Multichain Executor has been ‘draining’ AnySwap tokens: Report

A person is using the Multichain Executor to drain tokens associated with the AnySwap bridging protocol, according to a July 10 report by on-chain detective and Twitter user Spreek. The report follows outflows of more than $100 million from Multichain bridges that occurred on July 7, which the Multichain team reported as “abnormal.”

According to Spreek's report on July 10, “the Multichain Executor address has been draining anyToken addresses on many chains today and has moved them all to a new EOA [externally owned account].”

An image attached to the post shows Ethereum transaction 0x53ede4462d90978b992b0a88727de19afe4e96f0374aa1a221b8ff65fda5a6fe. Blockchain data reveals that this transaction called the "anySwapFeeTo" method in the Multichain Router: V4 contract. The call generated approximately $15,275.90 worth of anyDAI, a derivative version of the Dai (DAI) stablecoin, which was minted on Ethereum and sent to the Multichain Executor, which then burned it and exchanged it for the underlying DAI backing the asset.

DAI conversion by the Multichain Executor. Source: Etherscan

In a separate comment, Spreek said that the funds were sent to the following address: 0x1eed63efba5f81d95bfe37d82c8e736b974f477b. Data from the Ethereum blockchain shows that this address received the DAI redeemed from the Multichain Executor on July 10, about five minutes after the previous transaction.

BNB Smart Chain (BSC) data shows that the Multichain Executor also called the anySwapFeeTo function on that network for $208,997 worth of anyUSDC. This resulted in $208,997 worth of tokens being converted to the underlying Binance-pegged USDC, which was subsequently sent to this same address. In other BSC transactions, the contract used this process to convert 50.80 anyBTC, worth $39,251.43 at the time, to the equivalent Binance-pegged Bitcoin and send it to this address.

These transactions total approximately $263,524.33 in tokens sent to this address via the anySwapFeeTo method.

Spreek said that this behavior could be part of the normal operation of the protocol. On the other hand, a different account had behaved similarly the day before, Spreek claimed. The other account eventually sold the drained tokens, providing evidence that it was malicious:

“It is not clear if this is authorized behavior. Previously, the same method was used yesterday by a different MPC address in the anyUSDT token on the mainnet. The tokens were then immediately sold back to ETH, suggesting that that similar address was the action of a malicious actor.”

The on-chain detective theorized that the attacker may be using the anySwapFeeTo function to set fees at an arbitrarily large amount, allowing them to drain user funds. This function “[a]pparently allows you to set ANY value, so the address simply chooses the total value of the token contained in that anyToken,” Spreek stated.
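A monitoring check for the pattern Spreek describes, as an added example that is not from the report or from Multichain's code: it flags anySwapFeeTo calls whose amount is close to the whole underlying balance of the targeted anyToken. The record layout, the 0.9 threshold and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FeeCall:
    """One decoded anySwapFeeTo call (hypothetical record layout)."""
    tx: str                  # constructed transaction label
    token: str               # anyToken the call targeted
    amount: Decimal          # amount argument passed to anySwapFeeTo
    backing_before: Decimal  # underlying held by that anyToken before the call


# Constructed sample records, not real chain data.
SAMPLE_CALLS = [
    FeeCall("tx-a", "anyAAA", Decimal("120.5"), Decimal("250000")),
    FeeCall("tx-b", "anyAAA", Decimal("249879.5"), Decimal("249879.5")),
    FeeCall("tx-c", "anyBBB", Decimal("41.9"), Decimal("42")),
    FeeCall("tx-d", "anyCCC", Decimal("10"), Decimal("0")),
]


def drain_ratio(call: FeeCall) -> Optional[Decimal]:
    """Fraction of the anyToken's backing taken by one call; None if no backing."""
    if call.backing_before <= 0:
        return None
    return call.amount / call.backing_before


def flag_drains(calls: List[FeeCall],
                threshold: Decimal = Decimal("0.9")) -> List[Tuple[str, str]]:
    """Return (tx, reason) for calls that look like a drain rather than a fee."""
    flagged = []
    for call in calls:
        ratio = drain_ratio(call)
        if ratio is None:
            # A positive "fee" against an empty vault cannot be an accrued fee.
            if call.amount > 0:
                flagged.append((call.tx, "no-backing"))
        elif ratio >= threshold:
            flagged.append((call.tx, "drain"))
    return flagged


if __name__ == "__main__":
    for tx, reason in flag_drains(SAMPLE_CALLS):
        print(tx, reason)
```

A fee-sized call such as the first sample record passes, while calls that take nearly all of an anyToken's backing are reported for review.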

The Multichain incident has puzzled blockchain analysts, as no one has been able to prove whether it was the result of an exploit or simply the result of large tokenholders moving their funds between networks. The mystery began on July 7, when more than $100 million worth of tokens were removed from the Ethereum side of Multichain's Fantom, Moonriver and Dogechain bridges and sent to wallet addresses with no prior transactions. These withdrawals represented the majority of the funds held at each bridge.

The Multichain team declared the withdrawals “abnormal” and told users to stop using the protocol. However, the team did not state what the source of the anomaly was or could be.

On July 8, stablecoin issuers Circle and Tether froze some of the addresses that received funds linked to the strange transactions. On July 11, blockchain analytics firm Chainalysis said the incident "looks more like a hack or a rug pull and less like a migration."

The Multichain team says that its CEO is missing and that it has closed some bridges because it no longer has access to some of the computer network servers from multiple parts of the network.