Multichain, formerly Anyswap, is a "cross-blockchain router protocol" (CRP) designed to streamline the swapping and exchange of digital tokens for users across blockchains while reducing transaction fees. However, funds have been stolen through the Multichain Bridge because of a vulnerability in the network. Although Multichain quickly fixed the vulnerability, users who previously granted permissions to six particular tokens still have their assets at risk. Keep reading to learn more about the incident.
How did the Multichain CRP protocol get compromised?
The Multichain "cross-chain router protocol" has been exploited by hackers, due to a vulnerability in the network.
Before the attack, Multichain made an announcement urging users to revoke all the permissions granted to 6 different tokens to protect their assets from malicious exploitation, owing to the bug detected on the network. The tokens were WETH (Wrapped Ethereum), PERI (PERI Finance), OMT (official Mars token), AVAX (Avalanche), WBNB (Wrapped BNB), and MATIC (Polygon).
The protocol later announced that the vulnerability had been fixed, but when it received a report that the bug was being exploited and that the stolen funds were worth $1.34M, the firm again reminded its users to revoke permissions and pinned to its Twitter account a link to a Medium post that outlines how to remove the approvals.
This announcement encouraged hackers to exploit the vulnerability and the situation began to escalate, leading to a continuous increase in stolen funds. The attack is still ongoing, and it won't subside as long as there are people who haven’t revoked their previous permissions.
Tal Be’ery, a cybersecurity analyst, later called out Multichain on Twitter for how it handled the vulnerability, claiming that publicizing the problem before fully alerting the users gave the hackers an edge and prompted them to start extorting funds.
Be'ery later created a Dune Analytics dashboard to monitor the attack and reported in his recent tweets that the stolen funds have now risen to about $4.6M. However, a user who lost $960k offered the hacker’s address 50 ETH in exchange for the remaining funds. The hacker later returned 259 ETH, which is approximately $813k, and kept the remaining $150k as a tip for returning the money.
There have been other major attacks since the exploitation began on the 18th of January. The first attack led to a loss of 456 ETH ($1.1 million). The second took another 433 ETH ($1 million), but 320 ETH ($780,000) was returned after conversing with the victim. The third attack led to a loss of 391 ETH ($943,000), and other minor attacks have continued to this day.
In total, a sum of 1778 ETH ($4.6 million) has been lost to the attacks, while about 320 ETH ($780,000) has been returned. Blockchain security firm PeckShield also identified an address that holds 455 ETH in stolen funds, which is approximately $1.million. Afterwards, Multichain reached out to the attackers and offered them a ransom, a "bounty for exploits," as stated in Be’ery's recent tweets.
Meanwhile, victims are still in panic mode as they wonder whether the firm will refund their money. There are also complaints that hackers are impersonating the firm in order to steal even more money from users. However, Multichain has still not commented on the whole situation and has since turned off the comment section on its Twitter account.
A report was later published by Dedaub, a blockchain security firm that had previously disclosed the vulnerability to Multichain. In the Medium post, Dedaub confirmed that "$431 million in WETH could have been stolen in a single transaction from just three victim accounts if the vulnerability had been fully exploited. The risk on the other networks, i.e. Binance Smart Chain, Polygon, Avalanche, and Fantom, including other wrapped tokens was also estimated at $40 million." As a matter of fact, "the potential practical impact (had the vulnerability been fully exploited) is arguably in the billion-dollar range" (Dedaub).
Author: Gate.io Observer: M. Olatunji
Disclaimer:
* This article represents only the views of the observers and does not constitute any investment suggestions.
* Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.