A critical security vulnerability has been identified within the MultiChain protocol, a leading cross-chain router previously known as Anyswap. The issue specifically affects six widely used wrapped and native assets across multiple blockchains. While the development team has addressed the flaw, users who previously granted token approvals must take immediate action to secure their holdings.
This incident underscores the broader security challenges inherent in cross-chain interoperability and highlights the importance of proactive asset management.
Understanding the MultiChain Vulnerability
MultiChain operates as a cross-chain router protocol (CRP), enabling seamless asset transfers between numerous blockchain networks, including Ethereum (ETH), Binance Smart Chain (BSC), and Avalanche. The platform, which rebranded from Anyswap in late 2021, has grown significantly, supporting over 1,300 tokens across ten blockchains with a total value locked (TVL) exceeding $8 billion.
Security researchers from Dedaub discovered a vulnerability impacting the approvals for six specific tokens:
- Wrapped Ethereum (WETH)
- PERI Finance (PERI)
- Mars Token (OMT)
- Wrapped Binance Coin (WBNB)
- Polygon (MATIC)
- Avalanche (AVAX)
Although the MultiChain team has patched the vulnerability, the potential for exploitation remains for any user who has previously authorized these tokens on the platform. All users are strongly urged to revoke these approvals to eliminate any risk to their assets.
The team has confirmed that all assets within the V2 Bridge and V3 Router are currently secure and that cross-chain transactions can proceed safely. Only users who have approved the six listed tokens need to take action.
Step-by-Step Guide to Revoking Token Approvals
If you have interacted with any of the affected tokens on MultiChain, follow these steps to revoke your approvals and protect your funds.
1. Access the Approval Portal
Navigate to the official MultiChain approval revocation page. You will need to connect your Web3 wallet, such as MetaMask.
2. Identify Required Actions
The interface will display options based on your past approval history and the network you are connected to. For example, if you approved WBNB on BSC, you will need to be on the BSC network to see the revocation option for it.
3. Switch Networks If Necessary
If the token you need to revoke is on a different network (e.g., Avalanche for AVAX), use your wallet to switch to the correct network. The portal provides "Switch to BSC" or "Switch to Avalanche" buttons for convenience.
4. Execute the Revocation
Once on the correct network, click the "Revoke" button next to the relevant token. Your wallet will prompt you to confirm the transaction, which will require paying a small network gas fee.
5. Confirm the Action
After a few seconds, a confirmation message like "Approve BNB" will appear, indicating the revocation was successful. To verify, refresh the page. A message stating "No actions needed" confirms the process is complete.
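At the token-contract level, revoking an ERC-20 approval means calling approve(spender, 0) so that allowance(owner, spender) returns zero. The JavaScript below is an added example, not MultiChain's portal code: it builds the allowance query and the revoke transaction fields and decodes the query result. All three addresses are constructed placeholders, and the sample call results are made up for illustration.

```javascript
// Standard ERC-20 selectors: first 4 bytes of keccak256 of each signature.
const SEL_ALLOWANCE = "dd62ed3e"; // allowance(address,address)
const SEL_APPROVE = "095ea7b3";   // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed placeholders (assumptions, NOT real MultiChain or token contracts).
const OWNER = "0x1111111111111111111111111111111111111111";
const SPENDER = "0x2222222222222222222222222222222222222222"; // stands in for the router
const TOKEN = "0x3333333333333333333333333333333333333333";   // stands in for the token

// ABI-encode an address as a left-padded 32-byte word.
function padAddress(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return addr.slice(2).toLowerCase().padStart(64, "0");
}

// ABI-encode a uint256 (BigInt) as a 32-byte word.
function padUint(value) {
  if (value < 0n || value > MAX_UINT256) throw new Error("uint256 out of range");
  return value.toString(16).padStart(64, "0");
}

// JSON-RPC eth_call body that reads allowance(owner, spender) from the token.
function allowanceCall(token, owner, spender) {
  const data = "0x" + SEL_ALLOWANCE + padAddress(owner) + padAddress(spender);
  return { jsonrpc: "2.0", id: 1, method: "eth_call", params: [{ to: token, data }, "latest"] };
}

// Decode the 32-byte result of that call and classify the remaining exposure.
function classifyAllowance(resultHex) {
  if (!/^0x[0-9a-fA-F]{64}$/.test(resultHex)) throw new Error("unexpected eth_call result");
  const amount = BigInt(resultHex);
  if (amount === 0n) return { amount, status: "none" };
  return { amount, status: amount === MAX_UINT256 ? "unlimited" : "limited" };
}

// Transaction fields for approve(spender, 0): sent to the TOKEN, signed by the owner.
function revokeTx(token, owner, spender) {
  const data = "0x" + SEL_APPROVE + padAddress(spender) + padUint(0n);
  return { from: owner, to: token, value: "0x0", data };
}

// Constructed sample results, shaped like what an RPC node returns.
const SAMPLE_UNLIMITED = "0x" + "f".repeat(64);
const SAMPLE_ZERO = "0x" + "0".repeat(64);
```

The revoke transaction is addressed to the token contract, not to the router; the router appears only as the spender argument. A status of "none" after the transaction confirms is the on-chain equivalent of the portal's "No actions needed" message.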
The Persistent Security Challenges of Cross-Chain Technology
This is not MultiChain's first major security incident. In July 2021, while operating under the Anyswap brand, the protocol suffered a hack that exploited a V3 router vulnerability, leading to the loss of over $3 million in USDC and MIM tokens.
These events highlight systemic concerns within the cross-chain ecosystem. Ethereum co-founder Vitalik Buterin has previously expressed skepticism about cross-chain architectures, arguing for a multi-chain future instead. He points out that fundamental security models and consensus mechanisms cannot be perfectly synchronized across independent blockchains. This inherent weakness means that even a secure bridge can become a single point of failure. If one blockchain in an interconnected system is compromised, the damage can propagate, as bridges often rely on data from one chain rather than the consensus of another.
The industry has witnessed other close calls. In October 2021, the Polygon network discovered a critical bug in its Plasma Bridge that potentially put $850 million at risk. The disaster was averted thanks to a white-hat hacker who reported the flaw through Immunefi, a smart contract bug bounty platform, and received a record $2 million reward for their efforts.
Frequently Asked Questions (FAQ)
Q: What is a token approval, and why is revoking it important?
A: A token approval is a permission you grant a smart contract, allowing it to spend or move a specific amount of your tokens. Revoking it removes that permission, protecting your assets if the contract has a vulnerability or becomes malicious.
Q: Do I need to revoke approvals if I haven't used MultiChain recently?
A: Yes. If you have ever approved any of the six listed tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) on MultiChain, you should revoke that approval, regardless of how long ago it was.
Q: Is it safe to continue using the MultiChain protocol?
A: The team states that the vulnerability has been patched and that current operations are secure. However, this event serves as a reminder to always exercise caution and only grant token approvals to protocols you trust implicitly.
Q: Will revoking approvals affect my ability to use MultiChain in the future?
A: No. Revoking an approval only removes existing permissions. If you wish to use the protocol later, you will simply need to grant a new approval for any future transactions, which is a standard process.
Q: What are the gas fees for revoking an approval?
A: Revoking an approval requires a blockchain transaction, so you will need to pay a small gas fee on the respective network (e.g., BSC or Avalanche) to complete the process.
Q: How can I stay informed about future security issues?
A: Always follow official announcements from the protocols you use. Additionally, following reputable security firms and crypto news outlets can provide early warnings about potential vulnerabilities across the ecosystem.