A person is using the Multichain Executor to drain tokens associated with the AnySwap bridging protocol
According to a report from on-chain sleuth and Twitter user Spreek, the Multichain Executor is being used to drain tokens linked to the AnySwap bridging protocol. This follows the abnormal outflows of over $100 million from Multichain bridges on July 7, as reported by the Multichain team.
Details from Spreek’s Report
In the report dated July 10, Spreek mentioned, “The Multichain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA [externally owned account].” An attached image displayed Ethereum transaction 0x53ede4462d90978b992b0a88727de19afe4e96f0374aa1a221b8ff65fda5a6fe, which invoked the “anySwapFeeTo” method on the Multichain Router: V4 contract.
The transaction involved approximately $15,275.90 worth of anyDAI (a derivative version of the Dai stablecoin) being minted on Ethereum and sent to the Multichain Executor. The tokens were subsequently burned and exchanged for the underlying DAI.
According to Spreek’s comment, the funds were sent to the address 0x1eed63efba5f81d95bfe37d82c8e736b974f477b. Ethereum blockchain data confirmed that this address received the redeemed DAI from the Multichain Executor around five minutes after the previous transaction.
Additionally, data from BNB Smart Chain (BSC) revealed that the Multichain Executor executed the “anySwapFeeTo” function on its network, resulting in the conversion of $208,997 worth of anyUSDC tokens into Binance-Pegged USDC. These converted tokens were then sent to the same address. Furthermore, 50.80 anyBTC tokens, valued at $39,251.43 at the time, were converted into Binance-Pegged Bitcoin using a similar process.
Overall, approximately $263,524.33 worth of tokens were sent to this address via the “anySwapFeeTo” method.
Possible Explanations and Concerns
Spreek raised the question of whether this behavior is authorized or malicious. Notably, a different account had engaged in similar activities the day before, eventually selling the drained tokens. This suggests malicious intent.
Spreek theorized that the attacker may be leveraging the “anySwapFeeTo” function to set arbitrarily large fees, enabling them to drain users’ funds. According to Spreek, this function allows setting of any value, allowing the address to select the total value of the token held in anyToken.
The Multichain incident has puzzled blockchain analysts, who are unable to determine whether it resulted from an exploit or simply tokenholders moving funds between networks. The mystery began on July 7 when over $100 million worth of tokens were withdrawn from Multichain’s Fantom, Moonriver, and Dogechain bridges, and sent to wallet addresses with no prior transactions. These withdrawals constituted the majority of funds on each bridge.
The Multichain team labeled these withdrawals as “abnormal” and advised users to stop using the protocol. However, they have not disclosed the source of the anomaly.
Recent Developments
On July 8, stablecoin issuers Circle and Tether froze some addresses associated with the unusual transactions. On July 11, blockchain analytics firm Chainanalysis suggested that the incident appears to be more of a hack or rugpull rather than a migration.
Furthermore, the Multichain team reported that their CEO is missing and that certain bridges have been shut down due to the lack of access to some of the network’s multi-party computation network servers.