The Anyswap Router (now called Multichain) was exploited due to a faulty assumption in anySwapOutUnderlyingWithPermit.
When we expect an external function call to throw, but the contract being called does not implement the called function and has a fallback function, the call returns silently instead of throwing.
This allowed hackers, such as this one, to walk away with over 1700 ETH. Various white hats also returned almost 1000 ETH. Details follow:
[[ Details Temporarily Redacted since some addresses are still vulnerable ]]
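The silent-fallback behaviour described above, shown as an added example with the weak pattern beside a hardened one; this is not code from the Anyswap/Multichain contracts or from the original page. All contract and function names are hypothetical, and the hardened check assumes the token follows the EIP-2612 permit/nonces interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All contract and function names are hypothetical.
interface IPermitToken {
    function permit(address owner, address spender, uint256 value,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s) external;
    function nonces(address owner) external view returns (uint256);
}

// Constructed token: no permit() or nonces(), only a fallback that
// accepts any calldata and returns nothing.
contract FallbackOnlyToken {
    fallback() external {}
}

contract PermitCaller {
    // Weak: treats "permit() did not revert" as proof of a valid signature.
    // Against FallbackOnlyToken the call lands in fallback() and succeeds.
    function permitAssumed(IPermitToken token, address owner, uint256 value,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s) external
    {
        token.permit(owner, address(this), value, deadline, v, r, s);
        // Code placed here would wrongly assume `owner` approved `value`.
    }

    // Hardened: require an observable effect of permit().
    // nonces() declares a return value, so a fallback that returns no data
    // makes the ABI decoder revert before permit() is even attempted.
    function permitVerified(IPermitToken token, address owner, uint256 value,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s) external
    {
        uint256 nonceBefore = token.nonces(owner);
        token.permit(owner, address(this), value, deadline, v, r, s);
        require(token.nonces(owner) == nonceBefore + 1, "permit had no effect");
    }
}
```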