Multichain Users Lose $1.4M Due to Bridge Bug

Those who have previously used the protocol may need to revoke permissions to keep their funds safe. 

Multichain Users Lose $1.4M Due to Bridge Bug
Shutterstock cover by Dmitry Laudin

Key Takeaways

  • A hacker has stolen over $1.4 million from Multichain bridge users.
  • Although Multichain quickly fixed the exploit, users who have previously approved permissions to outdated contracts are still at risk.
  • Multichain is one of the most popular cross-chain bridges, handling over $500 million in daily transaction volumes.

Share this article

A bug in the Multichain Bridge Protocol has resulted in users losing over $1.4 million to hackers, with millions more potentially still at risk. 

Multichain Bug Hits Bridge Users

Multichain has found a bug in its bridge.

The cross-chain bridge Multichain announced Monday that it had been notified of a vulnerability in its bridging router affecting several tokens. Security firm Dedaub reported to Multichain that users who had approved permissions for WETH, PERI, OMT, WBNB, MATIC, and AVAX on Multichain’s bridging router were at risk of hackers draining their funds. 

“If you ever have approved any of these 6 tokens on the Router please login to remove any approvals of the 6 tokens asap,” reads Multichain’s post covering the vulnerability. Although Multichain has since fixed the bug, users who had previously approved the protocol to use their tokens are still at risk. 

Multichain has also reported that all assets on its V2 Bridge and V3 Router are safe and that users can carry out cross-chain transactions as usual. The protocol also informed users that it would release the technical details of the bug in a subsequent blog post. 

Blockchain security firm PeckShield has identified the address to which a hacker is transferring the stolen funds after exploiting the Multichain bug. So far, 455 ETH worth approximately $1.44 million has been drained from users who have not revoked permissions to their assets. 

It is currently unknown how many previous Multichain users are still at risk. Multichain is currently the ninth-largest DeFi protocol and one of the most popular cross-chain bridges. According to DeFi Llama, the protocol currently handles $8.15 billion worth of assets across 14 different blockchains. 

Last week, the Multichain team announced that its daily transaction volume had surpassed $500 million, mostly due to people transferring their funds to the Fantom network. With such high daily usage, it is likely that millions of dollars worth of assets are still at risk of being stolen through Multichain’s compromised permissions approvals. 

While yield farming protocols have historically been the primary target for DeFi hacks, cross-chain bridge exploits are becoming increasingly common. Bridges between chains are often more susceptible to exploits as they require more interactions and contract approvals than other protocols. Last year, the Poly Network’s cross-chain bridge was the victim of an exploit that allowed a hacker to drain the protocol of over $600 million worth of assets. Although the hacker later returned the stolen funds, the event highlighted the potential security floors of nascent cross-chain bridging technology. 

Multichain has confirmed that affected users can check its approvals link to ensure they haven’t previously approved any of the compromised contracts. Many protocols use Multichain’s bridges to facilitate cross-chain interactions, so even if a user hasn’t directly bridged through Multichain, they may still have approved the protocol’s permissions.

Disclosure: At the time of writing this feature, the author owned ETH and several other cryptocurrencies. 

Share this article