The Multichain bug that has led to the theft of $2 million in crypto (so far) could have been “enormous,” according to the company that disclosed the vulnerability last week.
Blockchain security firm Dedaub, which disclosed the bug on January 10, has published a blog post providing more details. It said that the amount of money at risk could have been worth more than $1 billion.
“Given the above, the potential practical impact (had the vulnerability been fully exploited) is arguably in the billion-dollar range. This would have been one of the largest hacks ever—given the theoretically unbounded threat, we are not getting into more detailed comparisons,” said Dedaub.
Multichain (formerly Anyswap) is a cross-chain protocol that allows its users to swap tokens across blockchains. According to Dedaub, the bug led to two major vulnerabilities in two blockchain contracts. The bug impacted a few accounts looking after huge sums of money, a bridge between the Ethereum and Fantom blockchains, some of the same contracts on other blockchains and 5,000 addresses that had interacted with the Multichain protocol.
Dedaub said $431 million in WETH could have been stolen in a single transaction from just three victim accounts if the vulnerability had been fully exploited.
The main would-be victim account, the AnySwap Fantom Bridge, was holding over $367 million in WETH by itself, said Dedaub. The risk on the other networks, i.e., Binance Smart Chain, Polygon, Avalanche, and Fantom, was estimated at around $40 million, said Dedaub.
“The threat was enormous and multi-faceted — almost ‘as big as it gets’ for a single protocol,” Dedaub wrote.
The attack is still ongoing
While the big honeypots were fixed ahead of time, Multichain was unable to protect users who had given the protocol permission to spend their coins. When it disclosed the bug, it told them that they needed to revoke these permissions or their funds could be stolen.
While the platform encouraged users to do so, many didn’t do so in time and were exploited. The attack is still ongoing as long as there are people remaining who haven’t revoked these permissions.
There have been three main attackers taking advantage of the exploit so far. The first took around 450 ETH ($1.1 million). The second took another 450 ETH ($1.1 million) but returned 320 ETH ($780,000) after conversing with the victim. A third took 250 ETH ($600,000).
There have also been other attackers taking small amounts of money. It’s possible that there were fewer or more attackers than this, since the count is based on unique addresses per exploit rather than on knowing who was behind each one.
In total, around 1150 ETH ($2.8 million) has been lost to the attacks, while about 320 ETH ($780,000) has been returned, with a net loss of over $2 million.
“When so much is at stake, web3 projects need to think beyond passive defenses (i.e. auditing, bounties) and add more active compensating controls to identify attacks when they happen and then automatically respond in a way that would immediately protect their funds,” said ZenGo co-founder Tal Be'ery.
Six tokens on the router contract — wrapped ether (WETH), wrapped Binance coin (WBNB), Polygon (MATIC), Avalanche (AVAX), official mars (OMT) and Peri Finance (PERI) — were and are still at risk. That means if a Multichain user has approved any of the contracts of the six tokens, they need to revoke approvals, or else their tokens are still in danger of being potentially lost.
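What “revoking approvals” means at the contract level, as an added example that is not from The Block’s article or from Multichain’s own code: with no library, it builds the raw ERC-20 `allowance` check used to audit an approval and the `approve(spender, 0)` call that revokes it, then flags tokens whose allowance is still nonzero. The router address and the sample call results are constructed placeholders, since the article gives neither.

```javascript
// Added example: raw ERC-20 calldata for auditing and revoking a token approval.
const SELECTOR_ALLOWANCE = "dd62ed3e"; // first 4 bytes of keccak256("allowance(address,address)")
const SELECTOR_APPROVE   = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")

// Hypothetical placeholder: the real Multichain router address is not given in the article.
const ROUTER_PLACEHOLDER = "0x000000000000000000000000000000000000dEaD";

// Left-pad a hex value (address or integer) to one 32-byte ABI word.
function pad32(hex) {
  const clean = hex.replace(/^0x/, "").toLowerCase();
  if (!/^[0-9a-f]*$/.test(clean) || clean.length > 64) throw new Error("bad hex word");
  return clean.padStart(64, "0");
}

// Calldata for allowance(owner, spender): sent via eth_call to the token contract.
function encodeAllowanceCall(owner, spender) {
  return "0x" + SELECTOR_ALLOWANCE + pad32(owner) + pad32(spender);
}

// Calldata for approve(spender, 0): the revoke transaction sent to the token contract.
function encodeRevokeCall(spender) {
  return "0x" + SELECTOR_APPROVE + pad32(spender) + pad32("0");
}

// Decode the single uint256 word that allowance() returns.
function decodeAllowance(returnData) {
  const clean = returnData.replace(/^0x/, "");
  if (clean.length !== 64) throw new Error("unexpected return data length");
  return BigInt("0x" + clean);
}

// Given the eth_call result per token symbol, list the tokens that still need a revoke.
function tokensNeedingRevoke(allowanceResults) {
  return Object.entries(allowanceResults)
    .filter(([, data]) => decodeAllowance(data) > 0n)
    .map(([symbol]) => symbol);
}

// Constructed sample results: WETH still approved (unlimited), MATIC already revoked.
const SAMPLE_RESULTS = {
  WETH:  "0x" + "f".repeat(64),
  MATIC: "0x" + "0".repeat(64),
};

console.log("still approved:", tokensNeedingRevoke(SAMPLE_RESULTS));
console.log("revoke calldata:", encodeRevokeCall(ROUTER_PLACEHOLDER));
```

A real audit would send `encodeAllowanceCall(yourAddress, router)` to each of the six token contracts through `eth_call`, and a nonzero result is the signal to submit the `approve(router, 0)` transaction.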
© 2023 The Block. All Rights Reserved.