Cross-chain protocol Multichain was seemingly exploited last week, losing around $126 million worth of assets, according to blockchain security firms’ estimates. At the time, the team disclosed they were unsure of what had caused the abnormal outflows, urging users to revoke all contract approvals to the protocol.
On July 10, on-chain sleuth Spreek highlighted a series of suspicious transactions from the Multichain executor address, which had been “draining anyToken addresses across many chains…and moving them all to a new EOA [externally owned account].”
“It is unclear whether this is authorized behavior. Previously the same method was used yesterday by a different MPC address on the anyUSDT token on mainnet. The tokens were then immediately sold to ETH, suggesting that that similar address was the actions of a malicious actor.”
— Spreek (@spreekaway) July 10, 2023
Independent reporter Wu Blockchain found that Multichain had recorded another $117 million worth of outflows that had been transferred to a new address, 0x1eed63efba5f81d95bfe37d82c8e736b974f477b.
“In the past 12 hours, Multichain experienced a large number of abnormal outflows again, and all the abnormal outflow assets were basically transferred to the new address: 0x1e…477b, worth about 117 million US dollars.
11.91m DAI, 13,146 ETH, 10.1m USDC, 64m USDT, 52 BTC…”
— Wu Blockchain (@WuBlockchain) July 11, 2023
According to the address profile on wallet tracker DeBank, the amount of tokens held at this address is now valued at $106 million.
In a report summarizing the exploit published earlier this week, blockchain analytics firm Chainalysis noted that the Multichain attacker would have needed to gain control of a sufficient number of the protocol’s multi-party computation (MPC) keys in order to carry out the hack.
“It’s also interesting that the attacker did not swap out of centrally controlled assets like USDC, which can be frozen by the issuing company,” wrote the Chainalysis team.
Indeed, stablecoin issuers Circle and Tether froze around $65 million worth of funds related to the Multichain exploit.
Web3 security firm Beosin speculated that, based on the on-chain behaviour of the Multichain exploiter, it was highly likely that the exploit was the result of an internal operation.
“Another $103M has been transferred from #MultiChain to the 0x1eed63efba5f81d95bfe37d82c8e736b974f477b address.”
— Beosin Alert (@BeosinAlert) July 11, 2023