$7 800 000 USD

JULY 2021

GLOBAL

ANYSWAP

DESCRIPTION OF EVENTS

"Anyswap is a fully decentralized cross chain swap protocol, based on Fusion DCRM technology, with automated pricing and liquidity system. Anyswap is a decentralized application running on the Fusion, Binance Smart Chain, Ethereum and Fantom blockchains. The first application from Anyswap is a DEX (Decentralized Exchange), which is called anyswap.exchange."

"Anyswap protocol allows users to immediately swap from one coin to another with a click of a button. It can be considered as a decentralized exchange, however, it doesn’t have an order book. Therefore, users can swap and immediately get coins at the price of the currency they are swapping to, without going through the hassle of creating orders and waiting for them to be filled."

"Anyswap uses Anyswap Working Nodes (AWN) to ensure the decentralization of Anyswap. These nodes will be elected by the holders of ANY token, and will be responsible for funds custody. Therefore, Anyswap company will have no control over users’ funds." "Anyswap uses Fusion’s DCRM technology as a cross-chain solution. Anyswap users can deposit any coin to the protocol, mint wrapped tokens in a fully decentralized way and swap assets from different blockchains." "Liquidity providers can add or withdraw liquidity into swap pairs. Prices will be automated according to the liquidity provided."

"The new Anyswap multichain prototype V3 router was exploited early on July 10, 2021." "AnySwap lost $7.8M worth of crypto funds as a result of ECDSA signature derivation exploit." "The attack occurred on Anyswap V3 liquidity pool on July 10, 2021, at 8:00 PM UTC."

"Two v3 router transactions were detected under the V3 Router MPC account on BSC; these two transactions have the same R value signature, and the hacker deduced the private key to this MPC account in reverse. Anyswap team reproduced this attack method." "Anyswap multichain V3 router was exploited and resulted in $7.5M worth of assets lost. The attacker deduced the private key to the Anyswap V3 Router MPC account based on two transactions that have the same R value signature."

"The root of the exploit lay in the prototype V3 Router’s use of ECDSA, the algorithm securing its MPC wallet by generating private keys."

"The key here is that every k value calculated in the algorithm should be based on a different, random number for each signature. If two or more transactions contain a repeated k value, then the private key can be back-calculated."

"This potential security flaw has been known since 2010, when console hacking group fail0verflow detailed the process here (p123-129). And its application to blockchain keys was later detailed in 2013."

"Despite this, Anyswap’s post-mortem states that the attacker detected a repeated k value in two of the V3 Router’s transactions on BSC, and was able to back-calculate the private key."

"The bridges are burning. Anyswap and Chainswap in 24 hours. They say it's fixed, but can you trust them?"

"[O]nly the new V3 cross-chain liquidity pools have been affected." "An exploit was detected in the new anyswap v3 prototype, all bridge funds used in v1/v2 are safe. Remedial action already in place for all exploited funds." "All v1/v2 bridge transactions have been audited, they don’t have the same R transactions. Bridges are safe."

Losses were "2,398,496.02 USDC and 5,509,222.73 MIM in total." "Anyswap has already put remedial actions in place to provide full compensation. Anyswap will compensate. Thus, liquidity providers will be able to withdraw their assets from the pool once again when the liquidity is refilled by Anyswap pending the 48-hour timelock."

"To facilitate future security, Anyswap will reward anyone who reports bugs to us. This will help us build truly secure and even better cross-chain solutions."

"Although action was taken relatively quickly to prevent another attack, @nicksdjohnson is of the opinion that the patch does not do enough."

"Setting aside the fact that there's a much better, industry standard solution to this, their patch: Fails catastrophically (exposing users to another hack) if you accidentally delete a file, or restore from an old backup, or move to a new server."

"And it requires every signature request to scan every previous one, but really that's the smallest problem here."

Rather than a multi-sig, AnySwap funds were locked in a more complex MPC (multi-party computation) wallet. In an MPC wallet there is a single private key, and each party holds only a share of it; the parties jointly produce an ordinary ECDSA signature. That signature is only safe if every signing operation uses a fresh, random nonce k, which determines the "R" value of the signature. Two signatures from the same key with a repeated "R" value therefore mean a repeated k, from which an attacker can deduce the private key. AnySwap plans to compensate all affected users.
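The following Python program is an added example; it is not code from Anyswap or from any of the sources quoted above. It models the failure on a plain single-key ECDSA signer rather than the real MPC protocol: a signer that reuses its nonce k produces two transactions with the same r, a scan over signature records (the kind of check the patch criticised above performs, and the audit the team ran over v1/v2 transactions) flags them, and deriving k deterministically per RFC 6979 (assumed here to be the "industry standard solution" @nicksdjohnson refers to) makes a repeat impossible for distinct messages without keeping any history. The curve arithmetic is textbook secp256k1; the key, the transactions, the "mpc-router" signer label and the STUCK_NONCE value are all constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# secp256k1 domain parameters (the curve behind BSC/Ethereum accounts).
P = (1 << 256) - (1 << 32) - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # G must lie on y^2 = x^3 + 7

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):  # double-and-add scalar multiplication
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_sign(d, z, k):
    """Textbook ECDSA; the caller chooses k, which is exactly where the reuse bug lives."""
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def ecdsa_verify(pub, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def rfc6979_nonce(d, z):
    """Deterministic k per RFC 6979 (HMAC-SHA256, secp256k1); with a 256-bit hash and 256-bit n, bits2int is the identity."""
    def mac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()
    bx = d.to_bytes(32, "big") + (z % N).to_bytes(32, "big")
    v, kk = b"\x01" * 32, b"\x00" * 32
    kk = mac(kk, v + b"\x00" + bx)
    v = mac(kk, v)
    kk = mac(kk, v + b"\x01" + bx)
    v = mac(kk, v)
    while True:
        v = mac(kk, v)
        k = int.from_bytes(v, "big")
        if 0 < k < N:
            return k
        kk = mac(kk, v + b"\x00")
        v = mac(kk, v)

def find_reused_r(signatures):
    """signatures: iterable of (signer, tx_id, r, s). Returns {(signer, r): [tx_ids]} for every r
    seen on more than one transaction of one signer; a hit means k repeated and that key is burned."""
    seen = defaultdict(list)
    for signer, tx_id, r, _s in signatures:
        seen[(signer, r)].append(tx_id)
    return {key: txs for key, txs in seen.items() if len(txs) > 1}

# Constructed demo material: not Anyswap's key, transactions or signer.
DEMO_KEY = msg_hash(b"constructed demo signing key") % N
DEMO_PUB = ec_mul(DEMO_KEY, G)
DEMO_TXS = [(b"constructed tx payload 1", "0xAAA"), (b"constructed tx payload 2", "0xBBB")]
STUCK_NONCE = 0x1234  # constructed stand-in for whatever made the real signer repeat k

def sign_batch(deterministic_nonce):
    """Sign the demo transactions with RFC 6979 nonces, or with one stuck k (the bug)."""
    out = []
    for payload, tx_id in DEMO_TXS:
        z = msg_hash(payload)
        k = rfc6979_nonce(DEMO_KEY, z) if deterministic_nonce else STUCK_NONCE
        r, s = ecdsa_sign(DEMO_KEY, z, k)
        out.append(("mpc-router", tx_id, r, s))
    return out

if __name__ == "__main__":
    print("stuck nonce  :", find_reused_r(sign_batch(False)))
    print("rfc6979 nonce:", find_reused_r(sign_batch(True)))
```

Both batches verify as valid signatures, so nothing on-chain rejects the bad one; only the scan over past signatures reveals the repeated r. The deterministic signer needs no such history, which is the property that makes it robust to the deleted-file or restored-backup scenario in the tweet: the nonce is a function of the key and the message alone.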

HOW COULD THIS HAVE BEEN PREVENTED?

One of the key requirements of an effective multi-sig is simplicity. When additional complexity is added, the opportunity for exploits increases dramatically, and it is no longer possible to evaluate the security setup.

AnySwap plans to compensate affected users, so there are not anticipated to be losses in this case.

© 2021 Quadriga Initiative.