Multichain, previously known as Anyswap, is a cross-chain blockchain protocol.  The project was the victim of a hack in January 2022 where multiple attackers exploited smart contract vulnerabilities to steal over $3 million in tokens from the project’s users.

Inside the Attack

The Multichain hack affected six cross-chain tokens on the project’s router.  These tokens were WETH, PERI, OMT, WBNB, MATIC, and AVAX.

A vulnerability in the code for these tokens’ contracts allowed an attacker to steal these tokens from users who had previously created approvals for them.  Such an approval would allow transfers of the token to be made without requiring the user to explicitly consent.

Multichain made a public announcement of the issue instructing users who had previously approved these tokens to revoke those approvals.  However, this warning also brought the issue to attackers’ attention.  Multichain users who had approved those tokens were targeted by multiple attackers, who stole over $3 million in tokens from the project.

Of the $3 million, approximately $1 million was returned to the project by an attacker who claimed to be a whitehat hacker attempting to save users’ funds.  This hacker kept 62 ETH ($150,000) of their stolen funds but returned 322 ETH to the project.

Lessons Learned From the Attack

Like the BadgerDAO hack, this DeFi hack took advantage of approvals, which allow a DeFi project to transfer tokens out of a user’s account.  Approving tokens removes the need to explicitly approve each transaction but also makes it possible for tokens to be drained from a user’s wallet by a compromised or malicious project.

Rob Behnke
01.26.2022