Hacker steals $200,000 through Multichain bug, offers to return 80% to victim

Quick Take

  • A bug in the Multichain protocol, which affects users who haven’t revoked permissions, has been exploited for $1.5 million.
  • One hacker stole $200,000 but is offering to return most of the funds to the original owner.

The ongoing exploitation of the cross-chain protocol Multichain has now totaled $3 million, according to ZenGo co-founder Tal Be'ery.

A bug in the protocol is being exploited by multiple blockchain wallets, with either one hacker or many behind the attacks.

One of the hackers, who has stolen $200,000 through this bug, has expressed some remorse. They claim to be a whitehat hacker and have offered to return 80% of the funds that they took.

This hacker said in a blockchain transaction, "whitehat here, send me the tx you lost your weth, I give 80% back. The rest is the tips for me saving your money." Multichain has since replied to the hacker, hoping that they will return the funds to a blockchain address that they specified in the message.

It is unknown whether this particular hacker was behind any of the other thefts. When asked if this hacker also owned the wallet that stole $1.43 million through this exploit, Multichain told The Block that it was possible. Be'ery said, "Cannot really know."

Multichain is a cross-chain protocol for swapping tokens across blockchains. The existence of the Multichain bug was first revealed by the project itself on January 17. While the project said it had fixed the bug, which affected six tokens including wrapped ether (WETH), it still impacted previous users of the protocol.

Anyone who had used the protocol previously needed to revoke permissions to the application in order to keep their funds safe from this specific attack. Despite Multichain's warning, many users failed to do so.

Yesterday, the Multichain team reached out to the original address (that stole $1.43 million) via a message in a blockchain transaction. The message stated that the project offers a bounty for exploits, implying the hacker should give the funds back and receive a bounty. So far, that message has not received a direct response.

One user who lost nearly $1 million in the hack is offering the person who stole those funds 50 ETH ($156,000) as a tip if they return the rest, as noticed by Be'ery.

Update: This story has been updated with the latest figure for the Multichain hack.

© 2023 The Block. All Rights Reserved.