Multichain Executor has been ‘draining’ AnySwap tokens: Report
A person is using the Multichain Executor to drain tokens associated with the AnySwap bridging protocol, according to a July 10 report from on-chain sleuth and Twitter user Spreek. The report follows outflows of over $100 million from Multichain bridges that occurred on July 7, which were reported by the Multichain team as “abnormal.”
The Multichain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA pic.twitter.com/gqDaXMBl96
— Spreek (@spreekaway) July 10, 2023
According to Spreek’s July 10 report, “The Multichain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA [externally owned account].”
An image attached to the post shows Ethereum transaction 0x53ede4462d90978b992b0a88727de19afe4e96f0374aa1a221b8ff65fda5a6fe. Blockchain data reveals that this transaction called the “anySwapFeeTo” method on the Multichain Router: V4 contract, causing approximately $15,275.90 worth of anyDAI — a derivative version of the Dai (DAI) stablecoin — to be minted on Ethereum and sent to the Multichain Executor, who then burned it and exchanged it for the underlying DAI backing the asset.
In a separate comment, Spreek said the funds are being sent to the following address: 0x1eed63efba5f81d95bfe37d82c8e736b974f477b. Ethereum blockchain data shows that this address received the redeemed DAI from the Multichain Executor on July 10, about five minutes after the previous transaction.
Data for BNB Smart Chain (BSC) shows that the Multichain Executor also called the anySwapFeeTo function on its network for $208,997 worth of anyUSDC. This resulted in $208,997 worth of the tokens being converted into its underlying Binance-Pegged USDC, which were subsequently sent to this same address. In other BSC transactions, the contract used this process to convert 50.80 anyBTC, worth $39,251.43 at the time, to equivalent Binance-Pegged Bitcoin and send it to this address.
The transactions add up to approximately $263,524.33 worth of tokens sent to this address through the anySwapFeeTo method.
Spreek said this behavior could be part of the normal functioning of the protocol. On the other hand, a different account had engaged in similar behavior the day before, Spreek stated. The other account eventually sold the drained tokens, providing evidence that it was malicious:
“It is unclear whether this is authorized behavior. Previously the same method was used yesterday by a different MPC address on the anyUSDT token on mainnet. The tokens were then immediately sold to ETH, suggesting that that similar address was the actions of a malicious actor.”
The on-chain sleuth theorized that the attacker may be using the anySwapFeeTo function to set fees to an arbitrarily large amount, allowing them to drain users’ funds. This function “[a]pparently allows ANY value to be set, so the address is simply choosing the total value of the token held in that anyToken,” Spreek stated.
The Multichain incident has baffled blockchain analysts, as no one has been able to prove whether it resulted from an exploit or is simply the result of large tokenholders moving their funds between networks. The mystery began on July 7, when over $100 million worth of tokens were withdrawn from the Ethereum side of Multichain’s Fantom, Moonriver and Dogechain bridges and sent to wallet addresses with no previous transactions. These withdrawals represented the majority of funds held on each bridge.
The Multichain team declared that the withdrawals were “abnormal” and told users to stop using the protocol. However, the team did not declare what the source of the anomaly was or could be.
On July 8, stablecoin issuers Circle and Tether froze some of the addresses that received funds tied to the strange transactions. On July 11, blockchain analytics firm Chainanalysis said the incident “looks more like a hack or rugpull and less like a migration.”
The Multichain team says their CEO is missing and that they’ve shut down some bridges due to no longer having access to some of the network’s multi-party computation network servers.