Investigation Report of Multi-chain Bridge Incident

Numbers, published in Numbers Protocol, Nov 23, 2022

A few hours ago, we were made aware of a critical issue with the Multichain swap that may affect ERC20 NUM users. Our dev team took quick action and worked with our bridge/swap partners to determine the impact and the root cause.

Incident

The attack hit one wallet that had granted unlimited permissions to Multichain. An issue in Multichain Router v4 2.anySwapOutUnderlyingWithPermit() hit bridge users back in January and caused a loss of 1.4M USD. More details can be found in the article and the explanation of the issue.

Unfortunately, the same issue was used to attack NUM holders who had granted permissions before. One user was affected and lost a total of 557,754.45000198 NUM; the attacker then swapped all the NUM tokens for ~13 Ether.

Actions

  1. We immediately talked to our official bridge and swap partners, XY Finance, Chainport, and ApeSwap, and all have confirmed that their contracts are safe to use.
  2. As Multichain is not yet an official partner of NUM, we are trying to contact Multichain and ask them to upgrade the Multichain contract to v6 for NUM. (Nov. 30 New Update: We just connected with Multichain. The NUM contract on Multichain has been upgraded.)
  3. In addition, because the abuse of Multichain router v4 is connected to the fallback function in the ERC20 NUM contract, the NUM token contract will be upgraded to further prevent similar attacks in the future. The upgrade is scheduled within the next 10 days.

Suggestions to NUM holders

  1. Use the swaps, exchanges and bridges officially recommended by our official swap/bridge partners, such as XY Finance. We are still waiting for the response from ApeSwap and Chainport and will report the status shortly.
  2. Avoid granting an unlimited amount of any token to dApps. You can check your permissions using revoke.cash or similar services.
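
The permission check from suggestion 2, sketched as an added example (not code from Numbers Protocol, Multichain or revoke.cash): it replays ERC-20 Approval event logs for one wallet and reports unlimited allowances that were never revoked. The addresses, sample logs, helper names and the 2**255 "unlimited" threshold are assumptions made for illustration.

```python
# Added example; every address and log entry below is constructed sample data.
# keccak256("Approval(address,address,uint256)"): the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # assumption: treat allowances at or above this as unlimited

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Replay logs in chain order; return {(token, spender): amount} still open."""
    state = {}
    for log in logs:
        t = log["topics"]
        # ERC-20 Approval carries 3 topics (ERC-721 Approval has 4), so skip others
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(t[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(t[2]))
        amount = int(log["data"], 16)
        if amount:
            state[key] = amount      # a later approval overwrites an earlier one
        else:
            state.pop(key, None)     # approve(spender, 0) is a revocation
    return state

def unlimited_approvals(logs, owner):
    """Open allowances large enough to let the spender move the whole balance."""
    return {k: v for k, v in outstanding_allowances(logs, owner).items() if v >= UNLIMITED}

def make_log(token, owner, spender, amount):
    """Build a constructed Approval log in the shape eth_getLogs returns."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

TOKEN, WALLET = "0x" + "11" * 20, "0x" + "aa" * 20   # constructed token and holder
ROUTER, DEX = "0x" + "b0" * 20, "0x" + "c0" * 20     # constructed spender contracts
SAMPLE_LOGS = [
    make_log(TOKEN, WALLET, ROUTER, 2**256 - 1),     # unlimited, never revoked
    make_log(TOKEN, WALLET, DEX, 2**256 - 1),        # unlimited ...
    make_log(TOKEN, WALLET, DEX, 0),                 # ... later revoked
    make_log(TOKEN, "0x" + "dd" * 20, ROUTER, 500),  # another owner, ignored
]

if __name__ == "__main__":
    for (token, spender), _ in unlimited_approvals(SAMPLE_LOGS, WALLET).items():
        print(f"token {token}: unlimited allowance still open for {spender}")
```

Replayed logs give an upper bound, because transferFrom can reduce an allowance without emitting Approval; confirm a flagged entry with the token's allowance(owner, spender) call before revoking it.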

The takeaway from the incident

The NUM token contract has passed an audit by Certik and is watched by their Skynet service. We also monitor the issues and bugs that happen on other projects and collaborate closely with our partners to avoid potential attacks.

However, Web3 is an open space. The beauty of Web3 is that anyone can build any service for NUM, but this also adds unexpected risks to NUM and to any Web3 service.

Fortunately, we became aware of the issue and took action quickly, so the loss is under control. We will buy back the same amount of NUM in Uniswap and airdrop it to the affected wallets before this announcement is made.
(Update: The team has bought back the same amount of NUM in Uniswap and airdropped it to the affected wallet on Nov. 30; check the buyback txid and the airdrop txid.)

For today's case, we want to thank @peckshield, @spreekaway, @BlockSecTeam, Slowmist, and many others who provided first-hand observations and analysis on Twitter. We also want to thank @ThunderCoreLab and @xyfinance, who provided immediate technical support based on their rich experience in implementing Multichain routers.

With the power of the community, we believe NUM and the whole Web3 industry will continue to grow and overcome all the roadblocks on the way.

About Numbers Protocol

Numbers is building a decentralized photo network for creating community, value, and trust in digital media. Its Numbers Protocol redefines digital visual media as assets and is the backbone of a suite of tools for registering and retrieving images and videos in the Numbers network.

These include:

  • Capture App: The first blockchain camera in the world, with which users can easily register photos and use Web3.0 applications.
  • Numbers API: Developers and enterprises can implement Numbers API to register photos and access their Web3.0 addresses and certificates.
  • Certificates: Content authenticity certificates with on-chain provenance.
  • CaptureClub: A native NFT marketplace that allows photo generators to sell and stake their creations.
  • Numbers Search Engine: The first Web3.0 NFT search engine that helps users verify the history of NFTs and prevent potential NFT fraud.

Numbers champions the purity of digital media and enables people to think more critically about the interactions between our images and the world around us. The goal of Numbers is to tokenize authentic photos (including images and videos) to create a decentralized photo network in Web3.0.
