Liquid Warm Wallet Liquidated: Difference between revisions
Changes in this revision compared with the previous one (neither revision has an edit summary):
- The header template was changed from {{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/liquidwarmwalletliquidated.php}} to {{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/liquidwarmwalletliquidated.php}}. The {{Unattributed Sources}} template, the Liquid.jpg thumbnail and the description paragraph are unchanged.
- The run of fourteen <ref name="..." /> tags (cointelegraph-3350 through slowmisthacked-1160) that previously stood on its own line after the description was moved onto the end of the sentence "This exchange or platform is based in Japan, or the incident targeted people primarily in Japan."
- A new "Technical Details" section (guidance text only) was inserted before "Total Amount Lost".
- New sections were inserted after "Ongoing Developments": "General Prevention Policies" (the paragraph on multi-sig), and "Individual", "Platform" and "Regulatory Prevention Policies", each built from the {{Prevention:Individuals:Placeholder}} / {{Prevention:Individuals:End}} templates and their Platforms and Regulators counterparts.
- Three reference entries that previously carried a bare URL were given link titles: liquid-3354 (https://www.liquid.com/) became "Buy, Sell & Trade Cryptocurrencies | Liquid.com", liquid-3355 (https://www.liquid.com/company/) became "About Us | Liquid.com", and nasdaq-3362 became "Liquid Exchange Attack: Can a Crypto Wallet Ever Be 100% Safe From Hacks?". The liquidglobaltwitter-3353, siliconangle-3356, liquidblog-3361 and slowmisthacked-1160 entries are unchanged.
Revision as of 17:56, 2 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Liquid is one of the largest cryptocurrency exchanges globally. In August 2021 an attacker gained access to its MPC-managed warm wallets and drained roughly $91 million in some 69 different assets, most likely by simply requesting a series of withdrawals once inside the system. Although the wallets used threshold (MPC) signing, every approval factor was evidently under the attacker's control, which points to a single common interface that could authorize withdrawals on its own (a so-called "joke multisig"). Liquid moved its remaining assets to cold storage, has been re-enabling deposits and withdrawals gradually, and most assets are now back online. It has stated that no user will suffer a loss from the incident.
This exchange or platform is based in Japan, or the incident targeted people primarily in Japan.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]
About Liquid
"Founded in 2014, Liquid is one of the world's largest cryptocurrency-fiat exchange platforms serving millions of customers worldwide." "Liquid’s mission is to build a secure and modern-day cryptocurrency ecosystem for traders and consumers to learn, grow, and leverage the benefits of financial freedom that blockchain technology enables."
"We are consistently ranked among the top 10 cryptocurrency exchanges globally based on daily traded spot volume with deep BTC/JPY liquidity. We are focused on providing a great user experience & world-class service levels." "Buy and sell Bitcoin, Ethereum, XRP and many other cryptocurrencies with fiat or crypto." "Trade our spot and margin markets with advanced funding options, lightning fast execution and deep liquidity." "We accept deposits of major fiat currencies including USD, JPY, EUR, SGD, HKD, and AUD."
"We manage digital assets using a combination of cold wallets & Multi-party computation (MPC) technology." "We use the latest technologies to keep your funds safe, and stay ahead of vulnerabilities and exploitation attempts." "Using multi-party computing we are able to offer fast round-the-clock withdrawals while maintaining our rigorous security standards."
"On August 18, hackers stole a little over $90M in more than 69 different cryptocurrencies and tokens from Japan-based exchange Liquid Global." "The hacker managed to steal funds in BTC, ETH, TRX, and XRP."
"London-based blockchain analysis firm Elliptic said digital addresses identified by Liquid as belonging to the thief had totalled over $94 million here, including $45 million in tokens connected to the Ethereum blockchain."
"At roughly 7:50 AM SGT on August 19th, Liquid’s Operations and Technology teams detected unauthorized access of some of the crypto wallets managed at Liquid."
"A total of approximately 91.35mm USDe of crypto assets were moved out of Liquid wallets by an unauthorized party."
"In response to the compromise, Liquid said it is moving all assets into cold storage wallets for the time being. In addition, they suspended deposit and withdrawal services. The exchange also said they’re, “currently tracing the movement of the assets and working with other exchanges to freeze and recover funds.”"
"We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet. We are currently investigating and will provide regular updates. In the meantime deposits and withdrawals will be suspended."
"The culprit or culprits behind the attack haven’t been identified yet; however, according to Liquid’s blog (in Japanese), the attack vector could be traced back to a compromised wallet used by its Singaporean subsidiary QUOINE."
"This time, the MPC wallet (used for warehousing / delivery management of cryptographic assets) used by our Singapore subsidiary QUOINE PTE was damaged by hacking. The impact on us is currently being confirmed."
"Liquid Exchange used MPC technology provided by Israel-based Unbound Security, according to two sources familiar with the arrangement. Unbound is a highly respected cryptography company that is backed by Goldman Sachs and used by JPMorgan Chase in its Onyx blockchain-based services."
"According to Shaulov, Thursday’s attack on Liquid was probably related to a hack into the exchange’s system last November, when an attacker gathered data about the firm’s security setup."
“Although the attack was on their hot wallets that are based on MPC, my assumption is that this has nothing to do with MPC vulnerabilities,” Shaulov told CoinDesk.
"In Shaulov’s opinion, the exchange’s security policy was likely designed in such a way that the original hacker was able to bypass its entire approval process and instruct the wallets to withdraw coins, without affecting the private key."
“In my business, nothing is zero percent,” Shaulov said. “But the chances that the hacker was able to figure something out with Unbound’s MPC protocol are very, very slim.”
"Tal Be’ery, chief security officer of the MPC-powered ZenGo wallet, shared that view."
“Most likely it’s not the MPC, but some other problem,” he told CoinDesk via Telegram. “MPC enables users to effectively reduce the risk of key stealing by the factor of the different parties. So it can be 2X harder, 3X harder, etc., but not impossible.”
"16.13mm USDe of ERC-20 assets have been frozen (disabled for onchain movement) due to the assistance of the crypto community and other exchanges." "While about $16 million in assets from more centralized tokens have already been frozen according to Liquid, an analysis of the flow of funds shows that the hacker continues to swap stolen ERC-20 tokens for ETH and wETH through decentralized exchanges (DEXs). Swapping more centralized tokens into ETH will hedge against the possibility of additional frozen funds, while swapping into wETH will facilitate additional swaps."
"In total, the Japanese exchange platform estimates that 69 various cryptocurrency assets were misappropriated and forwarded to other exchanges or DeFi swapping venues."
"Two days after the hack, 6,005 of the ETH received in these swaps (worth almost $20 million) were sent to Tornado Cash, a cryptocurrency mixer that specializes on obfuscating transactions on the Ethereum blockchain."
"So far, we became aware of nine more addresses by the unauthorized party. We will be continuing to monitor the movement of funds with the support of other exchanges and partners."
"Liquid’s teams are still assessing the attack vector used and taking measures to mitigate the impact to users."
"On the day of the attack, we identified the attack vector used to gain unauthorized access to our MPC wallets, at which point we immediately resolved the breach."
"Deeper investigation into the attack and the identification of the responsible parties is ongoing. We are in contact with the relevant authorities in both Japan and Singapore regarding this incident."
"We have completed setting up our new MPC infrastructure with heightened security, and are now in the process of testing and migrating our assets to the new secure vaults. We expect to restore services early next week." "The process of testing and migrating our assets to the new MPC vaults is still underway. Additionally, we are liaising with external vendors to validate the security of the infrastructure further."
"We want to reassure our users that they will not suffer any loss due to the incident that took place on the 19th of August. There will be no impact on user balances at Liquid." "We would also like to reassure our customers that personal data was not compromised in any manner during the incident."
"We would like to announce the start of the gradual resumption of crypto deposit and withdrawal services on Liquid. Our main priority was to make certain we resumed in a safe and secure manner, and we appreciate your patience in this regard."
"FIO address services are back to being operational. You can use your FIO address for sending and receiving cryptocurrency."
"We want to reiterate that users should generate new deposit wallet addresses before transacting. The deposit addresses for all currencies are being changed as a security precaution."
"Liquid’s teams have yet to release a postmortem detailing the attack vector used by the hacker."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| August 18th, 2021 | Main Event | Liquid's operations and technology teams detected unauthorized access to the MPC-managed warm wallets (operated by the Singapore subsidiary QUOINE PTE) at roughly 7:50 AM SGT on August 19th, which is late on August 18th UTC. Approximately $91.35M USD-equivalent in some 69 assets was moved out to attacker-controlled addresses. Liquid suspended deposits and withdrawals, moved the remaining assets to cold storage, and began tracing the funds with other exchanges. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
No postmortem naming the attack vector has been published. What the sources above establish: the compromised wallets were MPC (multi-party computation) warm wallets used by Liquid's Singapore subsidiary QUOINE PTE, built on MPC technology reportedly supplied by Unbound Security; Liquid said it identified and closed the access vector on the day of the attack and later migrated to new MPC infrastructure. The analysts quoted above (Shaulov and Tal Be'ery) considered a break of the MPC protocol itself very unlikely. Their reading is that the attacker bypassed Liquid's withdrawal-approval process and instructed the wallets to sign withdrawals without ever obtaining the private key, possibly using knowledge of the security setup gathered during the November 2020 intrusion in which customer data was stolen.
Total Amount Lost
The total amount lost has been estimated at $91,350,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? Reported figures range from "over $80 million" in early coverage, to approximately 91.35 million USD-equivalent in Liquid's own incident report, to over $94 million (including about $45 million in Ethereum-based tokens) in Elliptic's analysis of the addresses Liquid attributed to the attacker; the sources do not reconcile these figures.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case. Approximately 16.13 million USD-equivalent in ERC-20 tokens was frozen (disabled for on-chain movement) with the help of other exchanges and the crypto community, but freezing is not recovery, and the attacker continued swapping the remaining tokens into ETH and wETH and sent 6,005 ETH through Tornado Cash. Liquid stated that user balances would not be affected.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Multi-sig (or MPC threshold signing) only adds protection when the approval factors are independent: separate keys, held by separate people or systems, behind separate credentials and separate security boundaries. Any system where all of the factors share a common path provides no additional protection, because compromising that path compromises them all. The most secure form of storage is a multi-sig with each key held by a trusted and reputable person, but even online systems can be made more secure by requiring the approval of separate systems with independent security setups. If there is a single interface anywhere that can approve a withdrawal by itself, the multi-sig is defeated.
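As an added illustration of this point and of the "joke multisig" described in the opening paragraph (this is example code written for this page, not Liquid's, Unbound's or any vendor's code), the following Python model sets up a 2-of-3 threshold wallet. Partial signatures are stood in for by HMACs keyed with per-party key shares; real MPC signing works differently, but what matters here is the approval path. In the first setup every party releases its share to whoever presents one shared interface token, so an attacker who takes over that single interface drains the wallet with a series of withdrawals. In the second, each party checks an approval made with its own operator's credential and enforces its own per-withdrawal limit, so the same compromise yields nothing, and the attacker has to compromise as many operators as the threshold requires. All names, secrets, limits and amounts are constructed for the example.

```python
"""Model of why threshold signing behind one common interface adds no protection.

Added example, not Liquid's code. HMAC stands in for a party's partial signature;
the approval-path problem is the same for a real MPC or multi-sig wallet.
All secrets, names, limits and amounts below are constructed (hypothetical).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

THRESHOLD = 2                                   # 2-of-3 shares release a withdrawal
PARTIES = ("party-a", "party-b", "party-c")
KEY_SHARES = {p: f"share-{p}".encode() for p in PARTIES}          # constructed
OPERATOR_SECRETS = {p: f"operator-{p}".encode() for p in PARTIES} # constructed
INTERFACE_TOKEN = b"one-token-every-party-trusts"                  # constructed
PER_PARTY_LIMIT = 50_000      # independent parties refuse larger single withdrawals


@dataclass(frozen=True)
class Withdrawal:
    asset: str
    amount: int
    dest: str

    def digest(self) -> bytes:
        return hashlib.sha256(f"{self.asset}|{self.amount}|{self.dest}".encode()).digest()


def _share(party: str, w: Withdrawal) -> bytes:
    """Stand-in for a party's partial signature over the withdrawal."""
    return hmac.new(KEY_SHARES[party], w.digest(), "sha256").digest()


def hot_party_sign(party: str, w: Withdrawal, token: bytes) -> Optional[bytes]:
    """'Joke multisig': every party trusts the same interface token, nothing else."""
    return _share(party, w) if hmac.compare_digest(token, INTERFACE_TOKEN) else None


def operator_approve(secret: bytes, w: Withdrawal) -> bytes:
    """An operator approves one specific withdrawal with their own credential."""
    return hmac.new(secret, w.digest(), "sha256").digest()


def independent_party_sign(party: str, w: Withdrawal, approval: Optional[bytes]) -> Optional[bytes]:
    """Each party verifies its own operator's approval and its own limit before releasing a share."""
    if approval is None or w.amount > PER_PARTY_LIMIT:
        return None
    if not hmac.compare_digest(approval, operator_approve(OPERATOR_SECRETS[party], w)):
        return None
    return _share(party, w)


def released(shares: List[Optional[bytes]]) -> bool:
    return sum(s is not None for s in shares) >= THRESHOLD


def drain_common_interface(withdrawals: Iterable[Withdrawal], stolen_token: bytes) -> int:
    """Attacker owns the single interface (and so its token) and requests withdrawals in series."""
    total = 0
    for w in withdrawals:
        if released([hot_party_sign(p, w, stolen_token) for p in PARTIES]):
            total += w.amount
    return total


def drain_independent(withdrawals: Iterable[Withdrawal], stolen_operator_secrets: Dict[str, bytes]) -> int:
    """Attacker owns the interface, but each party wants an approval only its operator can make."""
    total = 0
    for w in withdrawals:
        shares = []
        for p in PARTIES:
            secret = stolen_operator_secrets.get(p)
            shares.append(independent_party_sign(p, w, operator_approve(secret, w) if secret else None))
        if released(shares):
            total += w.amount
    return total


# Constructed attack: three withdrawals, each under the per-party limit, to an attacker address.
ATTACK = [Withdrawal("ETH", 40_000, "attacker-addr") for _ in range(3)]

if __name__ == "__main__":
    print("common interface compromised:      ", drain_common_interface(ATTACK, INTERFACE_TOKEN))
    print("independent, interface only:        ", drain_independent(ATTACK, {}))
    print("independent, one operator phished:  ", drain_independent(ATTACK, {"party-a": OPERATOR_SECRETS["party-a"]}))
    print("independent, two operators phished: ",
          drain_independent(ATTACK, {p: OPERATOR_SECRETS[p] for p in ("party-a", "party-b")}))
```

The last line of the run is the honest reading of the analyst remark quoted earlier that MPC makes theft "2X harder, 3X harder, but not impossible": independent approval paths raise the number of separate compromises needed to the threshold, whereas a shared path collapses it back to one.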
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Cointelegraph: BREAKING: Liquid exchange hacked to the tune of $80 million (Aug 25, 2021)
2. CipherTrace: Liquid Exchange Loses Over $90 Million in Warm Wallet Hack (Sep 15, 2021)
3. BeInCrypto: Japanese Crypto Exchange Liquid has Hot Wallets Hacked, Over $80M Stolen (Sep 15, 2021)
4. @Liquid_Global on Twitter, https://twitter.com/Liquid_Global/status/1428176357515612165 (Sep 15, 2021)
5. Liquid.com: Buy, Sell & Trade Cryptocurrencies, https://www.liquid.com/ (Sep 15, 2021)
6. Liquid.com: About Us, https://www.liquid.com/company/ (Sep 15, 2021)
7. SiliconANGLE: Customer data stolen in hack targeting cryptocurrency exchange Liquid, https://siliconangle.com/2020/11/18/customer-data-stolen-hack-targeting-cryptocurrency-exchange-liquid/ (Sep 18, 2021)
8. Reuters: Japanese crypto exchange Liquid hit by estimated $94 mln hack (Sep 21, 2021)
9. Liquid blog: Liquid Warm Wallet Incident Report (Sep 21, 2021)
10. Finance Magnates: Cryptocurrency Exchange Liquid Confirms Security Breach (Sep 21, 2021)
11. WeLiveSecurity: Hackers swipe almost $100 million from major cryptocurrency exchange (Sep 21, 2021)
12. Liquid blog (Japanese): 重要なお知らせ:ハッキング被害と暗号資産の入出庫停止について (Important notice: hacking incident and suspension of crypto-asset deposits and withdrawals), https://blog.liquid.com/ja/20210819-important-notice (Sep 21, 2021)
13. Nasdaq: Liquid Exchange Attack: Can a Crypto Wallet Ever Be 100% Safe From Hacks?, https://www.nasdaq.com/articles/liquid-exchange-attack%3A-can-a-crypto-wallet-ever-be-100-safe-from-hacks-2021-08-20 (Sep 21, 2021)
14. SlowMist Hacked - SlowMist Zone, https://hacked.slowmist.io/en/?c=Exchange (Jun 26, 2021)