Header Ads Widget


The amount of money stolen from Multichain users reached $3 million

The amount of money stolen from Multichain users reached $3 million

Unknown individuals continue to exploit a vulnerability in the Multichain crosschain protocol that developers announced earlier this week. According to the technical director of cryptocurrency wallet ZenGo, Tal Beery, hackers have already withdrawn about $3 million in digital assets.

The @MultichainOrg hack is far from being over. Over the last hours more than additional $1M stolen, rising the total stolen amount to $3M. One victim lost $960K! https://t.co/fYhYxUojB8 pic.twitter.com/Gvh5hB6t6s & ; Tal Be'ery (@TalBeerySec) January 19, 2022

On Monday, January 17, the Multichain team reported a vulnerability affecting six tokens: WETH, PERI, OMT, WBNB, MATIC and AVAX. The next day, PeckShield analysts said that unknown people took advantage of the exploit and withdrew more than 450 ETH (~$1.4 million at the exchange rate at the time).

Later the developers of the protocol said that 445 users were affected by the incident. Representatives of the project urged to follow the published instructions to keep the funds safe.

Beery noted that one of the victims of the attackers lost about $960,000. The victim left an entry on the Ethereum blockchain asking for the cryptocurrency back for a reward.

The hacker accepted the offer and returned the assets in exchange for 50 ETH (~$157,200).

And it's a deal! The #multichain attacker / "white hat" returned the funds to the ~$1M, minus $150K "tip" as offered by the victim.#MultichainHack https://t.co/jAX6furhHi pic.twitter.com/EkGvwifoef & ; Tal Be'ery (@TalBeerySec) January 20, 2022

"First of all, thank you for getting WETH. I didn't know about the hack and only realized the situation because the WETH never arrived in my wallet after the CowSwap transaction. Given the amount at stake, would you accept 50 ETH as a fair tip?" the user wrote in an appeal to the hacker.

According to Beery, the hackers were also approached by the developers of Multichain. He pointed out that they had contacted the address where 445 ETH of stolen funds were stored and offered a reward for the discovered exploit.

Seems like @MultichainOrg reached out to the attackers offering them "bounty" (or in other words, actually paying ransom)https://t.co/DzUGUF3vX0 https://t.co/iKLh0HCBXG pic.twitter.com/yC3QEeiZhJ & ; Tal Be'ery (@TalBeerySec) January 18, 2022

At the same time, PeckShield reported another Multichain vulnerability that affects crosschain bridge liquidity providers. The company's specialists noted that the developers used an administrator key to withdraw funds from the affected contracts. 

FWIW: We are talking about a different exploitation that affects the bridge LP providers, instead of approving users. The vulnerability is of the same nature as the one being exploited in-the-wild. Fortunately, the team exercises the MPC admin key for fund rescue/migration. & ; PeckShield Inc. (@peckshield) January 20, 2022

The project team was criticized in the community for providing ambiguous information about the incident and insufficient user support. Multichain's Twitter account disabled the ability to comment on posts.

I can't be the only one who's incredibly confused by @MultichainOrg's messaging here Schrodinger's funds, both safe and unsafe at the same time pic.twitter.com/AW8s8aAhHk & ; ChainLinkGod.eth 2.0 (@ChainLinkGod) January 19, 2022

Speaking to Vice, Multichain's Telegram channel administrator, nicknamed Marcel, said that the team is taking some action, but is not publicly announcing it. 

Recall that in December 2021 Multichain raised $60 million from Binance Labs, Circle Ventures, and the Tron Foundation.

Post a Comment