The users of cross-chain protocol lashed out over an unsolved security vulnerability that appeared earlier this week and the platform’s failure to act. Later on, though, Multichain revealed that one whitehat hacker returned 259 ETH, worth approximately $813,000.
The Multichain Exploit
It all started when Multichain announced the existence of a flaw that made several accounts vulnerable to malicious entities. The team behind the protocol urged its users to revoke approvals for six tokens – WETH, PERI, OMT, WBNB, MATIC, and AVAX, in order to protect their assets, an action that inevitably prompted hackers to rush in and exploit the vulnerability.
According to the tracking data, one whitehat hacker has returned 259 ETH (https://t.co/BvTwOQTsE1). At this moment, a total of 602.693538 ETH is exploited. We are trying to get more funds back.
— Multichain (Previously Anyswap) (@MultichainOrg) January 20, 2022
Three hackers siphoned off with around $1.9 million worth of Ether, according to Multichain. However, the Co-founder of ZenGo Tal Be’ery estimated that the total stolen amount has likely crossed $3 million.
One of the hackers swiped $1.43 million from users who failed to update their approvals. Another hacker offered to return 80% and kept the rest $150,000 as a tip. Seeing this, one of the victims, who reportedly lost $960,000 in the exploit, negotiated with the hacker by offering a reward of 50 ETH to the address in return for the funds.
Users were left confused after Multichain, in a since-deleted tweet, said that “funds are safe” even when the exploit was underway. Several victims urged Multichain to compensate and even accused the scammers of trying to impersonate the firm to steal more user funds.
The bug was first reported by DeFi security company Dedaub, but Multichain had claimed to have fixed it.
Previously known as Anyswap, Multichain is essentially a cross-blockchain router protocol that enables users to swap and exchange digital tokens across chains. In doing so, it significantly slashes fees and streamlines the entire process. The company secured $60 million in a seed funding round led by Binance Labs in December.
The latest breach comes on the heels of CryptoCom admitting to an exploit where hackers stole more than $30 million on January 17th. Earlier CryptoCom announced suspending withdrawals after a slew of complaints from users who claimed that their funds had disappeared. But it wasn’t until Thursday that the company officially acknowledged the breach after being repeatedly accused of vague communication.