The Multichain hack is still affecting crypto users a week later, despite promises from the company that it had been contained, says a report from Motherboard.
The Multichain Hack
Multichain, formerly Anyswap, is a cross-chain router protocol that lets people swap tokens between various blockchains. Last week it found a critical vulnerability that affected six token contracts.
If you ever have approved any of these 6 tokens on the Router (WETH, PERI, OMT, WBNB, MATIC, AVAX), please login into https://app.multichain.org/#/approvals to remove any approvals of these 6 tokens asap. Otherwise, your assets will always be at risk. Please do not transfer any of these 6 tokens to your wallet before revoking the approvals. The risk will be eliminated instantly upon revoking approvals.
In the announcement it said the liquidity for the six tokens was fixed. The next day it said the Multichain hack was contained. Hackers quickly took notice of vulnerable wallets and pounced, stealing over US$1.4 million. One hacker said they were stealing the funds to protect them from malicious hackers, and indeed returned the funds eventually.
Yesterday, Multichain tweeted a list of wallets that were still vulnerable. They will remain vulnerable until the users revoke the contract permissions for the above six tokens. Multichain administrators did not respond to Motherboard‘s questions about potential reimbursements for customers. So far the total numbers of funds stolen is US$3.8 million.
Yannis Smaragdakis, the co-founder of Dedaub, a security firm that warned Multichain of the vulnerability, said the company handled the incident well and minimized damage. “Despite arguably opening its users up to being hacked en masse in the first place, it could have been much worse.”