Multichain announced to reimburse 100% of users' losses
SINGAPORE, Feb. 21, 2022 /PRNewswire/ -- On January 10, 2022, Multichain was alerted by Dedaub to two critical vulnerabilities in the Multichain liquidity pool contract and router contract, which were later confirmed to affect eight tokens (WETH, WBNB, MATIC, AVAX, MFI, WSPP, TLOS, IOTEX). The liquidity pool vulnerability was fixed soon after it was reported, as Multichain migrated the affected tokens' liquidity to new contracts. However, the risk remains for users who have yet to revoke their approvals for the affected router contracts. Importantly, only the users themselves can revoke those approvals. As such, Multichain made an official announcement about this vulnerability on January 18 and urged users to take action immediately as instructed.
Status now (as of February 18 24:00 UTC)
- A total of 7,962 user addresses are affected: 4,861 addresses have revoked their approvals, while the remaining 3,101 addresses have not yet done so and still need to take action as soon as possible.
- A total of 1,889.6612 WETH and 833.4191 AVAX has been exploited, from which 912.7984 WETH and 125 AVAX were rescued by the joint efforts of Multichain and whitehats.
After a month of efforts to notify all affected users, over 61% have revoked their approvals so far. According to monitoring data from Dune Analytics, the attacks mainly happened in the first week after the exploit was released. Both the number of attack transactions and the amounts taken have plunged since January 25; the past two weeks have seen only a few attacks of very low value.
Compensation plan
Together with the joint efforts of whitehats, Multichain has successfully rescued 912.7984 WETH and 125 AVAX from hackers, nearly 50% of the total stolen funds. However, in spite of its best efforts, a total of 976.8628 WETH has been stolen.
The team initiated a proposal to reimburse 100% of users' losses. As a safety measure, the funds (including the miner fee) will be returned only to users who a) have revoked their approvals and b) have submitted a ticket at the Multichain help desk. It has been one month since Multichain disclosed the hack and urged users to revoke their approvals, and the team has pursued every option available to notify all users of the risk. As such, Multichain will not reimburse any losses that occur after February 18 24:00 UTC.
Multichain will continue to make every effort to rescue as much funds as possible, and will keep everyone updated. Any funds rescued after February 18 24:00 UTC will be refunded to users (minus the miner fee).
Again, Multichain strongly urged users who ever gave approvals to the affected token contracts to revoke before sending any tokens to their wallets. Please use this tool to check and revoke via Multichain UI.
Bug Bounty Payment
Multichain expressed its sincere thanks to Dedaub for reaching out at the very moment they found the vulnerabilities, and for assisting in the battle against the attacks. The team will reward Dedaub with its maximum bug bounty of $1M for each of the two vulnerability disclosures.
Shout-outs also go to
Everyone who jumped in and reached out to offer help at the critical moment, including Etherscan Team, Sorbet Finance, Ava Labs, Sushiswap, Spookyswap, Metamask, Polygon, Opensea, Looksrare, Tether, Popsicle Finance, Frax Finance, Gemini, Synapse Protocol, BlockSec, 0xlosha, MevRefund and all the community members.
Actions taken to prevent this from happening again
- Further rounds of security audit. Further rounds of security audits on contracts, cross-chain bridges and MPC will be conducted. The team will make continuous efforts to make security enhancements on the whole cross chain bridge architecture and closely monitor all new contracts.
- MULTI Security Fund. Multichain will initiate a governance proposal of the Security Fund. The security fund is used to take necessary and possible rescue measures for asset losses caused by possible vulnerabilities in Multichain's own system and service.
- Bug Bounty Program. Multichain will work with Immunefi on the Bug Bounty program to encourage the community to continue to review Multichain code and security. Multichain believes it's important to make the good guys stay motivated and make sure they know they are appreciated. The team will provide a reward of $500 to $1,000,000 for discovering and submitting vulnerabilities. Click here for more details.
- Free public supervision API. The approval-revoke API developed for this incident has been demonstrated to be effective. The protocols which integrate this API can easily detect and then alert affected user addresses to take actions accordingly. Multichain is updating it and will offer a free public API for all projects.
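The check-and-revoke tool and the approval-monitoring API described above both reduce to the same question: which owner addresses still hold a nonzero ERC-20 allowance for an affected router? The following is an added example, not Multichain's code; it replays constructed Approval logs to find those addresses and builds the `approve(spender, 0)` calldata a user signs to revoke. The router and user addresses are placeholders, since the page does not list the affected contract addresses.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Placeholder addresses (constructed; the page does not list the real ones).
ROUTER = "0x000000000000000000000000000000000000a001"
OTHER_SPENDER = "0x000000000000000000000000000000000000b002"
WETH = "0x000000000000000000000000000000000000c003"
ALICE, BOB, CAROL = ("0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20)
AFFECTED_ROUTERS: Set[str] = {ROUTER}

APPROVE_SELECTOR = "095ea7b3"  # keccak256("approve(address,uint256)")[:4]


@dataclass(frozen=True)
class ApprovalEvent:
    """One ERC-20 Approval(owner, spender, value) log."""
    block: int
    log_index: int
    token: str
    owner: str
    spender: str
    value: int


# Constructed sample logs, not from the incident.
SAMPLE_EVENTS = [
    ApprovalEvent(100, 0, WETH, ALICE, ROUTER, 2**256 - 1),  # unlimited approval
    ApprovalEvent(101, 3, WETH, BOB, ROUTER, 500 * 10**18),
    ApprovalEvent(102, 1, WETH, ALICE, ROUTER, 0),            # Alice revoked
    ApprovalEvent(103, 0, WETH, CAROL, OTHER_SPENDER, 10**18),  # unaffected spender
]


def outstanding_allowances(events: Iterable[ApprovalEvent], routers: Set[str]
                           ) -> Dict[Tuple[str, str, str], int]:
    """Replay logs in chain order; the last value per (token, owner, spender)
    is the allowance still in force. Returns nonzero allowances granted to an
    affected router. Caveat: some tokens lower an allowance on transferFrom
    without emitting Approval, so confirm a hit with an allowance() call."""
    wanted = {r.lower() for r in routers}
    latest: Dict[Tuple[str, str, str], int] = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.spender.lower() in wanted:
            latest[(ev.token.lower(), ev.owner.lower(), ev.spender.lower())] = ev.value
    return {key: val for key, val in latest.items() if val > 0}


def addresses_needing_action(events: Iterable[ApprovalEvent], routers: Set[str]) -> Set[str]:
    """Owner addresses to alert: they still hold a live approval for a router."""
    return {owner for (_, owner, _) in outstanding_allowances(events, routers)}


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector, left-padded address, zero amount."""
    addr = spender[2:].lower()
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64
```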
Multichain thanks everyone for their patience in learning about and understanding this incident. The team appreciates every supporter and honors their trust in Multichain. Multichain will learn from this incident and emerge stronger and better. It has been working hard and will continue to do its best to serve as the ultimate cross-chain router for Web3.
SOURCE Multichain