Hackers took advantage of a vulnerability in a blockchain service to steal around $1.4 million from users earlier this week. In an unexpected turn of events, one of the hackers is now negotiating on the blockchain itself, offering to return 80 percent of the money to the victims and keeping the rest as “tips.” And the hacked company appears to be offering the second hacker a bounty.
This hacker, who called themselves a “white hat”—an industry term that refers to hackers who have no malicious intent—made their promise in a message attached to a transaction that was posted on the Ethereum blockchain on Wednesday.
“Whitehat here, send me the [transaction] you lost your wether [wrapped ether], I give 80% back. The rest is the tips for me saving your money,” the hacker wrote in the message, which was spotted by cybersecurity researcher Tal Be’ery.
“Hi, we offer bounty for exploits,” Tung Dinh, a developer who works for Multichain, wrote in a message posted on the blockchain yesterday, before the second hacker posted their message. “Thanks.”
The hack began on Monday, when Multichain, a platform previously known as Anyswap that allows users to swap tokens between blockchains, announced in a Medium post that there was a vulnerability that affected six cross-chain tokens. Swapping tokens using Multichain requires users to set approvals for the platform’s contract in their cryptocurrency wallet, and these approvals are what the hackers exploited. There was not just one hacker but at least two, according to security experts who are tracking the hack.
The company asked users to remove approvals for the six tokens affected by the vulnerability, otherwise these could be “at risk.” The platform has also disabled swaps for the affected tokens.
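As an added illustration (not code from Multichain or from this article), here is a minimal Python model of the ERC-20 allowance mechanism the preceding paragraphs describe: a swap requires approving the platform’s contract as a spender, that approval outlives the swap, and until the owner sets it back to zero the approved contract can move tokens up to the allowance. Wallet names, the `router` spender and all amounts are constructed.

```python
"""Minimal model of ERC-20 allowances (added example; constructed data,
not Multichain's contracts). Shows why a standing approval to a platform
contract keeps funds exposed until the owner revokes it."""
from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1  # "unlimited" approval many wallets grant by default

class TransferFailed(Exception):
    """Mirrors an ERC-20 transferFrom revert."""

@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        # Called by the spender contract; succeeds only within the standing allowance.
        allowed = self.allowance(owner, spender)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise TransferFailed
        if allowed != MAX_UINT256:  # unlimited approvals are never decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def exposure(token: Token, owner: str, spender: str) -> int:
    """Tokens the spender contract could currently move out of owner's wallet."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))

def revoke(token: Token, owner: str, spender: str) -> None:
    """The remediation the advisory asks for: set the allowance to zero."""
    token.approve(owner, spender, 0)

def walkthrough() -> tuple:
    """Constructed scenario: unlimited approval, one swap, then revocation."""
    weth = Token(balances={"alice": 100})
    weth.approve("alice", "router", MAX_UINT256)         # unlimited approval before a swap
    weth.transfer_from("router", "alice", "router", 10)  # the legitimate swap moves 10
    before = exposure(weth, "alice", "router")           # remaining 90 still reachable
    revoke(weth, "alice", "router")
    after = exposure(weth, "alice", "router")            # 0 once revoked
    return before, after, weth.balances["alice"]
```

The `exposure` check is the defender’s view: whatever a wallet still holds is reachable by every contract that keeps a non-zero allowance, which is why revoking, not merely pausing swaps, closes the window.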
In its official Telegram channel, the company wrote in a message on Wednesday that “the hack is contained for now,” but that the hacker stole 445 WETH, the equivalent of around $1.4 million. Users’ funds, however, are still “potentially to be lost” if users don’t revoke approvals. Multichain shared the same message in a public Medium post.
Yannis Smaragdakis, the co-founder of Dedaub, a security firm that alerted Multichain of the vulnerability, told Motherboard that the flaw “was mostly mitigated.”
“What’s left is approvals that are slowly being exploited, it is fortunate if indeed the flashbot attacker is a white hat,” he said in a phone call, referring to the technique—flashbot—the hacker is using to increase their chance to steal the funds first.
Those vulnerable accounts, with approvals that are yet to be revoked, are the ones that the second hacker, and some others, are targeting now, according to researchers who are monitoring the hack.
“The ‘white hat’ hacker exploited vulnerable wallets in a way that increases their chance to steal the funds before anyone else does,” according to Be’ery, the chief technology officer of ZenGo, a crypto wallet app, who has been monitoring the hack.
Be’ery told Motherboard in an online chat that Multichain “mishandled this situation.”
“They had publicly announced a vulnerability existed in their smart contracts and asked users to actively revoke their approvals (= to actively send a transaction in some dapp) for the vulnerable contract. However, users are not monitoring social media 24/7 and cannot act so quickly,” Be’ery said. “Attackers, on the other hand, do. The announcement tipped the attackers, who were quick to come up with an exploit to steal > $1.6M. What Multichain should have done is to defensively hack their vulnerable users before attackers do and then send the users money back once the users are ‘fixed’ by revoking their approval.”
Multichain did not immediately respond to a request for comment via email. Dinh, the developer who offered the bounty, told Motherboard in a Telegram message that “details will be released later.”
In the official Multichain Telegram channel, several users are asking to be compensated, and warning that there are people sending direct messages to users in an attempt to scam them.
The hack on Multichain is just the latest in a long string of breaches against cryptocurrency and blockchain services. In the last few months alone, hackers have stolen more than $400 million in cryptocurrency in more than a dozen separate attacks, including those against PolyNetwork ($600 million), BadgerDAO ($119 million), and VulcanForge ($140 million).
The attack against PolyNetwork bears some resemblance to the one against Multichain. That one became a saga. The hacker first stole $600 million, then the company pleaded with them in an open letter asking for the funds to be returned, going as far as offering a reward and a job title as “Chief Security Advisor.” Just like with Multichain, that negotiation happened on the blockchain. Against all odds, the hacker ended up returning all the money.
Just this week, Crypto.com, one of the largest cryptocurrency exchanges in the world, said that an “incident” led to a hacker stealing $15 million from the platform’s users.
There is no evidence at this point that the so-called “white hat” hacker who exploited the Multichain vulnerability is indeed going to return the money.