A report by on-chain investigator and Twitter user Spreek reveals that someone has been utilizing the Multichain Executor to drain tokens associated with the AnySwap bridge protocol. This discovery follows an outflow of over $100 million from the Multichain bridge on July 7, which was deemed abnormal by the Multichain team.
Spreek's report states that the Multichain Executor address has been draining tokens from token addresses across multiple chains and transferring them to a new externally owned account (EOA). The attached image shows an Ethereum transaction that invoked the "anySwapFeeTo" method on the Multichain Router: V4 contract, resulting in the transfer of approximately $15,275.90 worth of anyDAI stablecoins. The funds were then burned and swapped for the underlying DAI, with the redeemed DAI being sent to the specified address.
The same pattern was observed on the Binance Smart Chain (BSC), where the Multichain Executor earned $208,997 worth of anyUSDC tokens and converted them to Binance-pegged USDC. These tokens were also sent to the same address. Similar conversions occurred with anyBTC, with 50.80 anyBTC being converted into Binance-pegged Bitcoin and sent to the address.
The transactions sent to the address via the anySwapFeeTo method total approximately $263,524.33 worth of tokens. While this behavior might be part of the protocol's normal functioning, Spreek points out that another account displayed similar actions the day before and ended up selling the depleted tokens, indicating potentially malicious intent.
On-chain investigators speculate that attackers may be utilizing the anySwapFeeTo function to set the fee to a large amount, allowing them to drain users' funds. The function allows any value to be set, enabling the address to choose the total value of tokens held in the anyToken.
The incident has puzzled blockchain analysts as they struggle to determine whether it resulted from an exploit or simply large token holders moving funds between networks. The mystery began with the withdrawal of tokens worth over $100 million from the Ethereum side of Multichain's bridges, including Fantom, Moonriver, and Dogechain. These withdrawals constituted the majority of funds held on each bridge. While the Multichain team labeled the withdrawals as anomalous and urged users to stop using the protocol, they did not disclose the source or cause of the anomaly.
Stablecoin issuers Circle and Tether took action by freezing some addresses that were receiving funds related to the unusual transactions. Blockchain analysis firm Chainalysis commented that the incident appeared more like a hack or pull than a migration. Additionally, the Multichain team reported that their CEO is missing and that certain bridges have been shut down due to inaccessibility of the network's MPC web servers.



















