Amid outrage, WazirX says its plan to ‘socialise’ $230 mn security breach not legally binding

Affected by the recent $230 million breach by North Korean hackers and subsequent outrage after its recent "socialising of losses" plan, crypto platform WazirX has clarified its poll is a "preliminary step" to understanding the opinions of its investors and is not "legally binding" upon the users or the WazirX platform.

This poll is not final, says the company, adding that it is designed to gather "feedback, better understand views, and then take action that is "best".

"Our team is currently reviewing your inputs to devise a plan incorporating your collective voice and ensuring a fair and effective outcome. We will keep updating you as we refine our approach based on your suggestions. We will soon share a feedback form to help us better understand the direction that aligns with the community's best interests," a statement reads. The company says it needs more time to work on resolution due to the scale of the cyberattack.

WazirX CEO Nischal Shetty says the company is also exploring possibilities of launching some new project that can help where we can airdrop tokens to our affected customers. "But, these solutions take time. Which is why we wanted to see if there's a faster to first open the platform and then apply these solutions," he says in the latest video message via X.

WazirX's "multi-sig wallets" experienced a massive security breach on July 18, which involved a loss of funds exceeding $230 million. This wallet was operated utilising the services of Liminal's digital asset custody and wallet infrastructure from February 2023.

WazirX had earlier said that the compromised wallet had six signatories—five from our WazirX team and one from Liminal, who were responsible for transaction verifications. "The cyber attack stemmed from a discrepancy between the data displayed on Liminal's interface and the transaction's actual contents. During the cyber attack, there was a mismatch between the information displayed on Liminal’s interface and what was actually signed," the company said, adding that it suspects the payload was replaced to transfer wallet control to an attacker.

In the latest statement, Liminal Custody, a Singapore-based wallet infrastructure company, says its preliminary probe points to a "customer level compromise" via a sophisticated intrusion. "We want to unequivocally state that Liminal’s platform, infrastructure, wallets, and assets remain completely secure. Our operations have not been disrupted, and we continue to process transfers and withdrawals for all customers without interruption," the company clarifies.

The company says it has engaged independent CERT-certified, third-party experts to conduct thorough forensic audits, which will be backed by published reports. "Alongside we also continue to be engaged with relevant authorities. As a wallet infrastructure support platform, we emphasise that this incident originated from an external source, underscoring the crucial need for comprehensive security measures across platforms to minimise risk."

The company says the product in question for this incident is its "self-custody wallet" infrastructure, wherein a majority of the private keys that control and operate the wallets remain with its clients on their infrastructure. "In this product, Liminal can never initiate a transaction. Transactions always originate at our client’s end."

Meanwhile, reports say WazirX has called in global crypto player Binance to bail out the affected customers after the security breach. Changpeng Zhao-led Binance controls WazirX's WRX tokens, which it can use to pay back customers affected by the breach.

WazirX had announced a "socialise" loss strategy last weekend. Under this, it offered two options to manage the remaining assets, each with specific benefits and conditions. Option A allowed customers to trade and hold crypto, with priority for recovery and no withdrawals. Option B allowed trade and withdrawals, but low priority on recovery. Under the WazirX's "socialise" plan, 55% of user crypto assets will be made available for trading and/or withdrawals, depending upon the option that one selects, while the remaining 45% will be converted to USDT-equivalent tokens and locked.

The WazirX's decision to "socialise" losses backfired and angered many investors. "This should be the end of WazirX. The idea is that the company saw a theft for which they will charge all their users. The legal way is to take all of their own money first and then the rest of the losses can be distributed. Basically, liquidate it through NCLT," says Deepak Shenoy, CEO, CapitalMind, said on X.

Another user, Arjun Vijay (arjunvijay89) wrote he had deep discussions with fellow entrepreneurs in the crypto ecosystem. "We uncovered a lot of flaws in the proposed plan, in both option A and option B. The solution that has been proposed has not been drafted with the customer in mind. Their priority has been to protect the platform at the expense of the customers."