After a month-long fight against an ongoing exploit, cross-chain router protocol Multichain announced the recovery of nearly 50% of the total stolen funds, worth nearly $2.6 million of cryptocurrencies. The team has also released a compensation plan to reimburse the users’ losses.
On Jan. 10, blockchain security expert Dedaub alerted Multichain about two vulnerabilities in its liquidity pool and router contracts — affecting eight cryptocurrencies including wrapped ETH (WETH), wrapped BNB (WBNB), Polygon (MATIC) and Avalanche (AVAX).
1/3 We recently identified the “phantom functions” code pattern, which would have led to likely the largest crypto hack ever.
Your code may be vulnerable! You need to check for the pattern in your Solidity/EVM code! https://t.co/pxRqCQFbnS
— Dedaub (@dedaub) January 27, 2022
A week later on Jan. 18, the Multichain team advised users to revoke approvals for the vulnerable smart contracts as a means of immediate damage control. However, as Cryptox reported, the warning announcement encouraged more hackers to try the exploit, resulting in losses exceeding $3 million.
The @MultichainOrg hack is far from being over.
Over the last hours more than additional $1M stolen, rising the total stolen amount to $3M.
One victim lost $960K!https://t.co/fYhYxUojB8 pic.twitter.com/Gvh5hB6t6s— Tal Be’ery (@TalBeerySec) January 19, 2022
According to Multichain, the vulnerability of the liquidity pool was fixed by upgrading the affected tokens’ liquidity to new contracts, adding:
“However, the risk remains for the users who have yet to revoke approvals for the affected router contracts. Importantly, users themselves have to be the ones to revoke the approvals.”
As of Feb. 18, Multichain reported that 4,861 out of the 7,962 affected users have revoked approvals while advising the remaining 3,101 addresses to take action as soon as possible. Out of the 1,889.6612 WETH and 833.4191 AVAX stolen funds, the team was able to recover 912.7984 WETH and 125 AVAX (worth nearly $2.55 million and $10,000 respectively).
“However, in spite of our best efforts, a total of 976.8628 WETH has been stolen,” confirmed Multichain. To be eligible for compensation through reimbursement of losses, Multichain has asked users to revoked their approval and submit a ticket on the website. “As such, we will no longer reimburse any losses that happen after February 18 24:00 UTC.”
Related: Netflix announces new series on Bitfinex hack involving 120,000 Bitcoin
Netflix will soon produce and launch a documentary series circled around a New York-based couple and their involvement in laundering Bitcoin (BTC) linked to the Bitfinex hack.
As Cryptox reported, the documentary will be directed by American filmmaker Chris Smith with Nick Bilton as the co-executive producer. The announcement read:
“Netflix has ordered a documentary series about a married couple’s alleged scheme to launder billions of dollars worth of stolen cryptocurrency in the biggest criminal financial crime case in history.”