Decoding Wazirx Multisig Wallet’s $235M Exploit

2024-07-20 Quill Audits

https://www.quillaudits.com/blog/hack-analysis/wazirx-235m-hack


QuillAudits analyzes the July 2024 WazirX theft, where attackers stole more than $235 million by turning a Safe multisig wallet upgrade path against the exchange. The attackers deployed a phishing contract eight days before the theft, collected the required four-of-six approvals through compromised or deceived signers, and used a failed fake USDT transfer to gather signatures without immediately moving funds. With those signatures, they executed a delegatecall that changed the proxy's slot 0 implementation pointer to a malicious contract, redirecting later transactions to attacker-controlled wallets. The report notes suspected Lazarus involvement but grounds the technical finding in the contract upgrade abuse, fake Liminal UI, signer deception, and subsequent ETH-heavy asset consolidation.
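
An added illustration, not code from the QuillAudits report or from Safe: a toy Python model of why a delegatecall executed by the proxy can overwrite its slot 0 implementation pointer, together with a pre-signing check and a slot 0 monitor a defender could apply. The addresses, the allowlist and the function names are constructed for this example; the operation values 0 (call) and 1 (delegatecall) follow Safe's transaction format.

```python
# Added illustration: a toy model, not Safe's or WazirX's actual code.
from dataclasses import dataclass, field

CALL, DELEGATECALL = 0, 1   # Safe's Enum.Operation values
SINGLETON_SLOT = 0          # a Safe proxy keeps its implementation address in slot 0

@dataclass
class Account:
    address: str
    storage: dict = field(default_factory=dict)

def overwrite_slot0(storage, new_impl):
    """Stand-in for callee code that writes storage slot 0."""
    storage[SINGLETON_SLOT] = new_impl

def execute(proxy, target, operation, new_impl):
    """CALL runs the callee on its own storage; DELEGATECALL runs it on the caller's."""
    context = proxy if operation == DELEGATECALL else target
    overwrite_slot0(context.storage, new_impl)

def review_safe_tx(tx, delegatecall_allowlist):
    """Pre-signing policy: return the reasons a signer should refuse this transaction."""
    findings = []
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value")
    if tx["operation"] == DELEGATECALL and tx["to"].lower() not in delegatecall_allowlist:
        findings.append("delegatecall to non-allowlisted target " + tx["to"])
    return findings

def singleton_changed(before, after):
    """Monitoring check: did the proxy's slot 0 pointer change across a transaction?"""
    return before.get(SINGLETON_SLOT) != after.get(SINGLETON_SLOT)

# Constructed sample values (placeholders, not addresses from the incident).
GOOD_IMPL, EVIL_IMPL = "0x" + "aa" * 20, "0x" + "ee" * 20
UNKNOWN_TARGET = "0x" + "bb" * 20
ALLOWLIST = {"0x" + "cc" * 20}  # hypothetical set of vetted delegatecall targets

def demo():
    proxy = Account("0x" + "11" * 20, {SINGLETON_SLOT: GOOD_IMPL})
    target = Account(UNKNOWN_TARGET)
    tx = {"to": UNKNOWN_TARGET, "value": 0, "data": "0x", "operation": DELEGATECALL}
    findings = review_safe_tx(tx, ALLOWLIST)  # what the signer should see first
    before = dict(proxy.storage)
    execute(proxy, target, tx["operation"], EVIL_IMPL)  # outcome if it is approved anyway
    return findings, singleton_changed(before, proxy.storage), proxy.storage[SINGLETON_SLOT]

if __name__ == "__main__":
    print(demo())
```

The same write issued as a plain call lands in the target's own storage and leaves the proxy untouched, which is why the operation field deserves review before signing.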

Indicators of Compromise

Type Value First Seen Last Seen
HASH 000000000000000000000000ef279c2… 2024-07-20 2024-07-20
