In Brief:
- Multichain protocol loses $3M after continuous hacks.
- A whitehat hacker returned $813k to a victim and kept the remaining $150k for himself.
- Multichain has not yet provided any details on refunding the affected users.
Users are infuriated as hackers continue to exploit the vulnerability in the Multichain protocol, with losses now reaching up to $3 million.
According to a report, one of the hackers stole $1.4M, and another offered to return 80% of the stolen funds to the affected users and keep the rest as “tips for me saving your money.”
A few days ago, when the vulnerability was first found, Multichain asked its users to revoke the wallet permissions granted to the six affected tokens. The tokens were WETH, PERI, OMT, WBNB, MATIC, and AVAX.
The protocol later announced that its team had fixed the vulnerability, but when PeckShield reported that the bug was being exploited and that the stolen funds were worth $1.34M, the firm again reminded its users to revoke permissions and didn’t give any extra details.
The announcement encouraged hackers to exploit the vulnerability, and the situation escalated as the lost amount kept increasing.
Tal Be’ery, a cybersecurity analyst and CTO of crypto wallet ZenGo who has been keeping an eye on the hack, later reported that the hackers stole about $3M.
A user who lost $960k offered the hacker’s address 50 ETH in exchange for the remaining funds.
The whitehat hacker later returned 259 ETH, approximately $813k, and kept the remaining $150k for himself.
Be’ery tweeted that Multichain contacted the original address, which has been holding over 450 ETH in stolen funds since January 18, and offered the hacker a bug bounty for exploits.
Be’ery called out Multichain for how it handled the vulnerability, claiming that by publicizing the issue before alerting all users, the firm edged the hackers and encouraged them to start extorting funds. Be’ery said Multichain should win the Pwnie Award “for the worst way to treat a vulnerability.”
Victims are wondering if the company will refund their money and are complaining that scammers are impersonating the firm in order to steal even more money from users. Multichain has still not commented on the whole event and has turned off replies on its Twitter account.