Multichain Event Timeline Overview: 125 million assets mysteriously flowed out, cross-chain bridge has been suspended

Author: Wu Says Blockchain

On July 7, 2023, approximately $125 million in multi-chain assets from the cross-chain protocol Multichain flowed out abnormally to multiple wallets, including $122 million in assets flowing out from Multichain: Fantom Bridge (57.8m USDC, 1.024k WBTC, 7.214k WETH, 4.178m DAI, 491.657k LINK, 910.654k UNIDX, 1.493m USDT, 9.674m WOO, 1.297m ICE, 1.362m CRV, 134.48 TFI, and 502.4k TUSD); $6.835 million in assets flowing out from Multichain: Moonriver Bridge (4.83m USDC, 1.042m USDT, 780k DAI, and 6.122 WBTC); and $666.47k USDC flowing out from Multichain: Dogechain Bridge. Currently, Multichain asset bridge activities have been suspended, with the last transaction recorded at 06:56 UTC+8 on July 7.

According to the deExplorer browser, some users are exchanging assets on the Fantom chain for assets on other chains at a discount through DLN Trade. Based on the latest transactions, 1 USDC on Fantom can be exchanged for approximately 0.9 USDC on BSC, 0.88 USDT on Polygon, etc., with a discount of around 10%.

Multichain's official Twitter stated that the locked assets on the Multichain MPC address had moved abnormally to unknown wallets, and the team is uncertain about what happened and is currently investigating; they advised all users to suspend the use of Multichain services and revoke all contract authorizations related to Multichain.

Loki_Zeng, a researcher at New Fire Technology, analyzed that the abnormal outflow of funds from Multichain has the following characteristics: the duration of asset transfers is very long, a small test of 2 USDC was conducted before the transfer, each type of asset was transferred to independent wallets, and there were no further actions (such as transferring to exchanges, swapping, or mixing coins), and the receiving wallets are completely clean.

Based on these characteristics, it can be inferred that: 1) The transferor had ample time, and considering the technical characteristics of MPC, the transferor likely gained control over the threshold of private key shares in some way. 2) The "attack method" is very simple, just a pure transfer operation without contracts, and there was testing involved, suggesting that the attacker is likely not a hacker. 3) The transferor did not take further actions or liquidate the assets, indicating that the operator may not have absolute decision-making power.

For more updates, please follow the official website link or Wu Says Twitter/Telegram channel:

https://www.wu-talk.com/index.php?m=content\&c=index\&a=show\&catid=46\&id=15885

Multichain Historical Events

On July 11, 2021, the then-renamed AnySwap V3 was attacked, resulting in a total asset loss of 2,398,496.02 USDC and 5,509,222.73 MIM. The official analysis indicated that the attack was due to two transactions signed by the same account on the BSC chain. If the transactions signed by the same account had the same rsv signature r value, the hacker could reverse-engineer the account's private key. The AnySwap team reproduced the hacker's method and stated that they would provide full compensation.

On December 21, 2021, the renamed Multichain announced the completion of a $60 million financing round, led by Binance Labs, with participation from Sequoia China, IDG Capital, Three Arrows Capital, DeFiance Capital, Circle Ventures, Tron Foundation, Hypersphere Ventures, Primitive Ventures, Magic Ventures, and HashKey.

On December 23, 2021, shortly after completing a massive financing round, Multichain faced a dispute over equity. Co-founder and CEO Zhao Jun claimed to own 100% of the foundation's equity, while the FUSION Foundation claimed that Qian Dejun owned 40% equity. Qian Dejun had previously participated in founding projects such as Quantum Chain, VeChain, and FUSION.

On January 18, 2022, Multichain discovered a significant vulnerability affecting six tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) and stated that the vulnerability had been successfully fixed, ensuring that all users' assets were safe and that cross-chain transactions would not be affected. However, security firms later found that the vulnerability had been exploited by hackers, resulting in asset theft, prompting the community to urge users to revoke authorizations promptly. This security incident caused approximately $3 million in asset losses.

On January 13, 2023, Multichain launched its next-generation technology product zkRouter and released the zkRouter white paper. zkRouter is a trustless, universal cross-chain infrastructure that offers advantages such as trustless dependency, on-chain light computation, universality, low latency, and no asset collateral. As Multichain's latest solution, zkRouter utilizes ZKP (Zero Knowledge Proof) to connect multiple blockchain networks and achieve seamless interoperability.

On March 15, 2023, Multichain announced that its total transaction volume had surpassed $10 billion. The total number of cross-chain users exceeded 830,000, with 5.04 million cross-chain transactions and an average single cross-chain amount of around $20,000. Multichain is currently connected to 83 public chains, supporting over 3,400 types of assets for cross-chain transactions, with cross-chain liquidity exceeding $1.8 billion.

On May 24, 2023, multiple users reported abnormal delays in the arrival of cross-chain funds on Multichain. Multichain initially responded on Discord, stating, "It is due to the backend node upgrade taking longer than expected, and all affected transactions will arrive after the upgrade is completed." Later, they stated, "Some cross-chain routes are unavailable due to force majeure, and the recovery time is unknown. After service recovery, pending transactions will be automatically credited." Meanwhile, Multichain co-founder Alfred Xu stated in the Telegram community regarding the founder's arrest by the police, "The team is working normally." On May 25, Fusion Foundation founder Qian Dejun stated that he could not contact Multichain founder Zhao Jun, "Let's see if we can provide technical or other assistance; the most important thing is the safety of user assets and that everyone is okay."

Subsequently, various parties affected by Multichain took measures.

On May 25, Binance announced that while waiting for a clear explanation from the Multichain team, it would suspend deposits for certain bridged token networks, such as POLS-BSC, ACH-BSC, BIFI-FTM, etc.; on the same day, Andre Cronje (AC) stated that the Fantom Foundation would stop providing liquidity for the MULTI token on SushiSwap; on the 27th, due to concerns about the stability of Multichain and Fantom's main USDC asset anyUSDC, the LayerZero cross-chain bridge protocol Stargate proposed to disable the Fantom Pool and cross-chain path, setting the release of STG in the Fantom Pool to 0, disconnecting the Fantom Pool from other liquidity pools, removing and unlocking anyUSDC POL through Multichain, then depositing the POL into the Ethereum USDC Pool and whitelisting existing LPs.

On June 1, 2023, Multichain officially tweeted that, due to unforeseen circumstances, multiple issues had arisen with the Multichain protocol over the past two days. The team had done everything possible to maintain the operation of the protocol, but they were currently unable to contact CEO Zhao Jun and obtain the necessary server access for maintenance. This afternoon, the scanning node network of Router5 encountered issues, affecting the normal cross-chain services of some chains. Moreover, this problem exceeded the current authority and capability of the team. To protect the interests of users, they decided to suspend the corresponding cross-chain services on the affected chains in the UI.

Last week, a similar issue occurred on Router2. They thanked users for their understanding and requested partners to stop directly calling the Multichain protocol smart contracts for cross-chain operations on the affected chains. All affected chains are: Kekchain, PublicMint, Dyno Chain, Red Light Chain, Dexit, Ekta, HPB, ONUS, Omax, Findora, Planq.