The WazirX Hack: How FailSafe Would Have Saved $235M in User Funds

Overcoming Multisig Vulnerabilities with FailSafe

On July 18, 2024, WazirX, a cryptocurrency exchange based in India, experienced a security breach resulting in the theft of approximately $235 million in digital assets.

In this article, we provide a detailed technical breakdown of the attack and demonstrate how FailSafe, the industry’s leading threat monitoring and response solution, could have detected and stopped the attack.

Technical Breakdown & Timeline

1. Preparation on July 8, 2024 (10 Days Before the Exploit):
   • Attacker wallets were funded by Tornado Cash, as discovered by ZachXBT.
   • The attacker performed several test transactions on July 10, 2024.
2. Collecting Signatures to Perform Malicious Upgrade:
   • While it is still unclear how the compromise occured, one thing is certain: the attacker obtained multiple signatures from signers of the multisig to perform a malicious upgrade that would allow them to drain funds from the targeted multisig wallet.
3. Multisig Upgrade and Transfers:
   • Using the collected signatures, the attacker was able to perform an upgrade on the multisig wallet. The upgrade resulted in a malicious version that redirected all subsequent transactions to the attackers.

FailSafe: Stopping the Attack

Access Control Guard: Stopping Malicious Upgrades

FailSafe’s Access Control Guard would have added a critical layer of defense on the Safe multisig wallet by enforcing granular controls on privileged transactions. Key features include:

• Signer and Device Verification: Enforce that privileged transactions (such as ownership changes) are signed only from a select set of signers, with pre-approved devices and IP ranges. Malware-compromised signers would have been flagged and blocked.
• Anomaly Detection: Identifying deviations from typical signing patterns or device behavior, preventing fake Safe UI transactions from slipping through unnoticed.
• Veto Malicious Transactions: Blocking unauthorized operations, such as the upgrade to malicious pool contracts.

Real-Time Risk Monitoring: Detecting Contract Ownership Takeover

FailSafe’s Risk Monitoring System would have identified the proposed ownership change of the multi-sig contract—a key step in the attack. Upon detecting the unauthorized modification, FailSafe would have:

• Triggered Protective On-Chain Responses: Automatically initiating emergency actions, such as moving funds to cold storage or pausing vulnerable smart contracts, neutralizing the threat before it escalated.
• Alerting Key Personnel: Ensuring real-time notifications to stakeholders for validation, preventing malicious execution.

Protect Your Protocol: Take Action Today

The WazirX hack highlights the growing sophistication of blockchain threats and the need for cutting-edge security solutions. FailSafe’s monitoring, access controls, and real-time threat response provide the tools necessary to defend against these evolving threats, protecting protocols and user assets.