BNB Token Drain After Granting Multicall3 Contract Approval

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:42, 27 August 2025 by Azoundria

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

[Image: Binance Security Image]

A user or contract mistakenly granted token spending rights (an ERC-20 allowance) to the Multicall3 contract, a generic call-batching utility with no internal access controls. Because Multicall3 executes whatever calldata it is given, and the target contract sees Multicall3 itself as the caller, anyone could use it as a proxy to spend that allowance. An attacker did exactly that, relaying transferFrom() calls through Multicall3 to drain approximately 41 BNB (around $36,000). The stolen funds were split between two destinations. The incident was flagged by TenArmor; no other major security firm has issued a report, and recovery is unlikely given the anonymity of the parties involved.[1][2][3][4][5]

About Multicall3

Multicall3 is a smart contract utility that batches multiple function calls into a single transaction. Originally designed to make on-chain data fetching cheaper and atomic, it is widely deployed across Ethereum and other EVM-compatible chains, BSC included, and is relied on by much of the DeFi ecosystem. Instead of calling several contracts individually, a user or frontend passes a list of (target, calldata) pairs to aggregate(), tryAggregate() or aggregate3(); Multicall3 executes each call in turn and returns the results. This is particularly useful for frontends and analytics tools that need to read large amounts of state efficiently and from a single block. The same mechanism works for state-changing calls, and every forwarded call reaches its target with Multicall3, not the original caller, as msg.sender.

The Reality

Multicall3 implements no access control and no validation of the calls it forwards: it executes whatever calldata it is given, from any caller, as long as the input is well formed. That is by design for a generic utility, but it means an ERC-20 allowance granted to Multicall3 is effectively an allowance granted to everyone. If a user approves tokens to Multicall3, an attacker simply submits a batch containing a transferFrom(victim, attacker, amount) call aimed at the token contract; the token sees Multicall3 as msg.sender, finds the allowance, and executes the transfer. Multicall3 becomes a silent intermediary in the theft without being "exploited" in any meaningful sense: it behaves exactly as specified.
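The following is an added model of the mechanism described above; it is not code from the case study or from the Multicall3 project, and the accounts, balances and contract names in it are constructed for the demonstration. It reproduces the one property that matters: Multicall3 forwards every call as itself, so a token contract checking msg.sender sees Multicall3 as the approved spender regardless of who submitted the batch. A contrasting "vault" contract that only pulls tokens belonging to the account calling it shows why an allowance to a normal, caller-aware contract does not have the same failure mode.

```python
"""Why an ERC-20 allowance granted to Multicall3 is spendable by anyone.

Added illustration (not code from the case study or the Multicall3 project).
Addresses, balances and contract names are constructed for the demo; the
forwarding semantics (each batched call is executed with Multicall3 as
msg.sender) follow the real contract's aggregate()/aggregate3().
"""
from dataclasses import dataclass, field


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass
class Token:
    """Minimal ERC-20/BEP-20: balances plus (owner -> spender -> amount) allowances."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, sender, spender, amount):
        # `sender` plays the role of msg.sender: the owner granting the allowance.
        self.allowances.setdefault(sender, {})[spender] = amount

    def transfer_from(self, sender, owner, to, amount):
        # The allowance checked is owner -> msg.sender, never owner -> tx.origin.
        allowed = self.allowances.get(owner, {}).get(sender, 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise Revert("ERC20: insufficient allowance or balance")
        self.allowances[owner][sender] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def dispatch(self, sender, call):
        """Route a (function_name, *args) tuple like the EVM routes calldata."""
        fn, *args = call
        return getattr(self, fn)(sender, *args)


@dataclass
class Multicall3:
    """Generic batcher: no access control, forwards every call as itself."""
    address: str = "multicall3"

    def aggregate(self, caller, calls):
        # `caller` is deliberately unused: Multicall3 never checks who called it.
        return [target.dispatch(self.address, call) for target, call in calls]


@dataclass
class PullOnlyForSender:
    """Contrast: a contract that only moves tokens of the account calling it."""
    address: str = "vault"
    deposits: dict = field(default_factory=dict)

    def deposit(self, caller, token, amount):
        # Pulls from msg.sender only, so an attacker can only move their own tokens.
        token.transfer_from(self.address, caller, self.address, amount)
        self.deposits[caller] = self.deposits.get(caller, 0) + amount


def drain_via_multicall3():
    """Victim approves Multicall3; attacker batches a transferFrom through it."""
    token = Token(balances={"victim": 41, "attacker": 0})
    mc = Multicall3()
    token.approve("victim", mc.address, 41)  # the mistaken approval
    # Token contract sees msg.sender == Multicall3, the approved spender, and pays out.
    mc.aggregate("attacker", [(token, ("transfer_from", "victim", "attacker", 41))])
    return token.balances["victim"], token.balances["attacker"]


def attack_fails_against_vault():
    """Same allowance amount, but granted to a contract that is caller-aware."""
    token = Token(balances={"victim": 41, "attacker": 0})
    vault = PullOnlyForSender()
    token.approve("victim", vault.address, 41)
    try:
        vault.deposit("attacker", token, 41)  # pulls from the attacker, who holds nothing
    except Revert:
        return True
    return False


if __name__ == "__main__":
    print("after drain (victim, attacker):", drain_via_multicall3())
    print("attack reverts against caller-aware vault:", attack_fails_against_vault())
```

The point of the contrast is that the allowance itself is not the problem; allowances to contracts are how DeFi works. The problem is the combination of an allowance with a spender that will act on anyone's instructions.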

What Happened

An attacker used an existing token approval to the permissionless Multicall3 contract to drain approximately 41 BNB (~$36,000) by relaying transferFrom() calls through it.

Key Event Timeline - BNB Token Drain After Granting Multicall3 Contract Approval

Date                             | Event                | Description
August 20th, 2025 8:29:31 AM MDT | Transaction On BSC   | The malicious transaction is accepted and executed by the BNB Smart Chain (BSC).
August 20th, 2025 8:26:00 PM MDT | TenArmor Posts Tweet | TenArmor posts a tweet with details of the attack, alongside another attack that occurred around the same time.

Technical Details

A user or contract granted a token allowance (via approve()) to the Multicall3 contract, giving it permission to spend those tokens on the owner's behalf. Multicall3 is a utility contract commonly used to bundle multiple read or write operations into one call; it is never a safe recipient of an allowance, because it has no notion of an owner and no way to restrict who may route calls through it.

Once such an allowance exists, no further interaction with the victim is needed. Any address can call Multicall3 with a batch containing transferFrom() calldata aimed at the token contract, and the token contract authorizes the transfer because msg.sender is Multicall3, the approved spender. In this incident Multicall3 was used exactly that way, as a "proxy executor" for transfers paid for out of the victim's allowance. One caveat on the figures: native BNB has no approve() function and cannot be moved by an ERC-20/BEP-20 transferFrom(), so the asset actually transferred was a token and the loss below is its value expressed in BNB. This page does not identify which token it was.
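The practical check a wallet or contract owner wants after reading this is whether any token still carries an allowance to Multicall3, and how to revoke it. The block below is an added example, not tooling from the case study or from TenArmor: it builds the raw calldata for an eth_call to allowance(owner, spender), decodes the response, and builds the approve(spender, 0) calldata that revokes the allowance. It uses only the standard ERC-20 selectors and the canonical Multicall3 deployment address (the same on most chains, BSC included); verify that address against the project's published deployment list before relying on it. The RPC response used for the demo is constructed.

```python
"""Audit and revoke an ERC-20 allowance to Multicall3 using raw ABI calldata.

Added example (not code from the case study). Selectors are the first four
bytes of keccak256 of the standard ERC-20 signatures:
  allowance(address,address) -> 0xdd62ed3e
  approve(address,uint256)   -> 0x095ea7b3
MULTICALL3 is the canonical Multicall3 deployment address; confirm it against
the project's deployment list for the chain you are auditing. SAMPLE_RESULT is
a constructed eth_call response, not data from the incident.
"""

MULTICALL3 = "0xcA11bde05977b3631167028862bE2a173976CA11"
SEL_ALLOWANCE = "dd62ed3e"
SEL_APPROVE = "095ea7b3"


def _addr_word(addr: str) -> str:
    """ABI-encode an address as a 32-byte word (left-padded with zeros)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40:
        raise ValueError(f"bad address length: {addr}")
    int(h, 16)  # raises ValueError on non-hex input
    return h.rjust(64, "0")


def _uint_word(value: int) -> str:
    """ABI-encode a uint256 as a 32-byte word."""
    if not 0 <= value < 2**256:
        raise ValueError("uint256 out of range")
    return f"{value:064x}"


def allowance_calldata(owner: str, spender: str = MULTICALL3) -> str:
    """Calldata for token.allowance(owner, spender); send via eth_call to the token."""
    return "0x" + SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)


def decode_uint256(result_hex: str) -> int:
    """Decode the single 32-byte uint256 word returned by eth_call."""
    h = result_hex.removeprefix("0x")
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte word")
    return int(h, 16)


def revoke_calldata(spender: str = MULTICALL3) -> str:
    """Calldata for token.approve(spender, 0), to be sent from the owner's account."""
    return "0x" + SEL_APPROVE + _addr_word(spender) + _uint_word(0)


def audit(owner: str, eth_call_result: str, spender: str = MULTICALL3):
    """Return (allowance, revoke calldata or None) for one token/owner pair.

    Allowance of zero means nothing to do; anything else means the spender
    (Multicall3 here) can move that many base units of the token at any time.
    """
    allowance = decode_uint256(eth_call_result)
    return allowance, (revoke_calldata(spender) if allowance else None)


# Constructed data for the demo: an owner with a dangling allowance of
# 41.034748173552867045 units of an 18-decimal token.
SAMPLE_OWNER = "0x000000000000000000000000000000000000dead"
SAMPLE_RESULT = "0x" + f"{41_034748173552867045:064x}"

if __name__ == "__main__":
    print("eth_call data:", allowance_calldata(SAMPLE_OWNER))
    amount, revoke = audit(SAMPLE_OWNER, SAMPLE_RESULT)
    print("allowance (18 decimals):", amount / 10**18)
    print("revoke tx data:", revoke)
```

Run the allowance calldata against each token contract you have ever interacted with (the token is the `to` of the eth_call; the result is one 32-byte word), and send the revoke calldata from the owning account to any token that returns a non-zero value. Allowance explorers do the same thing behind a UI, but the raw form makes it clear that there is nothing Multicall3-specific to look for beyond its address as the spender.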

Total Amount Lost

The loss totals 41.034748173552867045 BNB, worth roughly $36,000 at the time of the transaction. The funds were split between two different destinations.

The total amount lost has been estimated at $36,000 USD.

Immediate Reactions

No immediate reaction from the victim has been identified. The entity behind the approving wallet or contract does not appear to be known.

Ultimate Outcome

The incident was reported on by TenArmor. It does not appear that any other blockchain security firms issued any reports about this particular transaction.

Total Amount Recovered

It is unlikely that any funds will be recovered, and none appear to have been recovered so far.

Ongoing Developments

There is likely more to be learned from a further analysis of the transaction in question, in particular which token was moved and how the allowance to Multicall3 was originally granted.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case. The mechanism does point to an obvious precaution: never grant a token allowance to Multicall3 or to any other contract that forwards arbitrary calls on behalf of any caller, prefer exact-amount over unlimited approvals, and periodically review and revoke allowances that are no longer needed.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References