Multichain vulnerability put a billion dollars at risk, says firm that found the bug

Quick Take

  • The security firm that disclosed the Multichain bug has published a blog post providing further details.
  • Dedaub claims that, if it hadn’t largely been prevented, the bug could have led to the loss of $1 billion.

The Multichain bug that has led to the theft of $2 million in crypto (so far) could have been “enormous,” according to the company that disclosed the vulnerability last week.

Blockchain security firm Dedaub, which disclosed the bug on January 10, has published a blog post providing more details. It said that the amount of money at risk could have been worth more than $1 billion.

“Given the above, the potential practical impact (had the vulnerability been fully exploited) is arguably in the billion-dollar range. This would have been one of the largest hacks ever—given the theoretically unbounded threat, we are not getting into more detailed comparisons,” said Dedaub.

Multichain (formerly Anyswap) is a cross-chain protocol that lets its users swap tokens across blockchains. According to Dedaub, the bug created two major vulnerabilities in two of the protocol's contracts. It affected a handful of accounts holding very large sums, a bridge between the Ethereum and Fantom blockchains, copies of the same contracts deployed on other blockchains, and 5,000 addresses that had interacted with the Multichain protocol.

Dedaub said $431 million in WETH could have been stolen in a single transaction from just three victim accounts if the vulnerability had been fully exploited.

The main would-be victim account, the AnySwap Fantom Bridge, was holding over $367 million in WETH by itself, said Dedaub. It estimated the risk on the other networks, i.e., Binance Smart Chain, Polygon, Avalanche, and Fantom, at around $40 million.

“The threat was enormous and multi-faceted — almost ‘as big as it gets’ for a single protocol,” Dedaub wrote.

The attack is still ongoing

While the largest pools of funds (the "honeypots") were secured ahead of time, Multichain could not protect users who had granted the protocol permission to spend their tokens. When it disclosed the bug, it told those users that they needed to revoke these permissions or their funds could be stolen.

Although the platform urged users to do so, many did not revoke in time and were exploited. The attack remains ongoing for as long as there are users who have not revoked these permissions.

There have been three main attackers taking advantage of the exploit so far. The first took around 450 ETH ($1.1 million). The second took another 450 ETH ($1.1 million) but returned 320 ETH ($780,000) after conversing with the victim. A third took 250 ETH ($600,000).

Other attackers have also taken smaller amounts. The true number of attackers could be higher or lower than this, since the count is based on unique addresses per exploit rather than on knowing who was behind each address.

In total, around 1150 ETH ($2.8 million) has been lost to the attacks, while about 320 ETH ($780,000) has been returned, with a net loss of over $2 million.

“When so much is at stake, web3 projects need to think beyond passive defenses (i.e. auditing, bounties) and add more active compensating controls to identify attacks when they happen and then automatically respond in a way that would immediately protect their funds,” said ZenGo co-founder Tal Be'ery.

Six tokens on the router contract — wrapped ether (WETH), wrapped Binance coin (WBNB), Polygon (MATIC), Avalanche (AVAX), Official Mars (OMT) and Peri Finance (PERI) — were and still are at risk. That means any Multichain user who has approved any of the contracts for these six tokens needs to revoke those approvals, or else their tokens remain in danger of being lost.
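The mitigation described above comes down to checking whether a spender contract still holds a non-zero ERC-20 allowance from your address and, if it does, setting that allowance to zero. The following is an added example, not code from the article, Multichain or Dedaub: it encodes the `allowance(owner, spender)` call and the `approve(spender, 0)` revoke calldata by hand; the addresses are constructed placeholders and the RPC transport is a stub so it runs offline.

```python
# Added example, not code from the article, Multichain or Dedaub: check whether an
# owner still has a non-zero ERC-20 allowance for a spender contract and build the
# approve(spender, 0) calldata that revokes it. Addresses are constructed
# placeholders and the JSON-RPC transport is stubbed so the script runs offline.

# ERC-20 function selectors: first 4 bytes of keccak256 of the signature.
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)

def _addr_word(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")

def allowance_calldata(owner: str, spender: str) -> bytes:
    """Calldata for eth_call to token.allowance(owner, spender)."""
    return ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)

def revoke_calldata(spender: str) -> bytes:
    """Calldata for the transaction that sets the spender's allowance to zero."""
    return APPROVE_SELECTOR + _addr_word(spender) + (0).to_bytes(32, "big")

def decode_uint256(ret: bytes) -> int:
    if len(ret) != 32:
        raise ValueError("expected a 32-byte uint256 return value")
    return int.from_bytes(ret, "big")

def revokes_needed(owner, spender, tokens, eth_call):
    """Return {token: allowance} for each token whose allowance is still non-zero.
    eth_call(token, calldata) -> bytes stands in for JSON-RPC eth_call."""
    pending = {}
    for token in tokens:
        allowance = decode_uint256(eth_call(token, allowance_calldata(owner, spender)))
        if allowance:
            pending[token] = allowance
    return pending

# Constructed offline stand-in for eth_call: two of three tokens still approved.
OWNER = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20
TOKENS = {"0x" + "aa" * 20: 2**256 - 1,   # unlimited approval left in place
          "0x" + "bb" * 20: 0,            # already revoked
          "0x" + "cc" * 20: 5 * 10**18}   # 5 tokens (18 decimals) approved

def fake_eth_call(token, calldata):
    assert calldata[:4] == ALLOWANCE_SELECTOR, "unexpected selector"
    return TOKENS[token].to_bytes(32, "big")
```

For a live check, replace `fake_eth_call` with a function that posts `eth_call` to an RPC endpoint with `to` set to the token address and `data` set to the calldata, then send `revoke_calldata(spender)` as the transaction data to each token still listed.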


© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
