Suspected Malicious Activity Drains AnySwap Tokens via Multichain Executor
According to an on-chain sleuth known as Spreek, a person is using the Multichain Executor to drain tokens associated with the AnySwap bridging protocol.
Multichain is a cross-chain routing network, established and maintained by a Chinese developer team. It supports in excess of 25 blockchains and more than 1,100 tokens.
$100 million outflow
This revelation comes after abnormal outflows of over $100 million from Multichain bridges on July 7, which were flagged by the Multichain team. Spreek’s report via Twitter on July 10 states that the Multichain Executor address has been draining anyToken addresses across multiple chains and transferring them to a new externally owned account (EOA).
Evidence provided in the report includes an Ethereum transaction, 0x53ede4462d90978b992b0a88727de19afe4e96f0374aa1a221b8ff65fda5a6fe, which called the “anySwapFeeTo” method on the Multichain Router: V4 contract. This transaction resulted in approximately $15,275.90 worth of anyDAI being minted on Ethereum, sent to the Multichain Executor, burned, and exchanged for the underlying DAI backing the asset.
The funds from these transactions were sent to the following address:0x1eed63efba5f81d95bfe37d82c8e736b974f477b. Similarly, on the BNB Smart Chain (BSC), the Multichain Executor used the anySwapFeeTo function to convert $208,997 worth of anyUSDC into Binance-pegged USDC and sent them to the same address. Additionally, 50.80 anyBTC, equivalent to $39,251.43 at the time, was converted into Binance-pegged Bitcoin and sent to the address.
In total, approximately $263,524.33 worth of tokens were sent to this address through the anySwapFeeTo method. Spreek suggests that this behavior could be part of the protocol’s normal functioning. However, a different account engaged in similar activity the day before and ultimately sold the drained tokens, indicating malicious intent.
Potential exploit
Spreek theorizes that the attacker may be exploiting the anySwapFeeTo function by setting fees to an arbitrarily large amount, allowing them to drain users’ funds. The function apparently permits setting any value, enabling the address to choose the total value of the token held in that anyToken.
The Multichain incident has puzzled blockchain analysts, as it remains unclear whether it resulted from an exploit or if it was simply large token-holders moving their funds between networks. The mystery began on July 7 when over $100 million worth of tokens were withdrawn from the Ethereum side of Multichain’s bridges and transferred to wallet addresses with no prior transactions. This represented the majority of funds held on each bridge.
Hack or rug pull
The Multichain team labeled these withdrawals as “abnormal” and advised users to stop using the protocol. However, they have not disclosed the source or nature of the anomaly. In response to the incident, stablecoin issuers Circle and Tether froze some of the addresses involved in the suspicious transactions. Chainanalysis, a blockchain analytics firm, has commented that the incident appears more like a hack or rug pull rather than a migration.
Adding to the complexity, the Multichain team has reported that their CEO is missing, and they have shut down certain bridges due to losing access to some of the network’s multi-party computation network servers. There have been various concerns relative to Multichain since May. The situation continues to evolve, with ongoing investigations and efforts to mitigate any potential damage caused by the suspected malicious activity.
