Those who have previously used the protocol may need to revoke permissions to keep their funds safe.
Key Takeaways
A hacker has stolen over $1.4 million from Multichain bridge users.
Although Multichain quickly fixed the exploit, users who have previously approved permissions to outdated contracts are still at risk.
Multichain is one of the most popular cross-chain bridges, handling over $500 million in daily transaction volumes.
A bug in the Multichain Bridge Protocol has resulted in users losing over $1.4 million to hackers, with millions more potentially still at risk.
Multichain Bug Hits Bridge Users
Multichain has found a bug in its bridge.
The cross-chain bridge Multichain announced Monday that it had been notified of a vulnerability in its bridging router affecting several tokens. Security firm Dedaub reported to Multichain that users who had approved permissions for WETH, PERI, OMT, WBNB, MATIC, and AVAX on Multichain’s bridging router were at risk of hackers draining their funds.
“If you ever have approved any of these 6 tokens on the Router please login to remove any approvals of the 6 tokens asap,” reads Multichain’s post covering the vulnerability. Although Multichain has since fixed the bug, users who had previously approved the protocol to use their tokens are still at risk.
Multichain has also reported that all assets on its V2 Bridge and V3 Router are safe and that users can carry out cross-chain transactions as usual. The protocol also informed users that it would release the technical details of the bug in a subsequent blog post.
Blockchain security firm PeckShield has identified the address to which a hacker is transferring the stolen funds after exploiting the Multichain bug. So far, 455 ETH worth approximately $1.44 million has been drained from users who have not revoked permissions to their assets.
It is currently unknown how many previous Multichain users are still at risk. Multichain is currently the ninth-largest DeFi protocol and one of the most popular cross-chain bridges. According to DeFi Llama, the protocol currently handles $8.15 billion worth of assets across 14 different blockchains.
Last week, the Multichain team announced that its daily transaction volume had surpassed $500 million, mostly due to people transferring their funds to the Fantom network. With such high daily usage, it is likely that millions of dollars worth of assets are still at risk of being stolen through Multichain’s compromised permissions approvals.
While yield farming protocols have historically been the primary target for DeFi hacks, cross-chain bridge exploits are becoming increasingly common. Bridges between chains are often more susceptible to exploits as they require more interactions and contract approvals than other protocols. Last year, the Poly Network’s cross-chain bridge was the victim of an exploit that allowed a hacker to drain the protocol of over $600 million worth of assets. Although the hacker later returned the stolen funds, the event highlighted the potential security flaws of nascent cross-chain bridging technology.
Multichain has confirmed that affected users can check its approvals link to ensure they haven’t previously approved any of the compromised contracts. Many protocols use Multichain’s bridges to facilitate cross-chain interactions, so even if a user hasn’t directly bridged through Multichain, they may still have approved the protocol’s permissions.
Disclosure: At the time of writing this feature, the author owned ETH and several other cryptocurrencies.