to the theft on X: “We have noticed that one of our multi-signature wallets has suffered a security vulnerability. Our team is actively investigating the incident. In order to ensure the safety of user assets, INR and cryptocurrency withdrawals will be temporarily suspended, and further updates will be provided in the future.”



What assets were stolen?


According to Lookonchain monitoring, about $230 million in assets was stolen from the Indian crypto trading platform WazirX, mainly:


5.43 trillion SHIB (about $102 million);

15,298 ETH (about $52.5 million);

20.5 million MATIC (about $11.24 million);

640.27 billion PEPE (about $7.6 million);

5.79 million USDT;

135 million GALA (about $3.5 million), etc.



Image source: Lookonchain


Tracking the flow of funds


Address detection


According to on-chain analyst Ember, these stolen assets are being sold for ETH through the addresses 0x35f...5ca (WazirX Exploiter 2) and 0x90c...1fd (WazirX Exploiter 3), and then the ETH is transferred to the address 0x361...092 (WazirX Exploiter 4).


Stolen assets storage address (WazirX Exploiter 1):


https://debank.com/profile/0x04b21735e93fa3f8df70e2da89e6922616891a88/history



On-chain asset sale address (WazirX Exploiter 2/3):


https://debank.com/profile/0x35febc10112302e0d69f35f42cce85816f8745ca
https://debank.com/profile/0x90ca792206ed7ee9bc9da0d0df981fc5619f91fd



ETH storage address obtained from selling assets (WazirX Exploiter 4):


https://debank.com/profile/0x361384e2761150170d349924a28d965f0dd3f092


The transfer path of stolen assets, source: Ember

Tracking asset sales


2024-07-18 16:19

Possibly in response to the news that "WazirX's stolen assets include SHIB worth more than 100 million US dollars", SHIB fell by more than 5% in a short period and was quoted at $0.00001758.


2024-07-18 16:41

The WazirX attacker has started selling SHIB and has sold $618,000 worth of SHIB so far, leaving $95.45 million worth of SHIB.


Investigation progress


On July 18, Beosin Alert detected that the Indian trading platform WazirX had been attacked. The attacker obtained the signature data of the platform's multi-signature wallet administrator, modified the wallet's logic contract, and made the wallet execute incorrect logic to steal assets.


Attacker address: 0x6eedf92fb92dd68a270c3205e96dccc527728066;

Attacked address: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4.


Based on the attacker’s behavior, the suspected cause is a leak of the multi-signature wallet administrator’s private key. Beosin briefly analyzes the cause of the attack as follows:


1. The attacker deploys the attack contract: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4. The function of this contract is to extract the token assets specified in this contract.


2. The attacker obtains the signature data of the WazirX multi-signature wallet administrator and modifies the wallet's logic contract to the deployed attack contract. The corresponding transaction is: https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d


3. The attacker submits a token withdrawal transaction to the WazirX multi-signature wallet. Because the wallet follows the proxy pattern, the wallet contract uses delegatecall to call the relevant functions of the attack contract and transfer the wallet's tokens.
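
One way a defender could watch for the logic-contract change described in the steps above, as an added example that is not part of the original article or of Beosin's analysis: it compares successive readings of a proxy wallet's logic-contract pointer against an approved set. The addresses, the snapshot format and the function names are constructed assumptions, and fetching the readings from a node is left out.

```python
import re
from dataclasses import dataclass

# Constructed placeholder addresses (assumptions, not values from the incident).
APPROVED_LOGIC = {"0x" + "11" * 20}
UNKNOWN_LOGIC = "0x" + "ee" * 20


@dataclass(frozen=True)
class Snapshot:
    block: int
    slot_value: str  # logic-contract pointer as read from the proxy's storage


def to_address(value: str) -> str:
    """Normalize a 20-byte address or a left-padded 32-byte storage word."""
    hexpart = value.lower()
    if hexpart.startswith("0x"):
        hexpart = hexpart[2:]
    if not re.fullmatch(r"[0-9a-f]{40}|0{24}[0-9a-f]{40}", hexpart):
        raise ValueError(f"not an address or padded storage word: {value!r}")
    return "0x" + hexpart[-40:]


def logic_changes(snapshots, approved):
    """Alert when the pointer changes, or when the first reading is unapproved."""
    approved = {to_address(a) for a in approved}
    alerts, previous = [], None
    for snap in sorted(snapshots, key=lambda s: s.block):
        current = to_address(snap.slot_value)
        changed = previous is not None and current != previous
        if changed or (previous is None and current not in approved):
            alerts.append({"block": snap.block, "old": previous,
                           "new": current, "approved": current in approved})
        previous = current
    return alerts


# Constructed sample: the pointer is stable for two blocks, then is replaced.
SAMPLE = [
    Snapshot(102, "0x" + "00" * 12 + UNKNOWN_LOGIC[2:]),
    Snapshot(100, "0x" + "00" * 12 + "11" * 20),  # 32-byte storage word
    Snapshot(101, "0x" + "11" * 20),              # same address, 20-byte form
]

if __name__ == "__main__":
    for alert in logic_changes(SAMPLE, APPROVED_LOGIC):
        print(alert)
```
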


BlockBeats will keep a close eye on the dynamics on the chain and provide readers with timely information on the sale of stolen assets and subsequent feedback from the trading platform.