Last week, a popular blockchain platform announced that it had found a flaw that allowed hackers to drain funds from its users.
When Multichain, which allows users to swap tokens between blockchains, made the announcement, it said “the liquidity for these 6 tokens is fixed now,” and a day later it said the hack was “contained,” but users needed to revoke approvals for six tokens in order to avoid being hacked. In other words, Multichain was telling people that the only way to avoid getting hacked was for them to take action. But by telling its users about the vulnerability in such a public way, and putting the onus on them to defend themselves, the company also tipped off hackers that there were vulnerable wallets that could be drained.
And hackers proceeded to drain them. Multiple hackers immediately stole more than $1.4 million, a total that climbed to $3 million soon after. One of the hackers announced on the Ethereum blockchain that they were actually stealing the money with the intention of “saving” it from the other, malicious hackers. In the end, the self-styled "white hat" hacker returned the funds as they promised.
But a week later, users are still getting hacked and losing their crypto. On Monday, Multichain tweeted a list of wallets that are still vulnerable in a public spreadsheet. Until the owners of these wallets revoke the contract permissions for the affected tokens, the vulnerability will continue to let hackers steal their funds.
“This bug caused me to lose 13.11 ETH [around 2,400 USD], this is my emergency use, I am on the verge of bankruptcy, please help me! I need you to pay me back,” a user that goes by Yi Wang said on Multichain's public Telegram channel on Tuesday.
Wang told Motherboard in an online chat that Multichain did not communicate privately with them about the vulnerability, but that there was no way for the company to do that as it doesn’t have their email. Wang’s hope now is that the company will reimburse their losses.
Another user, who goes by 0xCyda, asked in the public channel whether “Multichain has some sort of insurance fund they will pay back the people that had lost money from the Hack?” 0xCyda told Motherboard that his wallet was hacked “three days ago.”
Multichain admins in the channel did not respond to his question directly, but asked him to file a support ticket.
Do you have any information about this hack? Or do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email firstname.lastname@example.org
At this point, it’s unclear if Multichain will reimburse the hacked users. Multichain admins on Telegram declined to answer when Motherboard asked about the potential reimbursements. The company also did not respond to questions sent via email.
In total so far, hackers have stolen $3.8 million in crypto from Multichain users, Tom Robinson, the co-founder of blockchain tracking firm Elliptic, told Motherboard in an email.
The number of users getting hacked is now lower than it was last week, but people are still getting hacked, according to security experts who have been following the incident.
“Some users are still in danger of getting hacked, until they remove approvals to the vulnerable contract. In the past 2-3 days, a handful of users every day have been getting hacked because they exchanged other assets into the vulnerable token (WETH) without having removed approvals,” Yannis Smaragdakis, the co-founder of Dedaub, a security firm that alerted Multichain of the vulnerability, told Motherboard in an online chat. “Three days ago it was about 20 users a day, now it's down to 10 or so, mostly small amounts but a couple of bigger swaps.”
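As an added illustration of the "revoke approvals" step the article keeps returning to (this is not code from the article, Multichain or Dedaub), the following builds the two ERC-20 calls a wallet needs: one to read the allowance it granted to a spender contract, and one to set that allowance back to zero. The wallet, token and router addresses are constructed placeholders, not the real Multichain contracts.

```javascript
// Added example, not from the article: the ERC-20 calls behind "revoke approvals".
// All addresses and amounts below are constructed placeholders, not Multichain's.
// 4-byte selectors from the ERC-20 ABI (first 4 bytes of keccak256 of the signature).
const SEL_ALLOWANCE = "dd62ed3e"; // allowance(address,address)
const SEL_APPROVE = "095ea7b3";   // approve(address,uint256)

function padAddress(addr) {
  const hex = addr.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(hex)) throw new Error("bad address: " + addr);
  return hex.padStart(64, "0"); // ABI encodes an address left-padded to 32 bytes
}

function padUint(n) {
  return BigInt(n).toString(16).padStart(64, "0");
}

// eth_call data to read allowance(owner, spender) on a token contract.
function encodeAllowanceCall(owner, spender) {
  return "0x" + SEL_ALLOWANCE + padAddress(owner) + padAddress(spender);
}

// Decode the 32-byte uint256 that an eth_call to allowance() returns.
function decodeAllowance(resultHex) {
  const hex = resultHex.replace(/^0x/, "");
  if (hex.length !== 64) throw new Error("unexpected return data");
  return BigInt("0x" + hex);
}

// Transaction data for approve(spender, 0): the revocation affected users must send.
function encodeRevokeCalldata(spender) {
  return "0x" + SEL_APPROVE + padAddress(spender) + padUint(0);
}

// Given the allowances a wallet granted to the vulnerable spender (token -> decoded
// allowance), return one approve(spender, 0) transaction per token still exposed.
function planRevocations(owner, vulnerableSpender, allowances) {
  const plan = [];
  for (const [token, allowance] of Object.entries(allowances)) {
    if (allowance === 0n) continue; // already revoked, nothing to send
    plan.push({ from: owner, to: token, data: encodeRevokeCalldata(vulnerableSpender) });
  }
  return plan;
}

// Constructed sample: one wallet, three affected tokens, two still approved to the router.
const SAMPLE_OWNER = "0x" + "11".repeat(20);
const SAMPLE_ROUTER = "0x" + "22".repeat(20); // placeholder for the vulnerable contract
const SAMPLE_ALLOWANCES = {
  ["0x" + "aa".repeat(20)]: 2n ** 256n - 1n,      // unlimited approval, the usual default
  ["0x" + "bb".repeat(20)]: 0n,                   // already revoked
  ["0x" + "cc".repeat(20)]: 1500000000000000000n, // 1.5 tokens with 18 decimals
};
```

A wallet that later swaps into a still-approved token (the WETH case Smaragdakis describes) shows up again in `planRevocations` as a nonzero allowance, which is why the check has to be repeated rather than run once.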
There are indications that Multichain is also taking proactive action. Be’ery pointed out that there’s a wallet labelled “Multichain (Anyswap): Whitehat Rescue 3” on Etherscan, saying it “could be the contract is attacking for good = White hat that defensively hacks users.” On Twitter, Multichain thanked a user for “protecting” cryptocurrency. “We will return to users accordingly,” the company wrote.
According to Smaragdakis and another security expert, Multichain did all it could to limit the damage. Despite arguably opening its users up to being hacked en masse in the first place, it could have been much worse.
Smaragdakis said that the company “handled this pretty well,” and that it “minimized the damage.”
On Monday, Smaragdakis published a technical report on the vulnerability that caused the hack, which claims that when Dedaub initially found the flaw and started working with Multichain to fix it, there was more than a billion dollars in crypto that could have been stolen.
“This would have been possibly the largest crypto hack ever. $1B is a very conservative exposure calculation,” Smaragdakis said in an online chat, adding that initially there were several avenues where hackers could steal cryptocurrency, and around 5,000 wallets exposed.
After it was alerted to the threat, Multichain worked to close off as many of those avenues as it could, including contacting as many affected people as it could identify and prompting them to revoke permissions and secure their funds from hackers.
Smaragdakis explained that when the company made the public announcement “there was nothing else left to do silently, so they needed to go public.” At that point Smaragdakis and Multichain estimated that around $3 or 4 million in crypto were exposed.
Tal Be’ery, the chief technology officer of ZenGo and a researcher who has been following the hack closely, agreed that it could have been worse.
“They did what they could given their lack of preparation for such an event. The only thing they could have done better given the situation is to friendly hack their users first before the hacker did and return funds to the ones who revoked their approvals,” he told Motherboard in an online chat.
Still, Be’ery explained, Multichain could have avoided this vulnerability, and prevented users from getting hacked, if it had included a way to pause or upgrade its smart contract.
UPDATE, 9:31 a.m. ET: This story was updated to include Tom Robinson’s comment.