After an exploit drained Multichain users of more than $3 million worth of cryptocurrency this week, a white-hat hacker has restored 322 Ethereum (about $900,000). However, up to $1.5 million in Ethereum is still missing. Multichain is a cross-chain router technology that connects users across thirty blockchains, including Bitcoin, Ethereum, and Terra.
Wrapped ETH (WETH), Peri Finance Token (PERI), Official Mars Token (OMT), Wrapped BNB (WBNB), Polygon (MATIC), and Avalanche appear to have been affected by this week’s critical vulnerability (AVAX).
Multichain said on Twitter on Monday that the issue had been “reported and addressed.”
More attackers came in after the disclosure and were still able to use the same vulnerability to exploit the protocol, with one hacker obtaining as much as $1.43 million.
Critical vulnerabilities are not only exploited by criminals for self-interested reasons in the crypto underworld; they also attract the attention of blockchain vigilantes known as “white hat” hackers, who exploit vulnerabilities in order to disclose them and collect a bounty.
A white hat was one of the attackers who targeted Multichain after Monday’s announcement.
The hacker sent an affected user 322 ETH (about $900,000) and kept 62 ETH ($173k) as a bounty.
The hacker also gave Multichain 52 ETH ($139,000) and kept about 12 ETH as a bounty.
However, 527 ETH, or little under $1.5 million, remains unaccounted for.
Multichain CEO and co-founder Zhaojun took to Twitter on Thursday to validate ZenGo wallet co-founder Tal Be’ery’s theory that the vulnerability was due to Multichain’s bridge contracts requiring a stop mechanism to prevent future fund losses.