Alleged Drainage of AnySwap Tokens by Multichain Executor Revealed in Report

An intriguing discovery has been made by on-chain investigator and Twitter user Spreek, suggesting that an individual is utilizing the Multichain Executor to drain tokens associated with the AnySwap bridging protocol. This revelation follows a series of abnormal outflows totaling over $100 million from Multichain bridges on July 7, as reported by the Multichain team.

According to Spreek’s report on July 10, “The Multichain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA [externally owned account].”

Accompanying the post is an image displaying Ethereum transaction 0x53ede4462d90978b992b0a88727de19afe4e96f0374aa1a221b8ff65fda5a6fe. Analysis of blockchain data reveals that this transaction invoked the “anySwapFeeTo” function on the Multichain Router: V4 contract. Consequently, approximately $15,275.90 worth of anyDAI, a derivative version of the Dai stablecoin, was minted on Ethereum and subsequently sent to the Multichain Executor. The tokens were then burned and exchanged for the underlying DAI assets.

Further investigation reveals that the funds were directed to the address 0x1eed63efba5f81d95bfe37d82c8e736b974f477b. Ethereum blockchain data indicates that this address received the redeemed DAI from the Multichain Executor on July 10, a mere five minutes after the previous transaction.

Additional data from the BNB Smart Chain (BSC) highlights that the Multichain Executor executed the anySwapFeeTo function on the network, converting $208,997 worth of anyUSDC into its underlying Binance-Pegged USDC. These converted tokens were subsequently transferred to the same address. In other BSC transactions, the contract performed a similar process, converting 50.80 anyBTC, valued at $39,251.43 at the time, into Binance-Pegged Bitcoin, and sending it to the mentioned address.

Cumulatively, these transactions amount to approximately $263,524.33 worth of tokens being sent to the specified address via the anySwapFeeTo method.

Spreek suggests that this behavior could potentially be a normal aspect of the protocol. However, the investigator notes that a different account engaged in similar actions the day prior, eventually selling the drained tokens. This provides evidence to suggest that malicious intent was involved:

“It is unclear whether this is authorized behavior. Previously, the same method was used yesterday by a different MPC address on the anyUSDT token on mainnet. The tokens were then immediately sold to ETH, suggesting that that similar address was the actions of a malicious actor.”

Spreek speculates that the attacker might be exploiting the anySwapFeeTo function by setting the fee to an arbitrarily large amount, allowing them to drain users’ funds. According to Spreek, the function lets the caller set the fee to any value, and in these transactions the address chose the full balance held by each respective anyToken.
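As an added illustration, not code from the report or from Multichain, the following triage heuristic captures the two signals Spreek relies on: a fee withdrawal that takes (almost) the whole balance an anyToken holds, and redeemed funds from several chains converging on an account with little or no history. The USD figures are the ones quoted above, used here as constructed sample input; the held balances, prior transaction counts and the treasury address are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FeeWithdrawal:
    """One privileged anySwapFeeTo call, as reconstructed from chain data."""
    chain: str
    token: str
    amount_usd: float          # value minted and then redeemed by the call
    held_usd: float            # assumed: underlying value the anyToken held beforehand
    recipient: str             # EOA that finally received the redeemed underlying
    recipient_prior_txs: int   # assumed: recipient's transaction count before receipt


# Constructed sample modelled on the report's figures (held_usd and prior_txs assumed).
RECIPIENT = "0x1eed63efba5f81d95bfe37d82c8e736b974f477b"
SAMPLE = [
    FeeWithdrawal("ethereum", "anyDAI", 15275.90, 15275.90, RECIPIENT, 0),
    FeeWithdrawal("bsc", "anyUSDC", 208997.00, 208997.00, RECIPIENT, 1),
    FeeWithdrawal("bsc", "anyBTC", 39251.43, 39251.43, RECIPIENT, 2),
    # Routine fee sweep for contrast: a small slice of holdings to a long-lived address.
    FeeWithdrawal("ethereum", "anyUSDT", 1200.00, 4_000_000.00, "0xTREASURY_ASSUMED", 540),
]


def drain_ratio(w: FeeWithdrawal) -> float:
    """Share of the token's held value taken by one fee call; close to 1.0 means a full drain."""
    return w.amount_usd / w.held_usd if w.held_usd > 0 else 0.0


def flag_fee_drains(withdrawals, ratio_threshold=0.9, fresh_tx_limit=5):
    """Group fee withdrawals by recipient and flag recipients that either received a
    near-total anyToken balance or are fresh accounts collecting from several chains."""
    by_recipient = defaultdict(
        lambda: {"total_usd": 0.0, "chains": set(), "full_drains": 0, "fresh": False})
    for w in withdrawals:
        r = by_recipient[w.recipient]
        r["total_usd"] += w.amount_usd
        r["chains"].add(w.chain)
        if drain_ratio(w) >= ratio_threshold:
            r["full_drains"] += 1
        if w.recipient_prior_txs <= fresh_tx_limit:
            r["fresh"] = True
    flagged = {}
    for addr, r in by_recipient.items():
        if r["full_drains"] > 0 or (r["fresh"] and len(r["chains"]) > 1):
            r["total_usd"] = round(r["total_usd"], 2)
            flagged[addr] = r
    return flagged
```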

The Multichain incident has left blockchain analysts puzzled, as they struggle to determine whether it stems from an exploit or is simply a result of significant token holders transferring their funds between networks. The mystery unfolded on July 7 when over $100 million worth of tokens were withdrawn from the Ethereum side of Multichain’s Fantom, Moonriver, and Dogechain bridges, and sent to wallet addresses with no prior transactions. These withdrawals accounted for the majority of funds held on each bridge.

While the Multichain team acknowledged the abnormality of the withdrawals and urged users to halt their usage of the protocol, they have not disclosed the exact source or nature of the anomaly.

Following the strange transactions, stablecoin issuers Circle and Tether froze some of the addresses that received the funds on July 8. On July 11, blockchain analytics firm Chainalysis suggested that the incident appears more likely to be a hack or rug pull than a planned migration.

Complicating matters, the Multichain team has revealed that their CEO is missing, and they have temporarily suspended certain bridges due to a loss of access to some of the network’s multi-party computation (MPC) servers.

For more news, find me on Twitter or subscribe to my YouTube channel.

What is your opinion on this issue? Leave me your comment below! I’m always interested in your opinion!
