Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
The cross-chain bridge project Multichain issued an announcement stating that the newly launched V3 cross-chain liquidity pool was hacked in the early hours of yesterday, with a total loss of 2.39 million USDC and 5.5 million MIM. According to Etherscan, the hacker has sold all MIMs and obtained 548 Million DAI, which means that Multichain's total loss is more than 7.87 million U.S. dollars. According to the explanation of the reason for the theft in the Multichain announcement, two v3 router transactions were detected under the V3 router MPC account on the BSC. These two transactions have the same R value signature, and the hacker reversed the private key of this MPC account. At present, the team has fixed the code to avoid using the same R signature. Multi-chain router V3 will restart in about 48 hours. There is no security risk for v1 and v2. Multichain stated that it has taken remedial measures to provide full compensation. Multichain will refill the stolen liquidity within 48 hours, and the liquidity provider will be able to withdraw assets from the fund pool again without any loss. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 7,870,000.
- chain
- bsc
- protocol
- Multichain
- bug_class
- private-key
- date_occurred
- 2021-07-11
- loss_usd
- $7,870,000
- source_id
- sm:multichain::2021-07-11