
The amount stolen from Multichain users has reached $3 million
Unknown actors continue to exploit a vulnerability in the Multichain cross-chain protocol, which developers disclosed earlier in the week. According to Tal Be’ery, the chief technology officer of the ZenGo crypto wallet, hackers have already withdrawn around $3 million in digital assets.
The @MultichainOrg hack is far from being over.
Over the last hours more than additional $1M stolen, rising the total stolen amount to $3M.
One victim lost $960K! https://t.co/fYhYxUojB8 pic.twitter.com/Gvh5hB6t6s
— Tal Be’ery (@TalBeerySec) January 19, 2022
On Monday, January 17, the Multichain team reported a vulnerability affecting six tokens: WETH, PERI, OMT, WBNB, MATIC and AVAX. The next day PeckShield analysts said that unknown actors had exploited the vulnerability and withdrawn more than 450 ETH (about $1.4 million at the price at the time).
Later the protocol developers said the incident affected 445 users. Representatives of the project urged following the published instructions to keep funds safe.
Be’ery noted that one of the attackers’ victims lost about $960,000. The victim left a message on the Ethereum blockchain asking for the cryptocurrency to be returned in exchange for a reward.
The hacker accepted the offer and returned the assets in exchange for 50 ETH (about $157,200).
And it’s a deal!
The #multichain attacker / “white hat” returned the funds to the ~$1M, minus $150K “tip” as offered by the victim. #MultichainHack https://t.co/jAX6furhHi pic.twitter.com/EkGvwifoef
— Tal Be’ery (@TalBeerySec) January 20, 2022
“First of all, thank you for obtaining the WETH. I did not know about the hack and only realized the situation because the WETH never arrived in my wallet after a transaction on CowSwap. Given the amount at stake, would you accept 50 ETH as a fair tip?” the user wrote in a message to the hacker.
Be’ery noted that the Multichain developers also contacted the attackers. He pointed out that they sent a message to the address holding 445 ETH of the stolen funds and offered a bounty for the discovered exploit.
Seems like @MultichainOrg reached out to the attackers offering them “bounty” (or in other words, actually paying ransom) https://t.co/DzUGUF3vX0 https://t.co/iKLh0HCBXG pic.twitter.com/yC3QEeiZhJ
— Tal Be’ery (@TalBeerySec) January 18, 2022
Meanwhile PeckShield reported another Multichain vulnerability affecting cross-chain bridge liquidity providers. The firm noted that the developers used an administrator key to move funds out of the affected contracts.
FWIW: We are talking about a different exploitation that affects the bridge LP providers, instead of approving users. The vulnerability is of the same nature of the one being exploited in-the-wild. Fortunately, the team exercises the MPC admin key for fund rescue/migration.
— PeckShield Inc. (@peckshield) January 20, 2022
The project’s community criticized the team for providing ambiguous information about the incident and for insufficient user support. The Multichain Twitter account disabled the ability to comment on posts.
I can’t be the only one who’s incredibly confused by @MultichainOrg’s messaging here
Schrodinger‘s funds, both safe and unsafe at the same time pic.twitter.com/AW8s8aAhHk
— ChainLinkGod.eth 2.0 (@ChainLinkGod) January 19, 2022
In a discussion with Vice, the Multichain Telegram channel administrator going by the nickname Marcel said the team is taking certain steps, though not publicly announcing them.
Back in December 2021, Multichain attracted $60 million from Binance Labs, Circle Ventures and the Tron Foundation.