Key takeaways:
- Multichain suspended operations today after verifying the erroneous payment transfers.
- The exploit includes USDC, Wrapped Ether (WETH), and Wrapped Bitcoin (WBTC). Over $126 million is stored at the wallet address of the exploiter.
Multichain, a cross-chain protocol, suspended operations today after verifying the erroneous payment transfers from its MPC address.
According to blockchain security company Peckshield, Multichain was breached for $126 million, with money being transferred from its Fantom (FTM) and Moonriver bridge by the attacker.
The exploitation involved withdrawing digital assets valued at more than $102 million from Multichain’s Fantom bridge contract on the Ethereum network. This includes $58 million in USDC, $13.6 million in Wrapped Ether (WETH), and $31 million in Wrapped Bitcoin (WBTC). Over $126 million is stored at the wallet address of the exploiter.
Multichain recommended users to cancel any protocol-related approvals after the event. All on-chain services provided by Multichain have been terminated, and their uptime has been ruled out. A statement from the Fantom Foundation stated that it was “evaluating the circumstances and will provide an update as soon as we have more to share.”
In spite of the fact that Multichain has not yet disclosed the specifics of the exploit, early responses from the community point to a potential compromise of the protocol’s private key. The attack was linked to a private key compromise, according to CertiK, its smart contract auditor, who also noted that this was beyond the purview of its prior audit.
Loki Zeng, an on-chain detective, backed up this assertion by pointing out how lengthy the asset transfer was. According to Zeng, the attacker might have gained total control of the protocol’s private key fragments that surpass the threshold.
The study shows that the asset transfer, which included only 2 USDCs, took place over a significant period of time. Before the assignment, there is a test. It demonstrates that the transferor’s sustainability is verified prior to the transfer. After each asset is transferred to a separate wallet, nothing more happens. Even without gas, the receiving wallet is entirely clean.
In addition, the “Method of Attack” is simple. There is no contract, a straightforward assignment, and a test. A hacker might not be the assailant. The operator might not have complete discretion because the assignor has not completed additional processing and execution.
The impact of the vulnerability is said to spread to additional chains like Kava, Dogechain, Conflux, and ETHW, according to 0xScope. Multiple stablecoin assets across these chains have depegged, the company continued.
Since FTM was never distributed or controlled by Multichain, FTM over wFTM, FTM ERC-20, and Opera will not be impacted, according to the Fantom Foundation, which recently sought to break free of influence.
The team behind the ICE cryptocurrency project, according to Daniele Sestagalli, has chosen to destroy the $1.85 million worth of ICE tokens affected by the exploit. He also said that a new coin called WAGMI would be airdropped to users of the Fantom Multichain from the burned tokens.
In light of the current difficulties, Binance halted support for eight bridging tokens from the cross-chain protocol earlier this week until further notice.
