The “ultimate cross-chain router for Web3” Multichain recovered nearly $2.6M in lost funds from recent liquidity pool and router contract exploits.
The Multichain protocol announced the recovery of 50% of stolen funds from an exploit first identified on Jan. 10, 2022.
Blockchain security company Dedaub notified Multichain about two soft spots in its liquidity pool and router contracts, which affected Wrapped ETH (WETH), Wrapped BNB (WBNB), Polygon (MATIC), and Avalanche (AVAX). Almost 913 WETH and 125 AVAX were recovered. Over 976.8628 WETH is still unaccounted for.
On Jan. 18, 2022, Multichain advised users to withdraw approvals for the vulnerable smart contracts. Unfortunately, the warning elicited more attacks, leading to losses above $3M. Multichain remedied the vulnerability of the liquidity pool by upgrading the tokens’ liquidity to new contracts, saying, “However, the risk remains for the users who have yet to revoke approvals for the affected router contracts. Notably, users themselves have to be the ones to revoke the approvals.”
A total of 4861 addresses have revoked their approvals, while 3101 have not. There was a compensation plan in place to restore user funds. The compensation plan expired on Feb. 18, 2022. Users had to revoke their approvals and submit a support ticket to qualify for a reimbursement. Multichain said they would continue trying to recover the lost funds and reimburse users after Feb. 18, 2022, minus the miner fee.
Meter was also hacked in Feb. 2022
Earlier in Feb. 2022, blockchain infrastructure company Meter had a bridge vulnerability exploited, which saw large amounts of BNB and WETH minted, depleting bridge reserves. Meter specializes in cross-chain functionality and provides an Ethereum Virtual Machine-compatible sidechain that connects to Ethereum decentralized applications and any public blockchain.
Way forward for Multichain
Policies have been put in place to avoid such vulnerabilities in the future. Additional rounds of security audits on contracts and cross-chain bridges will be conducted. Multichain has promised that its team will continually enhance security on the cross-chain bridge architecture and closely monitor all new contracts. Multichain is also proposing a Security Fund subject to a vote via governance tokens. The fund will be used to implement rescue schemes for digital assets lost because of Multichain’s own infrastructure. Rewards of $500 to $1M will be given to community members who identify vulnerabilities in Multichain’s code.
Multichain has expressed their gratitude to security firm Dedaub for informing them about the attack. They will reward Dedaub with $1M for each vulnerability identified and communicated.