Crypto exchange Liquid, one of Japan’s most popular exchanges, is now short $97 million in total assets after a cyber attack that pulled funds directly from the wallets of some of its customers.
In 2020 Japan amended its Payment Services Act (PSA) and Financial Instruments and Exchange Act (FIEA) to put certain regulations on cryptocurrency in the country, primarily requiring crypto exchanges to separate the money of users from their own internal finances. This generally means the use of offline “cold wallets” or outsourcing this function to a third party, but some Japanese crypto exchanges keep “hot wallets” and meet regulatory requirements by holding the same type and quantity of all user assets so that reimbursements can be issued directly when necessary. This is the option that Liquid went with, and the company has suspended asset deposits and withdrawals as it sorts out the situation.
A month for major crypto exchange heists
Liquid lost $45 million in Ethereum in the cyber attack in addition to about $52 million divided between Bitcoin, XRP and a variety of stablecoins (such as Tether). Liquid has not confirmed the full amount lost in the attack, with the $97 million estimate coming from outside blockchain analytics firm Elliptic.
Tweets from Liquid indicate that the cryptocurrency exchange is still investigating the situation and has not yet issued any information on how the attack was pulled off. In addition to temporarily suspending deposits and withdrawals, Liquid has moved all existing funds to more secure offline cold wallets.
The situation is shaping up to be a major problem for the popular cryptocurrency exchange, as security researchers have observed that the stolen Ethereum tokens are being converted to Ether via decentralized exchanges to evade the possibility of freezing. The situation calls to mind the very recent breach of decentralized finance platform Poly Network, which was hit for $610 million (making it, at least initially, the biggest cryptocurrency heist in history). However, it seems unlikely this story will play out the same way. The Poly Network hacker (referred to as “White Hat”) began returning funds within a day, claiming that they were only demonstrating a vulnerability and never intended to keep the money. Poly Network issued an update Monday morning indicating that it had recovered all of those funds. The Liquid attack occurred just before the weekend, and thus far there is no indication of who might have been the culprit or that they have any intention of giving back any tokens.
Liquid cyber attack vector still unknown
Liquid says that it is working with outside firms to track the movement of the stolen assets and freeze them where possible. It appears that all deposits and withdrawals save those involving fiat currencies will stay frozen until the fallout of the cyber attack is sorted out. The company did confirm on Monday that about $16 million in ERC-20 assets had been successfully frozen.
The only substantial crumb of information the crypto exchange has released thus far is that the cyber attackers were targeting specific wallets, but taking a wide variety (some 69) of coin types. A blog post in Japanese revealed that MPC wallets used by Singapore-based subsidiary Quoine were the ones attacked. This is a particularly interesting point, as MPC (multi-party computation) is a relatively new technology seen as highly secure: the key material and the signing protocol are split into pieces held and executed by multiple parties, so that no single party or outside observer ever has access to all of the necessary pieces at once. There is strong interest in MPC beyond the cryptocurrency space; traditional banks are looking at it, as are some countries feeling out ideas for online voting systems. Major financial players that have acquired MPC companies recently include PayPal and BNY Mellon.
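The threshold idea behind the MPC wallets mentioned above, as an added illustration that is not Liquid's or Quoine's code: a plain Shamir secret-sharing split, which is the simplest relative of the threshold signature protocols MPC wallets actually run (those never reassemble the key on one machine; this example reconstructs it only to show the property). The field prime, the 2-of-3 and 3-of-5 parameters, and the small prime 17 used for the brute-force check are all assumptions chosen for the demonstration.

```python
import itertools
import secrets

# secp256k1 field prime, large enough to hold a 256-bit signing key.
# Assumed here for illustration; any prime larger than the secret works.
DEFAULT_PRIME = 2**256 - 2**32 - 977


def _eval_poly(coeffs, x, prime):
    """Horner evaluation of a polynomial (lowest coefficient first) mod prime."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % prime
    return result


def split_secret(secret, threshold, shares, prime=DEFAULT_PRIME):
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` points
    recover it; fewer than `threshold` reveal nothing about it."""
    if not 1 <= threshold <= shares < prime:
        raise ValueError("need 1 <= threshold <= shares < prime")
    if not 0 <= secret < prime:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(threshold - 1)]
    # Share x=0 is never issued: that point *is* the secret.
    return [(x, _eval_poly(coeffs, x, prime)) for x in range(1, shares + 1)]


def recover_secret(points, prime=DEFAULT_PRIME):
    """Lagrange interpolation at x = 0 over the given (x, y) points.
    Correct only when at least `threshold` distinct shares are supplied."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        secret = (secret + yi * num * pow(den, -1, prime)) % prime
    return secret


def consistent_secrets(partial_shares, threshold, prime):
    """Brute force over a small field: which constant terms could a
    degree-(threshold-1) polynomial have while still passing through
    every share given? With fewer than `threshold` shares the answer is
    'all of them', i.e. the shares carry no information about the key."""
    found = set()
    for coeffs in itertools.product(range(prime), repeat=threshold):
        if all(_eval_poly(coeffs, x, prime) == y for x, y in partial_shares):
            found.add(coeffs[0])
    return sorted(found)


if __name__ == "__main__":
    # Constructed example: a 3-of-5 custody split of a random 256-bit key.
    key = secrets.randbelow(DEFAULT_PRIME)
    sh = split_secret(key, threshold=3, shares=5)
    print("any 3 shares recover the key:", recover_secret(sh[:3]) == key)
    print("2 shares do not:", recover_secret(sh[:2]) == key)
    # Small-field check that a sub-threshold holder learns nothing.
    small = split_secret(5, threshold=2, shares=3, prime=17)
    print("secrets consistent with one share:", consistent_secrets(small[:1], 2, 17))
    print("secrets consistent with two shares:", consistent_secrets(small[:2], 2, 17))
```

The property that matters for the attack vector discussed later holds only while fewer than `threshold` share holders are compromised: the mathematics gives no protection once an attacker inside the operator's network can reach enough of the parties, or the software that coordinates them, to obtain the pieces legitimately. That is why an intruder who has mapped the internal network is more likely to route around an MPC wallet than to break it.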
John Callahan, CTO of Veridium, provided some further insight on the types of crypto exchange wallets that were reportedly attacked: “Regarding the Japan Liquid Global Exchange warm wallet heist: presumably, these are custodial wallets managed on the exchange for clients. Further details will be forthcoming but I wonder if private keys stored in the clear (or with a common key for all clients) instead of via a vaulted KMS with biometric consent to prevent hijacking the warm wallet even on the server? By blacklisting the addresses receiving the stolen funds it will help trace the transfers but could get very messy quickly as they chase the transfers around the globe and across chains.”
Though this is pure speculation at this point, the current cyber attack on Liquid’s crypto exchange may be related to one that was successfully executed back in November. That cyber attack saw an unknown party breach employee email accounts and then move into the internal network. No funds went missing, but it is possible the attacker came across confidential information about the crypto exchange’s security. If this is the case, the attacker most likely would not have compromised the MPC protocol but instead found a way to skip entirely around it within Liquid’s internal network.