Multichain hack's losses grow to $3M following 'worst way to treat vulnerability'

Hacks and scams within the crypto-industry took $14 billion from users in 2021, according to a recent report. While many hoped the new year won't bring more bad news, it would seem that this may just be the start.

Base layer 

Cross-chain router protocol Multichain (formerly Anyswap) is currently trending, although for all the wrong reasons.

https://twitter.com/MultichainOrg/status/1483110396089483265

On 17 January, Multichain Bridge Protocol discovered a bug or rather a critical vulnerability on its network. Security firm Dedaub reported to Multichain that users who had approved permissions for WETH, PERI, OMT, WBNB, MATIC, and AVAX on Multichain’s bridging router were at risk of hackers draining their funds. At the time, to avoid losses, the Multichain team advised users to cancel all of the approvals given to the specified tokens.

In fact, Multichain published a step-by-step tutorial on how users can easily revoke approvals. Furthermore, the blog reported that all assets on its V2 Bridge and V3 Router were safe. Users could carry out cross-chain transactions as usual.

Later down the line, however, Blockchain security firm PeckShield investigated the affected protocol. As per its investigation, a total of 445 WETH (> $1.4M) was affected.

More on the way

Well, that's what hackers thought of this situation. The aforementioned episode took an interesting turn. Hackers continued to exploit the vulnerability in the cross-chain bridge Multichain.

In fact, they went on to steal about $3 million in cryptocurrencies, according to a report by Vice. Calling the incident "the worst way to treat a vulnerability," Vice's Franceschi-Bicchierai tweeted,

"The hack against Multichain users keeps getting worse."

According to Tal Be’ery, the co-founder of the ZenGo wallet, the stolen amount amounted to,

https://twitter.com/TalBeerySec/status/1483898136678617089?ref_src=twsrc%5Etfw

Alas, that's not it. Different reports  have now emerged signalling at the lack of transparency from the affected protocol's side. For instance, consider this - Chainlink commentator and podcast host ChainLinkGod.eth 2.0 alerted the same in a tweet. He included screenshots from a Medium post indicating that "funds were safe and unsafe at the same time".

https://twitter.com/ChainLinkGod/status/1483822911043473412?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1483822911043473412%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.coindesk.com%2Fbusiness%2F2022%2F01%2F20%2Fmultichain-hack-worsens-as-loss-of-funds-reaches-3m-report%2F

In addition to this, “drarreg17” asked Multichain what it is going to do to "compensate users like myself who were affected by the exploits?” However, the protocol is yet to reply to the request.

Worth noting though that the company reached out to the original address that has been holding over 450 ETH in stolen funds since 17 January. Furthermore, the project offered the hacker/hackers a bug bounty "for exploits."

https://twitter.com/TalBeerySec/status/1483550455536005135?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1483550455536005135%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fcointelegraph.com%2Fnews%2Fmultichain-under-fire-from-users-as-hacking-losses-grow-to-3m

Not all gloomy 

Last week, the Multichain team announced that its daily transaction volume had surpassed $500 million, thanks to people transferring their funds to the Fantom network. Meanwhile, as per Defi Lama, the protocol handles >$9 billion worth of assets across 14 different blockchains.

Well, one thing is clear. Given the TVL stat, the protocol needs to bounce faster and avoid losing any more funds.

The post Multichain hack's losses grow to $3M following 'worst way to treat vulnerability' appeared first on AMBCrypto.