Cross-chain protocol users have gone wild over an unaddressed security vulnerability that surfaced earlier this week and the platform’s inability to act. Later, however, Multichain revealed that a whitehat hacker returned 259 ETH, worth around $813,000.
The Multichain Exploit
It all started when Multichain announced the existence of a flaw that made several accounts vulnerable to malicious entities. The team behind the protocol urged its users to revoke approvals for six tokens – WETH, PERI, OMT, WBNB, MATIC, and AVAX, in order to protect their assets, an action that inevitably prompted hackers to rush in and exploit the vulnerability.
According to Multichain, three hackers got away with about $1.9 million worth of Ether. However, ZenGo co-founder Tal Be’ery estimated that the total amount stolen likely exceeded $3 million.
One of the hackers swiped $1.43 million from users who failed to update their approvals. Another hacker offered to return 80% and kept the rest $150,000 as a tip. Seeing this, one of the victims, who reportedly lost $960,000 in the exploit, negotiated with the hacker by offering a reward of 50 ETH to the address in return for the funds.
Users were left puzzled after Multichain, in a deletion since Tweeter, said “the funds are safe” even when the exploit was in progress. Several victims urged Multichain to compensate and even accused the scammers of trying to impersonate the company to steal more user funds.
The bug was first reported by DeFi security company Dedaub, but Multichain had claimed to have fixed it.
Previously known as Anyswap, Multichain is essentially a cross-blockchain router protocol that allows users to swap and trade digital tokens between chains. By doing so, it significantly reduces costs and streamlines the entire process. The company secured $60 million in a seed funding round led by Binance Labs in December.
The latest breach comes on the heels of CryptoCom admitting to an exploit where hackers stole more than $30 million on January 17th. Earlier CryptoCom announced suspending withdrawals after a slew of complaints from users who claimed that their funds had disappeared. But it wasn’t until Thursday that the company officially acknowledged the breach after being repeatedly accused of vague communication.