Web3 cross-chain router Multichain formerly Anyswap announced that it has recovered roughly $2.6 million which is 50% of the lost funds from the recent liquidity pool and router contract exploits first identified on Jan 10, 2022. Following the attack, Multichain ask users to withdraw approvals for the vulnerable smart contracts.
Unfortunately, the warning led to more attacks, with estimated losses above $3 million. Multichain was able to fix the vulnerability of the liquidity pool by upgrading the tokens’ liquidity to new contracts, stating,
“However, the risk remains for the users who have yet to revoke approvals for the affected router contracts. Notably, users themselves have to be the ones to revoke the approvals.”
As per the blog post, out of a total of 7,962 user addresses, 4861 addresses have revoked their approvals, while 3101 have not. The team initiated a compensation plan to restore user funds which expired on Feb. 18, 2022.
The blog went on to add that to qualify for a reimbursement, users had to revoke their approvals and submit a support ticket. Multichain said they would continue trying to recover the lost funds and reimburse users after Feb. 18, 2022, minus the miner fee.
Blockchain security firm Dedaub alerted Multichain about two soft spots in its liquidity pool and router contracts, which affected Wrapped ETH [WETH], Wrapped BNB [WBNB], Polygon [MATIC], and Avalanche [AVAX]. Almost 913 WETH and 125 AVAX were recovered. Over 976.8628 WETH is still unaccounted for.
Stablecoin issuer Tether too stepped in by freezing an Ethereum address holding over $715,000 worth of USDT, according to data from block explorer site Etherscan. Earlier in Feb. 2022, a DeFi infrastructure provider Meter had suffered a bridge vulnerability that saw large amounts of BNB and WETH minted, depleting bridge reserves.
Multichain future action
The team through the post assured that relevant measures have been put in place to avoid such future vulnerabilities. There would be increased rounds of security audits on contracts and cross-chain bridges to be conducted.
The cross-chain platform is also proposing a Security Fund subject to vote via governance tokens. The fund would be utilized to implement rescue schemes for digital assets lost caused by Multichain’s own infrastructure. Multichain decided to award Dedaub with $1M for each vulnerability identified and disclosed as part of their maximum bug bounty payment.