According to the company that disclosed the vulnerability last week, the Multichain bug that has resulted in the theft of $2 million in cryptocurrency (so far) could have been “enormous.”
Dedaub, the blockchain security firm that disclosed the problem on January 10, has published a blog post with additional details. According to that post, the amount of money at risk may have exceeded $1 billion.
Given the above, Dedaub puts the potential practical impact, had the vulnerability been fully exploited, in the billions of dollars. That would have made it one of the largest hacks in history. “Given the theoretically limitless threat, we are not getting into more detailed comparisons,” Dedaub said.
Multichain (previously Anyswap) is a cross-chain protocol that lets users move tokens between blockchains. According to Dedaub, the bug showed up as two major vulnerabilities in two of the protocol's contracts. It put at risk a handful of high-value accounts, the bridge between the Ethereum and Fantom blockchains, copies of the same contracts deployed on other blockchains, and roughly 5,000 addresses that had interacted with the Multichain protocol.
Dedaub stated that if the vulnerability had been completely exploited, $431 million in WETH could have been taken in a single transaction from just three victim accounts.
According to Dedaub, the main would-be victim account, the AnySwap Fantom Bridge, was holding over $367 million in WETH on its own. According to Dedaub, the risk on the other networks, which include Binance Smart Chain, Polygon, Avalanche, and Fantom, was estimated to be over $40 million.
“The threat was massive and multifaceted — nearly ‘as big as it gets’ for a single protocol,” Dedaub wrote.
The attacks are still ongoing.
While the largest at-risk accounts (the honeypots) were secured before disclosure, Multichain could not protect users who had granted the protocol permission to spend their tokens. When the problem was revealed, it told those users they had to revoke these approvals or their funds could be taken.
Although the platform urged users to do so, many did not and were exploited as a result. The attack will continue for as long as there are users who have not revoked these approvals.
So far, three major attackers have exploited the issue. The first took approximately 450 ETH ($1.1 million). The second took another 450 ETH ($1.1 million) but, after talking with the victim, returned 320 ETH ($780,000). A third took 250 ETH ($600,000).
Other attackers have also taken smaller sums. Because this count is based on unique attacker addresses per exploit rather than on knowledge of who was behind each one, the true number of attackers may be higher or lower.
In total, around 1,150 ETH ($2.8 million) was taken in the attacks, of which approximately 320 ETH ($780,000) was returned, leaving a net loss of more than $2 million.
“With so much at stake, web3 projects must look beyond passive defenses (i.e. auditing, bounties) and include more active compensating measures to spot attacks when they occur and then automatically respond in a way that would quickly secure their funds,” said Tal Be’ery, co-founder of ZenGo.
Wrapped ether (WETH), wrapped Binance coin (WBNB), Polygon (MATIC), Avalanche (AVAX), Official Mars (OMT), and Peri Finance (PERI) were, and remain, at risk through the router contract. That means any Multichain user who has approved the router contract to spend any of these six tokens must revoke that approval or risk losing those tokens.
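The check a user (or a wallet tool) needs here is simple: for each of the six tokens, read `allowance(owner, router)` and, where it is non-zero, send `approve(router, 0)` to the token contract. The script below, as an added example that is not Dedaub's, Multichain's or the article's own code, builds those calls with only the Python standard library. It assumes placeholder addresses for the wallet, the router and the six token contracts (none of them real), hardcodes the standard ERC-20 function selectors so no keccak library is needed, and feeds itself constructed `eth_call` responses so it runs offline; against a real node you would send the `allowance_request` payloads to an RPC endpoint and sign the resulting revoke transactions with the wallet key, once per chain on which the router was approved.

```python
"""
Added example: find which ERC-20 approvals a wallet has granted to a spender
contract and build the approve(spender, 0) transactions that revoke them.
Standard library only; RPC responses are constructed sample data.
"""
import json

# Standard ERC-20 selectors: first 4 bytes of keccak256 of the canonical signature.
ALLOWANCE_SELECTOR = "dd62ed3e"   # allowance(address owner, address spender)
APPROVE_SELECTOR = "095ea7b3"     # approve(address spender, uint256 amount)
UINT256_MAX = 2**256 - 1          # an "unlimited" approval

# Placeholder addresses, assumed for this example; none is a real contract.
OWNER = "0x" + "aa" * 20          # the user's wallet
ROUTER = "0x" + "bb" * 20         # the spender whose approvals we want revoked
TOKENS = {                        # the six tokens named in the article
    "WETH": "0x" + "01" * 20,
    "WBNB": "0x" + "02" * 20,
    "MATIC": "0x" + "03" * 20,
    "AVAX": "0x" + "04" * 20,
    "OMT": "0x" + "05" * 20,
    "PERI": "0x" + "06" * 20,
}


def _strip0x(h: str) -> str:
    return h[2:] if h[:2].lower() == "0x" else h


def _word_address(addr: str) -> str:
    """ABI-encode an address as one 32-byte word (left-padded, lowercase hex)."""
    h = _strip0x(addr).lower()
    if len(h) != 40:
        raise ValueError(f"bad address: {addr}")
    return h.rjust(64, "0")


def _word_uint(n: int) -> str:
    """ABI-encode a uint256 as one 32-byte word."""
    if not 0 <= n <= UINT256_MAX:
        raise ValueError("uint256 out of range")
    return format(n, "064x")


def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for token.allowance(owner, spender)."""
    return "0x" + ALLOWANCE_SELECTOR + _word_address(owner) + _word_address(spender)


def approve_calldata(spender: str, amount: int) -> str:
    """Calldata for token.approve(spender, amount); amount 0 revokes the approval."""
    return "0x" + APPROVE_SELECTOR + _word_address(spender) + _word_uint(amount)


def allowance_request(req_id: int, token: str, owner: str, spender: str) -> dict:
    """JSON-RPC eth_call that reads the allowance without sending a transaction."""
    return {
        "jsonrpc": "2.0",
        "id": req_id,
        "method": "eth_call",
        "params": [{"to": token, "data": allowance_calldata(owner, spender)}, "latest"],
    }


def decode_uint(result_hex: str) -> int:
    """Decode the single uint256 word that allowance() returns."""
    h = _strip0x(result_hex)
    if len(h) != 64:
        raise ValueError(f"unexpected return data: {result_hex}")
    return int(h, 16)


def plan_revocations(owner: str, spender: str, tokens: dict, responses: dict) -> list:
    """One revoke transaction (to the token contract, approve(spender, 0))
    per token whose allowance for the spender is non-zero."""
    plan = []
    for symbol, token_addr in tokens.items():
        allowance = decode_uint(responses[symbol])
        if allowance == 0:
            continue  # never approved, or already revoked: nothing to do
        plan.append({
            "token": symbol,
            "allowance": "unlimited" if allowance == UINT256_MAX else allowance,
            "tx": {"from": owner, "to": token_addr, "data": approve_calldata(spender, 0)},
        })
    return plan


# Constructed sample eth_call results: WETH has an unlimited approval for the
# router, PERI a bounded one, the other four were never approved.
SAMPLE_RESPONSES = {
    "WETH": "0x" + "f" * 64,
    "WBNB": "0x" + "0" * 64,
    "MATIC": "0x" + "0" * 64,
    "AVAX": "0x" + "0" * 64,
    "OMT": "0x" + "0" * 64,
    "PERI": "0x" + _word_uint(5000 * 10**18),
}

if __name__ == "__main__":
    for i, (sym, addr) in enumerate(TOKENS.items()):
        print(json.dumps(allowance_request(i, addr, OWNER, ROUTER)))
    for item in plan_revocations(OWNER, ROUTER, TOKENS, SAMPLE_RESPONSES):
        print(item["token"], item["allowance"], "-> send", json.dumps(item["tx"]))
```

Two points worth keeping in mind when running this for real: the approval lives on the token contract, not on the router, so the revoke transaction goes to each token address; and because the router was deployed on several chains, the same check has to be repeated against each chain's RPC endpoint with that chain's token and router addresses.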