Multichain under fire from users as hacking losses grow to $3M

Hackers have continued to exploit a critical vulnerability in the cross-chain router protocol (CRP) Multichain that first appeared on Jan 17.

Earlier this week, Multichain urged users to revoke approvals for six tokens to protect their assets from being exploited by malicious individuals.

However Multichain's announcement on Jan. 17 encouraged more hackers to try the exploit. One stole $1.43 million, another offered to return 80% while keeping the rest as a tip. According to Tal Be’ery, the co-founder of the ZenGo wallet, the stolen amount has now risen to $3 million.

The @MultichainOrg hack is far from being over.Over the last hours more than additional $1M stolen, rising the total stolen amount to $3M.One victim lost $960K!https://t.co/fYhYxUojB8 pic.twitter.com/Gvh5hB6t6s

— Tal Be'ery (@TalBeerySec) January 19, 2022

Six supported tokens are still subject to the security vulnerability including WETH, PERI, OMT, WBNB, MATIC, and AVAX.

Users have accused the company on social media of not providing them with clear enough information or support regarding the situation. One user who lost $960k offered 50 ETH to the hacker’s address in return for the remaining funds.

The company claimed on Jan.17 that the critical vulnerability affecting the six tokens had been reported and fixed on Jan. 17, but on Jan. 19 it again reminded users to revoke approvals of the tokens. Multichain has since turned off the comments on its recent tweets.

Crypto Twitter figure “ChainLinkGod” said that he was “incredibly confused” by the platform’s message, while “drarreg17” asked Multichain what it was going to do to “compensate users like myself who were affected by the exploits?”

I can’t be the only one who’s incredibly confused by @MultichainOrg’s messaging here Schrodinger‘s funds, both safe and unsafe at the same time pic.twitter.com/AW8s8aAhHk

— ChainLinkGod.eth 2.0 (@ChainLinkGod) January 19, 2022

Related: Multichain asks users to revoke approvals amid ‘critical vulnerability’

Unhappy users posting in the company’s Telegram group today complain  Multichain has not been able to resolve the security vulnerability yet, nor has it been able to provide its users with the support they seek.

Seems like @MultichainOrg reached out to the attackers offering them "bounty" (or in other words, actually paying ransom)https://t.co/DzUGUF3vX0 https://t.co/iKLh0HCBXG pic.twitter.com/yC3QEeiZhJ

— Tal Be'ery (@TalBeerySec) January 18, 2022

According to Be’ery, the company reached out to the original address that has been holding over 450 ETH ($1.43 million) in stolen funds since Jan. 18 and offered the hacker or hackers a bug “bounty for exploits.”

Multichain (formerly Anyswap) envisions being the ultimate router for Web 3.0. The ecosystem supports 30 chains, including Bitcoin (BTC), Avalanche (AVAX), Ethereum (ETH), Fantom (FTM), Litecoin (LTC), and Terra (LUNA), and offers no-slippage swapping.

With nearly $9 billion in TVL, it is unclear when and how Multichain will sort the situation. Cointelegraph has contacted the project for comment.

Multichain hacker returns 322 ETH, keeps hefty finders fee   Jan. 21, 2022
Ethereum fees declining as DeFi markets cool   Nov. 4, 2020
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'   Feb. 3, 2022
STEPN impersonators stealing users' seed phrases, warn security experts   April 25, 2022
Ethereum scaling network Arbitrum set for major upgrade on Aug. 31   Aug. 30, 2022