The Multichain hack is still affecting crypto users a week later, despite promises from the company that it had been contained, says a report from Motherboard.
The Multichain Hack
Multichain, formerly Anyswap, is a cross-chain router protocol that lets people swap tokens between various blockchains. Last week it found a critical vulnerability that affected six token contracts.
If you ever have approved any of these 6 tokens on the Router (WETH, PERI, OMT, WBNB, MATIC, AVAX), please log in to https://app.multichain.org/#/approvals to remove any approvals of these 6 tokens asap. Otherwise, your assets will always be at risk. Please do not transfer any of these 6 tokens to your wallet before revoking the approvals. The risk will be eliminated instantly upon revoking approvals.
In the announcement it said the liquidity for the six tokens was fixed. The next day it said the Multichain hack was contained. Hackers quickly took notice of vulnerable wallets and pounced, stealing over US$1.4 million. One hacker said they were stealing the funds to protect them from malicious hackers, and indeed returned the funds eventually.
Yesterday, Multichain tweeted a list of wallets that were still vulnerable. They will remain vulnerable until the users revoke the contract permissions for the above six tokens. Multichain administrators did not respond to Motherboard's questions about potential reimbursements for customers. So far the total amount of funds stolen is US$3.8 million.
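Revoking a token approval, as the announcement asks, comes down to reading allowance(owner, spender) on each token and sending approve(spender, 0) where the result is non-zero. The sketch below is an added example, not code from Multichain or from the article. It assumes the tokens expose the standard ERC-20 approval interface; the function names are hypothetical, and every address and RPC result in it is a constructed placeholder.

```python
# Added example: audit ERC-20 allowances granted to a router and build revocations.
# All addresses and RPC results below are constructed placeholders, not real contracts.
ALLOWANCE = "dd62ed3e"  # selector of allowance(address,address)
APPROVE = "095ea7b3"    # selector of approve(address,uint256)
UNLIMITED = 2**256 - 1  # the common "infinite approval" value
HEX = "0123456789abcdefABCDEF"

def addr_word(addr):
    """ABI-encode a 20-byte address as a left-padded 32-byte hex word."""
    h = addr[2:] if addr.startswith("0x") else addr
    if len(h) != 40 or any(c not in HEX for c in h):
        raise ValueError("not a 20-byte address: %r" % addr)
    return h.lower().rjust(64, "0")

def allowance_request(token, owner, spender):
    """eth_call body asking `token` how much `spender` may move from `owner`."""
    data = "0x" + ALLOWANCE + addr_word(owner) + addr_word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def decode_uint256(result):
    """Decode the single uint256 word returned by allowance()."""
    h = result[2:] if result.startswith("0x") else result
    if len(h) != 64:
        raise ValueError("expected one 32-byte word, got %d hex chars" % len(h))
    return int(h, 16)

def revoke_tx(token, owner, spender):
    """Unsigned transaction calling approve(spender, 0) on the token."""
    data = "0x" + APPROVE + addr_word(spender) + "0" * 64
    return {"from": owner, "to": token, "data": data, "value": "0x0"}

def audit(owner, spender, tokens, results):
    """Return {symbol: (allowance, revoke_tx)} for every non-zero allowance."""
    findings = {}
    for symbol, token in tokens.items():
        amount = decode_uint256(results[symbol])
        if amount > 0:
            findings[symbol] = (amount, revoke_tx(token, owner, spender))
    return findings

# Constructed sample: one unlimited approval, one already revoked.
OWNER = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20   # placeholder, not the real router address
TOKENS = {"WETH": "0x" + "aa" * 20, "WBNB": "0x" + "bb" * 20}
RESULTS = {"WETH": "0x" + "f" * 64, "WBNB": "0x" + "0" * 64}

if __name__ == "__main__":
    for sym, (amt, tx) in audit(OWNER, ROUTER, TOKENS, RESULTS).items():
        print(sym, "unlimited" if amt == UNLIMITED else amt, tx["data"])
```

In real use, RESULTS would hold the "result" field of each eth_call response, and the revoke transaction would be signed and sent from the owner's own wallet.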
Yannis Smaragdakis, the co-founder of Dedaub, a security firm that warned Multichain of the vulnerability, said the company handled the incident well and minimized damage. “Despite arguably opening its users up to being hacked en masse in the first place, it could have been much worse.”
Andrew:
This hack does two things. First, it demonstrates a point yours truly made the other day, namely that there will likely never be a technology that, with sufficient time, resources and ingenuity, a criminal mind cannot defeat. Granted, this exploit targets the swapping of tokens between blockchains, and not the blockchain itself, given that there are an ever-expanding number of blockchain currencies, users are diversifying their blockchain currency holdings, and that there are an increasing number of other blockchain uses beyond currency as you posted the other day https://www.macobserver.com/cool-stuff-found/messenger-quantum-resistant/, which leads to the second thing. Blockchain developers/engineers are going to have to start thinking about potential vulnerabilities and how to preempt them.
Nice follow-up.