Hackers continue to exploit a critical vulnerability in Multichain, a Cross-chain Routing Protocol (CRP). The vulnerability was first reported on Jan. 17.
Earlier this week, Multichain urged users to revoke approval for six tokens in order to protect their assets from exploitation by malicious individuals.
However, Multichain’s Jan. 17 announcement encouraged more hackers to attempt to exploit the vulnerability. One of them stole $1.43 million, and another offered to refund 80 percent and keep the rest as a tip. According to Tal Be'ery, co-founder of ZenGo Wallet, the amount stolen has now risen to $3 million.
The hacking of Multichain is far from over.
Over the past few hours, more than $1 million has been stolen, bringing the total stolen to $3 million.
One victim lost $960,000!
— Tal Be'ery (@TalBeerySec) January 19, 2022
Six supported tokens are still affected by the security breach: WETH, PERI, OMT, WBNB, MATIC, and AVAX.
Users on social media accused the company of not providing them with clear enough information or support. A user who lost $960,000 offered 50 ETH to the hacker's address in exchange for the remaining funds.
The company claimed on Jan. 17 that the critical bugs affecting the six tokens had been reported and fixed that day, but on Jan. 19 it again reminded users to revoke approval for the tokens. Multichain has since turned off comments on its recent tweet.
Crypto Twitter user "ChainLinkGod" said he was "incredibly confused" by the platform's notification, while "drarreg17" asked how Multichain would "compensate users like me who were affected by the attack?"
I can't be the only one who is incredibly confused by Multichain's notifications
Schrödinger's money, both safe and insecure
- ChainLinkGod.eth 2.0 (@ChainLinkGod) January 19, 2022
Disgruntled users posted on the company's Telegram group today complaining that Multichain has not yet addressed security flaws or provided users with the support they seek.
Multichain appears to be offering a "bounty" (or in other words, actually paying a ransom) to the attackers
— Tal Be'ery (@TalBeerySec) January 18, 2022
According to Be'ery, the company located the original address holding more than 4.50 ETH ($1.43 million) of stolen funds since January 18 and offered a "bug bounty" to the hackers.
Multichain (formerly Anyswap) aims to be the ultimate router for Web 3.0. The ecosystem supports 30 chains, including Bitcoin, Avalanche, Ethereum, Fantom, Litecoin, and Terra, and offers slippage-free swaps.
With TVL reaching nearly $9 billion, it is unclear when and how Multichain will handle the situation. Cointelegraph has reached out to the project for comment.
Cointelegraph Chinese is a blockchain news information platform, and the information provided only represents the author's personal opinion, has nothing to do with the position of the Cointelegraph Chinese platform, and does not constitute any investment and financial advice. Readers are requested to establish correct currency concepts and investment concepts, and earnestly raise risk awareness.