$97 Million Liquid Exchange Hack
The Intelligent Insurer #30 — Hackers breach MPC wallet solution in Japan-based exchange Liquid
The recent hack of Japan-based cryptocurrency exchange Liquid highlighted how even sophisticated security systems can be breached. Hackers successfully stole $97 million from a robust wallet system. The attack appears to have been carried out through the use of data from an earlier hack in November 2020.
The hacker successfully breached a multi-party computation (MPC) wallet on the platform, a storage solution which has comparable security to cold wallets. In a blog post, Liquid stated that it’s MPC wallet which was used by its Singapore subsidiary Quoine Pte was successfully breached.
In the latest Intelligent Insurer, we highlight the details of the Liquid hack. We cover the aftermath of the attack and how centralized exchanges are blacklisting the addresses associated with the event. We also consider how those with digital asset insurance are eligible to be compensated. Before covering the implications of the Liquid hack, we will present our weekly development roundup.
Insured Finance Development Roundup
We are getting closer and closer to the alpha launch of the Insured Finance marketplace and the platform is looking better than ever! As we approach alpha launch, we are making rapid progress on the tech side while also considering our deployment and launching strategy.
In terms of tech, we have been making phenomenal progress in some of the following areas:
- We have integrated the Chainlink price feed on the Mumbai testnet
- After some internal tests on the backend, we have implemented improvements on several features related to insurance listings
- We are currently developing detailed documentation related to the Insurance marketplace
At Insured Finance, we have always prioritized security. In the near-term future, we will also be carrying out a smart contract audit to ensure that the marketplace is fully secure. We are getting closer to alpha launch and we will leave no stone unturned before we bring the highly anticipated marketplace to the masses.
Deposits and withdrawals suspended as Liquid investigation continues
On August 19th, Liquid reported that it had been hit with a major cyberattack, resulting in roughly $97 million being stolen. At the time, Liquid stated that they were still uncovering the details of the hack. In the meantime, the platform suspended all deposits and withdrawals while also transitioning funds to cold wallets.
Shortly after the initial announcement, the Liquid team tweeted that it was working with other exchanges to freeze the stolen funds. This statement was acknowledged by Johnny Lyu, the CEO of KuCoin, who stated that the hacker’s wallet addresses had been blacklisted by his exchange.
Given the blacklisting process, the hackers turned to decentralized exchanges (DEXs) to convert the stolen assets. According to reports, about $45 million of the stolen funds has already been converted using DEXs like Uniswap and SushiSwap.
One of the Ethereum addresses that has been associated with the attack has successfully converted the stolen funds into various lower-cap tokens. The attacker converted millions of the hacked funds into tokens such as ILK, KRL, and GYEN.
A significant amount of the funds have also been put through the Ethereum mixer Tornado Cash. Tornado Cash obfuscates the origins of the funds, allowing the attacker to circumvent the blacklists. For instance, 3,000 ETH was sent to one address which subsequently sent several batches of 100 ETH through Tornado Cash mixer. These funds will be received in a fresh address that will not be tied to the original hackers address.
Multi-party computation wallet intact but circumvented
MPC storage is considered to be one of the most secure wallet systems after cold wallets. Liquid’s MPC wallet is a warm wallet whose private key is generated by multiple independent parties. Every party is isolated, without access to the fragmented information of others.
The robust security of the MPC wallet system raised suspicions surrounding the Liquid hack. Some members of the community responded to the hack announcement with allegations of an inside job. Fireblocks CEO Michael Shaulov thinks that the recent incident could be a continuation of an earlier hack in November 2020 when hackers stole data about the platform’s security setup.
Those with digital asset insurance can be compensated
The Liquid hack reveals that even the most robust security systems in the cryptocurrency industry can sometimes be breached. Liquid users who had digital asset insurance will be eligible for compensation after the breach.
Solutions like Insured Finance allow digital asset holders to secure tailored insurance on their holdings. Those with assets on the Liquid exchange could easily have requested coverage on their holdings and have been quickly compensated in the aftermath of the attack.
At the time of writing, normal activities are yet to resume on Liquid. The team recently announced that they are on track to resume deposit and withdrawal activities but they will resume such activities with a staggered approach.
About Insured Finance
Insured Finance is a decentralized, peer-to-peer insurance marketplace. Insured Finance users can request customized insurance on a wide variety of digital assets. Those that fulfill requests earn premiums and can earn a competitive return on their capital. Claims are fully collateralized and settled instantly.