Anyswap

Anyswap Multichain Router Hack - July 2021

The July 2021 Anyswap Hack

The attack occurred on Anyswap V3 liquidity pool on July 10, 2021, at 8:00 PM UTC. The protocol suffered an attack, leading to a loss of over $7.9 million in assets.

Root Cause

Two v3 router transactions were detected under the V3 Router MPC account on BSC with the same R value signature, and the hacker deduced the private key to this MPC account in reverse. This was essentially a cryptographic vulnerability in how the elliptic curve signature scheme handled the nonce (or "k" value) in the MPC (Multi-Party Computation) signing process.

Response and Compensation

Anyswap has already put remedial actions in place to provide full compensation. LPs to v3 won't take any losses. Trail of Bits has been auditing v1/v2, and Anyswap informed them of the v3 incident, putting joint efforts to dig into this problem.

This hack is notable as an early example of cross-chain bridge vulnerabilities, which would later become a recurring issue for the platform in subsequent years.

Sources

• https://anyswap.medium.com/anyswap-multichain-router-v3-exploit-statement-6833f1b7e6fb

• https://curve.substack.com/p/july-12-2021-anyswap-in-a-storm-

• https://medium.com/@0xscope_labs/0xscope-research-multichain-hack-and-its-implications-ec54cb5e6221