Cross-chain protocol Multichain bug gets exploited for $1.34 million

Quick Take

  • A bug in cross-chain protocol Multichain has been exploited for $1.34 million, according to researchers.
  • While the bug had already been fixed for new users, past users needed to take action to prevent themselves from being affected.

Cross-chain protocol Multichain (previously known as Anyswap) has been exploited for $1.34 million — according to security researchers PeckShield. This occured through a bug that the platform had recently dislosed.

On January 17, Multichain revealed that it had found a critical vulnerability and had fixed it. It said that the bug affected six tokens, including wrapped ether (WETH).

But the problem is that the protocol couldn't fix the bug from affecting past users who had interacted with the protocol. Instead, this required users to manually go to their wallets and revoke permissions that they had previously given to the protocol. Multichain said that these users should do this immediately otherwise their assets would remain at risk.

It appears that many users have not done so and the bug is now being exploited.

"Someone is exploiting this literally *right now*. If you haven't revoked approvals yet you should probably do so before it's too late," tweeted a Paradigm researcher known as Samczsun.

Following the publication of this story, Multichain confirmed that the bug is being exploited and reiterated that users need to revoke approvals to keep their funds safe.

Multichain is the largest cross-chain swap protocol, looking after $8.3 billion in its smart contracts. It runs across 10 blockchains and supports 1,366 tokens. (For a detailed primer on how cross-chain swaps work, see here.)

PeckShield identified that the funds have been transferred to a single blockchain address.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.