In the wake of the $230 million hack at WazirX, CoinSwitch parent Peepal Co CEO Ashish Singhal shed light on how his company would have approached a similar crisis.
The first order of business, according to Singhal, lies in user repayments. After the breach, WazirX proposed distributing losses across its user base by returning only 55% of users’ holdings and locking 45% in USDT-equivalent tokens–a plan which sparked significant backlash as unaffected users felt unfairly penalised.
Addressing the idea of socialised loss strategies like the one WazirX employed, Singhal argued that the first priority should always be to fully protect the users. “If you can, as a company, make your users whole, that is the best case scenario,” he said in a conversation with YourStory.
Singhal believes that companies should absorb losses internally when possible. “You, as a company, absorb the impact. You go into the market and see how you can continue to innovate and earn more revenue to make up for the loss that has happened,” he emphasised.
Outlining potential strategies, Singhal recommended a tiered approach to handling a financial breach. First, if the company cannot fully cover losses immediately, it should take partial responsibility. “How can part of it (repayments to users) be utilised from company treasury and part of it be, you know, maybe shares in the company, maybe future revenue that the company generates?” he suggested.
In more severe cases, finding a buyer or going through liquidation would help minimise user losses. “The process may take a bit longer, but it ensures that users will at least get the minimum of what they are supposed to get, plus something extra,” Singhal explained.
Reflecting on WazirX’s hack, Singhal highlighted how certain security measures, especially those involving disabling “raw signing” help shield from the kind of risks WazirX faced. “Raw signing,” or Raw Transactions in cryptocurrency, refers to transactions that are created manually, typically using command-line interfaces, before being broadcast to the blockchain.
These transactions are “raw” because they have not been signed or verified yet, and they contain the necessary inputs (such as previous transaction outputs) and outputs (such as recipient addresses and amounts).
They are used in cases where custom transaction parameters are required, like complex multisig operations. However if a user is tricked into signing a fraudulent raw transaction (for instance, through malware), they could inadvertently send funds to an attacker.
According to Singhal, the practice may have played a major role in the crypto-heist. “Raw signing is a double-edged sword… you don’t know what you’re signing,” he added.
He also noted that CoinSwitch regularly audits and evolves its cybersecurity practices, collaborating with leading custody providers and learning from peers in the crypto industry. “Through this hack, we got validation that our cybersecurity processes were always right,” he stated.
In July 2024, WazirX, a prominent Indian cryptocurrency exchange, suffered a major cyberattack that resulted in the theft of over $230 million worth of digital assets from one of its multisig wallets. The attack involved hackers using Tornado Cash, a decentralised cryptocurrency mixer, to launder the stolen funds through Ethereum-compatible networks.
Following the breach, WazirX froze withdrawals and announced plans to reverse all trades and restore balances to their pre-hack state as of July 18, 2024. The company is also working with law enforcement and cybersecurity agencies, including CERT-In and the Intelligence Bureau, to investigate the incident. Despite these efforts, approximately 43% of WazirX’s users were impacted.
Earlier in October, the company said that it was in the process of forming a Committee of Creditors (COC) to aid the company’s restructuring process and pay back funds to users.
In August, CoinSwitch initiated legal action against WazirX to recover around Rs 81 crore in funds stuck on the platform following the cyberattack on WazirX.
CoinSwitch is seeking to retrieve Rs 12.4 crore in Rs 28.7 crore in ERC20 tokens, and Rs 39.9 crore in other tokens. These assets represent about 2% of CoinSwitch’s total funds.
