AnySwap Releases Detailed Postmortem on Multichain Router V3 Exploit

The platform dropped details about the exploit of its V3 router prototype, though users have been assured that the default bridge is unaffected.

AnySwap V3 Router Prototype Suffers Exploit

After a recent exploit of their V3 router prototype AnySwap has released a comprehensive report about the incident. Following the recent multichain prototype router exploit on July 10th the protocol released a postmortem via Medium, which explained the incident’s description, what transpired, and the solutions provided. 

The postmortem posted on the 12th of July is a follow-up to the protocol’s Tweet on 11th July about the detected exploit. 

An exploit occurs when a smart contract is able to be manipulated in order to steal tokens or manipulate pricing. These exploits are usually the result of an oversight in the contract’s code by developers.

AnySwap Multichain Router V3 Exploit

The AnySwap multichain beta V3 router was launched on June 4th. It was deployed on three of the most prominent networks in the Decentralized Finance (DeFi) ecosystem — Binance Smart Chain (BSC), Fantom, and Polygon, with plans to add more in the future. 

The beta release features a native swap; a non-custodial + MPC explained extensively in its Medium post, and a multichain router that allows users to swap between two chains.

Unfortunately, the unique innovation faced a significant exploit that prompted the protocol to halt the system. 


Although V1/V2 funds were safe, the cross-chain Decentralized Exchange (DEX) announced that a post-mortem would be released to affected users of the new V3 cross-chain liquidity pools. With this in mind, the protocol has released comprehensive details of the incident and its solutions. 

Postmortem Report: AnySwap Drops Statement 

Below is a detailed report of the V3 router exploit according to its Medium article posted on 12th July 2021. 

Details of The Attack 

The attack ensued on the 10th of July, 2021 (8:00 PM UTC) on the AnySwap V3 multichain router prototype.

Details of Exploited Transactions 

Stolen Amount: 1,536,821.7694 USDC

Stolen Amount: 5,509,2227.35372 MIM

Stolen Amount: 749,033.37 USDC

Stolen Amount: 112,640.877101 USDC

Hacker Address

How the Exploit Happened 

Two V3 router transactions with the same R value signature were detected under the V3 Router MPC account on BSC. The attacker hacked into the MPC account and obtained the private key. The AnySwap team reproduced the method used.

The V1/V2 bridges are safe as they have been audited and do not have the same R transactions. 

AnySwap disclosed that a more detailed report about this would be published later. 


In response to the R signature flaw, the AnySwap team has fixed the code to avoid the same error. In essence, the R signatures will no longer be the same. 

The AnySwap router V3 will relaunch in about 48 hours, and users are urged to follow AnySwap’s Twitter account for updates. 

Trail of Bits has been auditing the V1/V2, and they will do the same for the V3 incident, according to AnySwap. 


A total of 2,398,496.02 USDC and 5,509,222.73 MIM were stolen from the protocol, and it will go down in the record books as another significant exploit on BSC. AnySwap has taken actions to compensate its affected users and has promised that liquidity providers will withdraw their assets from the pool once again after liquidity is refilled upon the V3 relaunch. 

Source :

Leave a Reply

Your email address will not be published. Required fields are marked *