News
Multichain hack’s losses grow to $3M following ‘worst way to treat vulnerability’
Hacks and scams within the crypto-industry took $14 billion
from users in 2021, according to a recent report. While many hoped the new year won’t bring more bad news, it would seem that this may just be the start.Base layer
Cross-chain router protocol Multichain (formerly Anyswap) is currently trending, although for all the wrong reasons.
2/If you have ever approved any of these 6 tokens, pls log in https://t.co/S9nDfrM1eO asap to revoke the approvals, otherwise, your assets are at risk.
— Multichain (Previously Anyswap) (@MultichainOrg) January 17, 2022
On 17 January, Multichain Bridge Protocol discovered a bug or rather a critical vulnerability on its network. Security firm Dedaub reported to Multichain that users who had approved permissions for WETH, PERI, OMT, WBNB, MATIC, and AVAX on Multichain’s bridging router were at risk of hackers draining their funds. At the time, to avoid losses, the Multichain team advised users to cancel all of the approvals given to the specified tokens.
In fact, Multichain published a step-by-step tutorial on how users can easily revoke approvals. Furthermore, the blog reported that all assets on its V2 Bridge and V3 Router were safe. Users could carry out cross-chain transactions as usual.
Later down the line, however, Blockchain security firm PeckShield investigated the affected protocol. As per its investigation, a total of 445 WETH (> $1.4M) was affected.
More on the way
Well, that’s what hackers thought of this situation. The aforementioned episode took an interesting turn. Hackers continued to exploit the vulnerability in the cross-chain bridge Multichain.
In fact, they went on to steal about $3 million in cryptocurrencies, according to a report by Vice. Calling the incident “the worst way to treat a vulnerability,” Vice’s Franceschi-Bicchierai tweeted,
“The hack against Multichain users keeps getting worse.”
According to Tal Be’ery, the co-founder of the ZenGo wallet, the stolen amount amounted to,
The @MultichainOrg hack is far from being over.
Over the last hours more than additional $1M stolen, rising the total stolen amount to $3M.
One victim lost $960K!https://t.co/fYhYxUojB8 pic.twitter.com/Gvh5hB6t6s— Tal Be'ery (@TalBeerySec) January 19, 2022
Alas, that’s not it. Different reports have now emerged signalling at the lack of transparency from the affected protocol’s side. For instance, consider this – Chainlink commentator and podcast host ChainLinkGod.eth 2.0 alerted the same in a tweet. He included screenshots from a Medium post indicating that “funds were safe and unsafe at the same time”.
I can’t be the only one who’s incredibly confused by @MultichainOrg’s messaging here
Schrodinger‘s funds, both safe and unsafe at the same time pic.twitter.com/AW8s8aAhHk
— ChainLinkGod.eth 2.0 (@ChainLinkGod) January 19, 2022
In addition to this, “drarreg17” asked Multichain what it is going to do to “compensate users like myself who were affected by the exploits?” However, the protocol is yet to reply to the request.
Worth noting though that the company reached out to the original address that has been holding over 450 ETH in stolen funds since 17 January. Furthermore, the project offered the hacker/hackers a bug bounty “for exploits.”
Seems like @MultichainOrg reached out to the attackers offering them "bounty" (or in other words, actually paying ransom)https://t.co/DzUGUF3vX0 https://t.co/iKLh0HCBXG pic.twitter.com/yC3QEeiZhJ
— Tal Be'ery (@TalBeerySec) January 18, 2022
Not all gloomy
Last week, the Multichain team announced that its daily transaction volume had surpassed $500 million, thanks to people transferring their funds to the Fantom network. Meanwhile, as per Defi Lama, the protocol handles >$9 billion worth of assets across 14 different blockchains.
Well, one thing is clear. Given the TVL stat, the protocol needs to bounce faster and avoid losing any more funds.