Multichain Recovers Some Stolen ETH After Hit by $1.9M Exploit
Multichain suffered a major exploit.
By: Samuel Haig •Byte
Multichain, the cross-chain bridge formerly known as Anyswap, has suffered a seven-digit exploit, the project’s team reported on Jan. 18.
The team further tweeted on Jan 20 that 602.7 ETH (roughly $1.9M) has been stolen, with the damages falling after about 259 ETH were returned by a white-hat hacker. The sum of stolen funds has increased from 445 ETH two days ago, despite the team’s efforts to notify users of the vulnerability.
While many pundits believe a multi-chain dapp ecosystem holds the key to unlocking a scalable future for crypto and decentralized finance, the complexity of cross-chain applications has proved vulnerable to hackers so far. Multichain suffered a separate exploit worth $8M in July, and cross-chain DEX THORChain has been hacked multiple times since launching last year.
Multichain reported the vulnerability on Jan. 18, and urged users to revoke wallet permissions allowing the dapp to spend six tokens: WETH, PERI, OMT, WBNB, MATIC, or AVAX. Two days later, the team is still imploring past users to revoke the permissions, as hackers are continuing to drain funds as a result of the vulnerability.
“All the users’ wallets that haven’t revoked the approval of these six tokens are in danger,” Multichain later wrote in a Jan. 19 blog post. “These six tokens in your address are always at risk, risk will be eliminated instantly upon revoking approvals.”
“All assets on both V2 Bridge and V3 Router are safe,” they added. “All cross-chain transactions can be done safely as usual.”
Affected users can revoke wallet approvals using the following link. The team noted that users must be connected to either Avalanche or Binance Smart Chain to revoke the permissions affected by the incident.
Multichain added that the vulnerabilities in question have been addressed in freshly compiled smart contracts which will be launched at a “later” date. The six affected tokens have been delisted from the platform for now.
The Multichain team continues to monitor the vulnerability. Affected users were notified via the team’s social channels, banner ads hosted on Etherscam, Polygonscan, and BSCscan, and on-chain messages.
Multichain was launched as a cross-chain DEX dubbed Anyswap in July 2020, before abandoning its exchange and focussing on asset bridges from early 2021. The protocol has since deployed on 14 different networks and emerged as a top ten protocol by cross-chain TVL.