- Around $1.34 million has been siphoned off from one of the largest crypto token swapping platforms in the world, Multichain — formerly known as Anyswap.
- The company had alerted users to the bug on January 17 but required them to manually revoke permissions for six tokens.
- Not everyone made the change, and now over $1 million has been stolen by a single blockchain address.
At a time when the security ecosystem around decentralised finance (DeFi) is being questioned, cross-chain protocol Multichain — formerly known as Anyswap — is asking users to take matters into their own hands in the face of a $1.34 million exploit.
If you have got a problem, you have to fix it on your own, according to the company. Multichain initially revealed that it noticed a critical vulnerability on its platform on January 17 and had subsequently ‘fixed’ it.
1/A critical vulnerability that affected 6 tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) has been reported and fixed.… https://t.co/1FM8EXYy7R
— Multichain (Previously Anyswap) (@MultichainOrg) 1642436047000
However, by ‘fixing’ it, the company meant that users would have to manually log in to their accounts and remove approvals for six tokens on its platform — Wrapped Ethereum (WETH), PERI Finance (PERI), Mars Token (OMT), Wrapped BNB (WBNB), Polygon (MATIC), and Avalanche (AVAX).
Although Multichain's message on Twitter said the vulnerability had been ‘reported and fixed’, what the company meant was that it had been ‘noticed’ and ‘now it’s on you’. The miscommunication meant that not everyone was able to revoke permissions before the bug started being exploited.
Someone is exploiting this literally *right now*. If you haven’t revoked approvals yet you should probably do so be… https://t.co/pKVkOdEkSy
— samczsun (@samczsun) 1642495707000
Less than 24 hours later, blockchain security company PeckShield noticed that a single blockchain address had made off with more than $1.34 million.
@peckshield @MultichainOrg Stolen funds are currently held at this address, more than 450 Ether (~$1.34m) https://t.co/I8H6YXURBM
— PeckShieldAlert (@PeckShieldAlert) 1642496396000
There has been no update as to whether another solution has been found or if the tokens of Multichain’s users are no longer vulnerable, as of 11:00am on January 19 Indian Standard Time (IST).
What is a cross-chain swap protocol?
Multichain is one of the largest cross-chain swap protocols in the world right now. It runs across 10 different blockchains and supports 1,366 different tokens. Overall, it looks after over $8.3 billion in smart contracts.
Simply put, a cross-chain swap lets users exchange a token on one blockchain for a different token on another blockchain. According to Multichain’s own company statement, the Singapore-based enterprise is aiming to become a router for Web3, touted to be the next generation of the internet. News of the exploit came less than a month after Multichain raised $60 million at a $12 billion valuation led by Binance Labs.