JUL 7, 2023
Timeline of Multichain events: $125 million in assets mysteriously drained, cross-chain bridge suspended
by Colin Wu, WuBlockchain
On July 7, 2023, around $125 million of multi-chain assets under the cross-chain protocol Multichain anomalously drained into multiple wallets, including $122 million of assets from Multichain: Fantom Bridge (57.8m USDC, 1.024k WBTC, 7.214k WETH, 4.178m DAI, 491.657k LINK, 910.654k UNIDX, 1.493m USDT, 9.674m WOO, 1.297m ICE, 1.362m CRV, 134.48 TFI, and 502.4k TUSD); $6.835 million from Multichain: Moonriver Bridge (4.83m USDC, 1.042m USDT, 780k DAI, and 6.122 WBTC); and 666.47k USDC from Multichain: Dogechain Bridge. The activity of Multichain's asset bridge has been suspended for now, with the last transaction taking place at 06:56 UTC+8 on July 7.
According to the deExplorer browser, some users are swapping assets on the Fantom chain for assets on other chains via DLN Trade at a discount. Based on the latest transactions, 1 USDC on Fantom can be exchanged for around 0.9 USDC on BSC, 0.88 USDT on Polygon, etc., with a discount of about 10%.
Multichain's official Twitter responded by stating that the locked assets on the Multichain MPC address have been anomalously moved to an unknown wallet. The team is uncertain about what happened and is investigating. It is recommended that all users suspend the use of Multichain services and revoke all authorizations related to Multichain contracts.
Analyst @Loki_Zeng believes that the anomalous outflow of funds from Multichain has the following characteristics: the asset transfer lasted a long time, a small test of 2USDC was conducted before the transfer, each type of asset was transferred to an individual wallet with no further action (such as transferring to an exchange, swapping, or mixing), and the receiving wallets were completely clean.
Based on these characteristics, it can be inferred that: 1) the transferrer had ample time and considering the technical characteristics of MPC, it's likely that the transferrer somehow completely gained control over the private key shards above the threshold; 2) the "attack method" was very simple, just ordinary transfer operations, without any contracts, and even included a test, suggesting that the attacker is probably not a hacker; 3) the transferrer didn't carry out further disposals or cashing out, indicating that the operator may not have absolute decision-making power.
For more updates, please follow the official website link or the Twitter/Telegram channel of WuBlockchain：https://twitter.com/WuBlockchain
Multichain Historical Events
July 11, 2021, before the renaming, AnySwap V3 was attacked and lost a total of 2,398,496.02 USDC and 5,509,222.73 MIM. The official analysis stated that the attack occurred because two transactions from the same account signature appeared on the BSC chain. If the transactions from the same account signature had the same r-value in the rsv signature, a hacker could reverse-engineer the account's private key. The AnySwap team reproduced the hacker's method and promised full compensation.
On December 21, 2021, Multichain, after the renaming, announced the completion of a $60 million financing round. The round was led by Binance Labs and included participation from Sequoia China, IDG Capital, Three Arrows Capital, DeFiance Capital, Circle Ventures, Tron Foundation, Hypersphere Ventures, Primitive Ventures, Magic Ventures, and HashKey.
On December 23, 2021, Multichain, having just completed a major financing round, was embroiled in a dispute over equity. Co-founder and CEO Zhao Jun claimed that he owned 100% of the foundation's equity, but the FUSION Foundation claimed that Qian Dejun owned 40% of the equity. Qian Dejun had participated in the establishment of Quantum Chain, VeChain, and FUSION, among other projects.
On January 18, 2022, Multichain discovered a significant vulnerability affecting six tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX). The team stated that the vulnerability had been successfully repaired, all users' assets were secure, and cross-chain transactions would not be affected. However, a security firm later discovered that the vulnerability had been exploited by hackers and coins had been stolen. The community urged users to revoke authorizations as soon as possible. This security incident resulted in approximately $3 million in asset losses.
On January 13, 2023, Multichain launched its next-generation technology product, zkRouter, and published the zkRouter white paper. zkRouter is a trustless, universal cross-chain infrastructure that has the advantages of no trust dependencies, light on-chain computation, universality, low latency, and no asset collateral. As Multichain's latest solution, zkRouter uses ZKP (Zero Knowledge Proof) to connect multiple blockchain networks and achieve seamless interoperability.
On March 15, 2023, Multichain announced that its total transaction volume had exceeded $100 billion. The total number of cross-chain users exceeded 830,000, the number of cross-chain transactions was 5.04 million, the average single cross-chain fund was about $20,000, and Multichain had connected 83 public chains, supported more than 3,400 cross-chain assets, and the liquidity of cross-chain exceeded $1.8 billion.
On May 24, 2023, several users reported abnormal delays in cross-chain funds arriving on Multichain. Multichain initially responded on Discord saying, "This is due to the backend node upgrade taking longer than expected, all affected transactions will arrive after the upgrade is complete." Later they added, "Some cross-chain routes are unusable due to force majeure, and the service restoration time is unknown. After the service is restored, pending transactions will be automatically credited." At the same time, Alfred Xu, co-founder of Multichain, addressed the arrest of the founder in the Telegram community by saying, "The team is working as normal." On May 25, Qian Dejun, the founder of the Fusion Foundation, said that he was currently unable to contact Multichain founder Zhaojun, "Let's see if we can provide technical or other help, the most important thing is the safety of user assets and that no one is hurt."
In the aftermath, various parties affected by Multichain took measures.
On May 25, 2023, Binance announced that during the wait for a clear statement from the Multichain team, they would suspend deposits on some bridged token networks, such as POLS-BSC, ACH-BSC, BIFI-FTM, etc. On the same day, Andre Cronje (AC) stated that the Fantom Foundation stopped providing liquidity for the MULTI token on SushiSwap. On the 27th, due to concerns about the stability of Multichain and Fantom's main USDC asset anyUSDC, the LayerZero cross-chain bridge protocol Stargate proposed to disable the Fantom Pool and cross-chain paths, set the STG release in the Fantom Pool to 0, disconnect the Fantom Pool from other liquidity pools, remove and unlock anyUSDC POL through Multichain, then deposit POL into the Ethereum USDC Pool, and whitelist the existing LPs.
On June 1, 2023, Multichain officially tweeted that over the past two days, due to unforeseeable circumstances, several issues had arisen with the Multichain protocol. The team had done everything possible to maintain the protocol's operation, but they were currently unable to contact CEO Zhaojun and obtain the necessary server access permissions for maintenance. That afternoon, the Router5 scanning node network encountered problems, affecting the normal cross-chain services of some chains. Moreover, this problem was beyond the current permissions and capabilities of the team. To protect the interests of the majority of users, they decided to temporarily suspend the corresponding cross-chain services for the affected chains on the UI. Last week, the same problem occurred on Router2. They thanked users for their understanding and asked their partners to stop directly calling Multichain protocol smart contracts for cross-chain operations on the affected chains. All affected chains were: Kekchain, PublicMint, Dyno Chain, Red Light Chain, Dexit, Ekta, HPB, ONUS, Omax, Findora, Planq.