$36 000 USD

AUGUST 2025

GLOBAL

NONE

DESCRIPTION OF EVENTS

Multicall3 is a smart contract utility that allows users to batch multiple function calls into a single transaction. Originally designed to optimize on-chain data fetching and reduce gas costs, it has become widely adopted in the Ethereum and DeFi ecosystems. Instead of calling several contracts individually, users or developers can bundle those calls into a single aggregate or tryAggregate function call through Multicall3, which executes them and returns the results. This is particularly useful for frontends or analytical tools that need to retrieve large amounts of state data efficiently and atomically.


Multicall3 does not implement any internal access control or call validation, meaning it will blindly execute whatever calldata it is given, as long as it conforms to the expected structure. While this is by design—it’s meant to be a generic utility—it creates a significant security risk if tokens are approved to it. If a user mistakenly approves an ERC-20 token allowance to the Multicall3 contract, an attacker can craft a malicious payload that uses transferFrom() to drain those tokens via a call relayed through Multicall3. Since Multicall3 has the authority (via approve()) to transfer tokens on the user's behalf, it becomes a silent intermediary in the theft.


A user or contract granted token allowance (via approve()) to the Multicall3 contract, which then had permission to spend those tokens on the user's behalf. Multicall3 is a utility contract often used to bundle multiple read or write operations into a single call, but it is not inherently secure for token transfers unless carefully controlled.


If an attacker can trick a user into approving tokens to Multicall3—and then call it in a way that forwards transferFrom() calls to malicious logic—they can drain the tokens from the victim’s wallet or contract. This happens because the Multicall3 contract doesn't restrict how or by whom it’s used; it simply forwards calls based on input data. In this scenario, it was likely exploited as a "proxy executor" by an attacker to invoke token transfers using the previously granted allowance.
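As an added defender-side example (not code from Quadriga Initiative or the Multicall3 project), the following Python hand-encodes and decodes a Multicall3 aggregate() payload and flags any inner transferFrom() whose from address is not the transaction sender, which is the signature of the allowance abuse described above. The addresses in demo() are constructed placeholders and the two selectors are the standard four-byte function hashes.

```python
AGGREGATE_SEL = bytes.fromhex("252dba42")      # keccak256("aggregate((address,bytes)[])")[:4]
TRANSFER_FROM_SEL = bytes.fromhex("23b872dd")  # keccak256("transferFrom(address,address,uint256)")[:4]

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _addr(a: str) -> bytes:  # 20-byte address left-padded to one 32-byte word
    return bytes.fromhex(a[2:]).rjust(32, b"\0")

def encode_aggregate(calls: list[tuple[str, bytes]]) -> bytes:
    """ABI-encode aggregate(Call[]) with Call = (address target, bytes callData)."""
    elems = [_addr(t) + _word(0x40) + _word(len(d)) + d + b"\0" * (-len(d) % 32) for t, d in calls]
    offsets, off = [], 32 * len(elems)  # element offsets count from the start of the offset table
    for e in elems:
        offsets.append(_word(off)); off += len(e)
    return AGGREGATE_SEL + _word(0x20) + _word(len(elems)) + b"".join(offsets) + b"".join(elems)

def decode_aggregate(calldata: bytes) -> list[tuple[str, bytes]]:
    """Inverse of encode_aggregate: returns [(target, callData), ...]."""
    if calldata[:4] != AGGREGATE_SEL:
        raise ValueError("not a Multicall3 aggregate() call")
    args = calldata[4:]
    w = lambda p: int.from_bytes(args[p:p + 32], "big")  # 32-byte word at byte offset p
    base = w(0) + 32  # element offset table starts right after the array length word
    out = []
    for i in range(w(w(0))):
        t = base + w(base + 32 * i)  # start of this (address,bytes) tuple
        b = t + w(t + 32)            # start of its bytes field (length word, then data)
        out.append(("0x" + args[t + 12:t + 32].hex(), args[b + 32:b + 32 + w(b)]))
    return out

def suspicious_transfer_froms(tx_sender: str, calldata: bytes) -> list[dict]:
    """Inner transferFrom() calls whose `from` is not the transaction sender.
    Multicall3 is msg.sender to the token, so such a call only succeeds because
    `from` left an allowance to Multicall3: someone else's approval is being spent."""
    hits = []
    for token, data in decode_aggregate(calldata):
        if data[:4] != TRANSFER_FROM_SEL or len(data) < 100:
            continue
        frm, to = "0x" + data[16:36].hex(), "0x" + data[48:68].hex()
        if frm.lower() != tx_sender.lower():
            hits.append({"token": token, "from": frm, "to": to, "amount": int.from_bytes(data[68:100], "big")})
    return hits

def demo() -> list[dict]:
    """Constructed sample with placeholder addresses: the sender spends the victim's allowance."""
    victim, thief, token = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
    inner = TRANSFER_FROM_SEL + _addr(victim) + _addr(thief) + _word(10 ** 18)
    return suspicious_transfer_froms(thief, encode_aggregate([(token, inner)]))
```

The same check applies unchanged to tryAggregate() and aggregate3() once their outer selector and tuple layout are decoded, since the inner calldata is identical.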


The loss total appears to be 41.034748173552867045 BNB, which had a value of roughly $36k at the time of the transaction. These funds have been split between 2 different destinations.


It is unclear whether there is any immediate reaction to the transaction. It does not appear that the entity behind the smart contract is known.


The incident was reported on by TenArmor. It does not appear that any other blockchain security firms issued any reports about this particular transaction.


It is unlikely that any funds will be recovered.


There is likely more to be gleaned from a further analysis of the transaction in question.



A user or contract mistakenly approved token spending rights to the Multicall3 contract, a generic batching utility with no internal access controls, allowing an attacker to exploit that approval and drain approximately 41 BNB (around $36,000) by forwarding malicious transferFrom() calls. Because Multicall3 executes arbitrary calldata without restrictions, the attacker used it as a proxy to execute unauthorized token transfers. The stolen funds were split between two destinations, and while the incident was flagged by TenArmor, no other major security firms have issued reports, and recovery is unlikely due to the anonymous nature of the exploit.

Sources And Further Reading

© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.