DeFi security company Dedaub has discovered a vulnerability in the Multichain protocol that could lead to the theft of $1 billion worth of assets.
The vulnerability was first discovered last week, when hackers used it to withdraw $2 million worth of cryptocurrencies. In a statement on its blog, Dedaub said that assets worth 500 times more were at risk of theft. As it turned out, there were two vulnerabilities: one in the WETH liquidity pool and the other in the router smart contract, a subsystem that distributes tokens across networks.
“The threat was significant. It can be called the maximum possible for one protocol. In the event of a full exploitation of the vulnerability, a billion dollars worth of assets were at risk. This would be one of the largest hacks in history,” Dedaub writes.
According to computer security experts, hackers could get $431 million in WETH tokens with just one transaction. These funds were stored in just three wallets, including the AnySwap Fantom Bridge address, which had $367 million. Hackers could also withdraw funds from 5,000 wallets of users who did not revoke permission to interact with funds. Another $40 million could have been withdrawn from liquidity pools for other networks by attackers, Dedaub says.
But the main loophole for attackers was in the AnySwap Fantom Bridge. In addition to stealing the $367 million stored in the address, the hackers could double their funds indefinitely by investing tokens on the Ethereum network, receiving them on the Fantom network, and then taking the tokens from the pool on the Ethereum network. At the same time, the assets in the Fantom network would remain legitimate and valuable.
Wallets that have not revoked permissions for Multichain smart contracts remain vulnerable to hackers. The attackers were able to withdraw 1,150 ETH ($2.8 million), but then returned 320 ETH ($780,000). Thus, the losses amounted to more than $2 million. Earlier it was reported that hackers had withdrawn assets worth $1.34 million.