Multichain token hack losses reach $3 million: report

Multichain messaging seems confusing, at best.
Written by Charlie Osborne, Contributing Writer

A vulnerability in Multichain systems has led to the theft of at least $3 million, reports suggest. 

Multichain, previously known as Anyswap, is a cross-blockchain router protocol designed to allow users to swap and exchange digital tokens across chains while reducing fees and streamlining the overall process. 

However, chaos now reigns in the ecosystem due to a cybersecurity incident caused by a vulnerability in the network, as first reported by Vice

Dedaub reported the vulnerability to Multichain. The company said in a blog post dated January 17 that the critical flaw impacted WETH, PERI, OMT, WBNB, MATIC, and AVAX swaps, but assured users at the time that "all assets on both V2 Bridge and V3 Router are safe [and] all cross-chain transactions can be done safely as usual."

In the same breath, the company urged users to log in to their accounts and remove any approvals relating to these tokens as quickly as possible or funds could be at risk. 

Technical details of the vulnerability are yet to be disclosed. 

On Wednesday, Multichain said that users who had not revoked WETH approval had been exploited. 

"Please do not transfer any of these six tokens to your accounts before revoking, otherwise, your wallets are in danger still," the organization said. "The hack is contained for now. However, users still have to revoke the approvals for those six tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) to avoid a future attack."

The messaging has caused confusion and despite the approval issue and lost funds, Multichain says that bridging can take place "as usual."

Losses were originally estimated to be in the range of $1.4 million. Co-founder of ZenGo Tal Be'ery said on Wednesday that the total stolen amount has likely surpassed $3 million. 

One of the victims who lost approximately $1 million in tokens attempted to negotiate with a thief who posted an on-chain 'ransom' note. In an update Thursday morning, Be'ery noted that negotiation has now taken place, with the attacker returning the funds – minus a $150,000 "tip."

Dedaub will be publishing an advisory on the vulnerability in the future.

In related news this week, cryptocurrency exchange crypto.com CEO Kris Marszalek said that a cyberattack that occurred last week impacted 400 users. The company has not disclosed how much was stolen but did say that clients were reimbursed on the same day. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards