Starting from the arrest of the cross-chain bridge Multichain: What legal risks should be considered when doing cross-chain projects?
The Chinese cross-chain bridge project Multichain has seen its CEO and others taken away by Chinese police for criminal investigations, leading to a plummet in token value overnight. Is it really impossible to start a business in China with cross-chain technology aimed at solving value interoperability between different blockchains?Authors: Liu Honglin, Jin Jianzhi
Source: PANews
The Chinese cross-chain bridge project Multichain has been implicated in criminal activities, leading to the detention of its CEO and others by Chinese police, resulting in a dramatic drop in token value overnight. Is it really impossible to start a business in China with cross-chain technology, which aims to solve value interoperability between different blockchains?
Founders Detained, Project Forced to Halt Operations
On May 21, 2023, Zhao Jun, the CEO of the well-known cross-chain project Multichain, was taken away by domestic police from his home, and the global Multichain team lost contact with him. The team reached out to MPC node operators and learned that their operational access keys for the MPC node servers had been revoked.
Subsequently, the special investigation team contacted Zhao Jun's family and learned that all of Zhao Jun's computers, mobile phones, hardware wallets, and mnemonic phrases had been confiscated. Since the project's inception, all operational funds and investor investments had been controlled by Zhao Jun.
On June 4, Zhao Jun's family successfully logged into the home computer on the cloud server platform and only allowed Multichain team engineers physical access to the home computer to fix technical issues with Router2 and Router5.
On July 9, Zhao Jun's sister transferred the remaining user assets from the router pool and subsequently notified the team and several project parties. These funds were transferred to an EOA address controlled by Zhao Jun's sister.
On July 13, based on information provided by Zhao Jun's family, the police took Zhao Jun's sister away.
According to SlowMist monitoring, since July 7, a total of $265 million has flowed out of Multichain, distributed across Ethereum, BNB Chain, Polygon, Avalanche, Arbitrum, Optimism, Fantom, Cronos, and Moonbeam chains. Among these, $65.82 million has been frozen by Circle and Tether, and 1,296,990.99 ICE (approximately $1.62 million) has been burned by the token issuer.
According to public information, Multichain was established in July 2020 and raised $60 million in funding in December 2021. Investment institutions include Binance Labs, Sequoia Capital, IDG Capital, Three Arrows Capital, DeFiance Capital, TRON Foundation, Hashkey Capital, Circle, Hypersphere Ventures, Primitive Ventures, and Magic Ventures.
What is Blockchain Cross-Chain?
The rapid development of public chains is closely related to the increasing popularity and innovation of blockchain technology. According to exaggerated data, there may be hundreds of existing public chains, each with different communication protocols, consensus rules, and governance models. Well-known public chains include Bitcoin, Ethereum, Solana, and Binance Smart Chain (BSC), among many other public chain projects based on different consensus mechanisms and technical architectures. Each public chain has its unique characteristics, advantages, and application scenarios. Therefore, interoperability between different blockchains, allowing users to transfer assets and information across chains, has become an inevitable product of cross-chain technology.
Cross-chain technology is a key technology in the blockchain industry, aimed at solving the problems of data flow, asset transfer, and value interoperability between different blockchains. The underlying technology of cross-chain is relatively complex. Non-technical individuals can understand cross-chain technology with a simple example. In most cases, when a user wants to transfer assets from Chain A to Chain B, they need to first deposit the assets into a designated address for cross-chain technology on Chain A. Next, when the bridge's detector receives this information, it will mint an equivalent amount of wrapped assets on Chain B or convert the cross-chain assets into native assets of the target chain by establishing a liquidity pool on the target chain, and finally transfer the funds to the user's account on Chain B.
The most concerning issue regarding cross-chain technology is security. For cross-chain entrepreneurs, ensuring the safety of the project and personal safety is paramount.
Legal Risks of Project Attacks
Security incidents in the field of cross-chain technology are not uncommon. On July 3, 2021, the contract of the Chainswap cross-chain project was attacked, resulting in the loss of user tokens from wallets interacting with ChainSwap, with total losses amounting to approximately $800,000. On July 12, 2021, the newly launched V3 cross-chain liquidity pool of Anyswap was also attacked, with total losses exceeding $7.87 million. In August 2021, Poly Network announced that its mainnet had been hacked, with user assets totaling $610 million transferred across BSC, Ethereum, and Polygon, becoming the largest DeFi security incident to date.
Due to the inherently decentralized nature of blockchain technology, determining the responsible party can be very difficult when defects or vulnerabilities in smart contracts lead to losses. Whether the cross-chain project party should bear relevant responsibilities in the event of user asset loss is a complex issue.
In this regard, there are two things that project parties can do in advance:
Smart Contract Security Audit: Ensure that smart contracts undergo security audits to technically prevent vulnerabilities and attacks. Most cross-chain technologies directly deal with finance, concerning user funds, so the design and implementation of cross-chain technology protocols need to consider security from the very beginning, and it cannot be overly rigorous. Additionally, it is best for the protocol to be audited by at least two security audit companies to reduce security risks. Avoid introducing unnecessary administrator identities while limiting the permissions of protocol deployers and administrators to prevent the entire protocol's funds from falling into security risks due to a single account leak.
Draft Clear Contracts: Ensure that user agreements and contract terms between the project party and partners, investors, and users are clear and explicit, specifying the responsibilities and obligations of all parties in the event of a security incident, as well as the compensation mechanism in case of user asset loss.
Legal Risks of Token Issuance
The vast majority of cross-chain projects will have their own project tokens. Cross-chain entrepreneurs must understand that there are significant differences in the legal frameworks for blockchain and cryptocurrencies across different countries and regions. For example, the U.S. Securities and Exchange Commission (SEC) may classify certain tokens as securities, while the European Union may have entirely different classifications. This means that various legal requirements and regulatory frameworks must be considered when designing and implementing cross-chain solutions.
Issuing tokens is an even more sensitive issue in China. On September 4, 2017, the central bank and seven ministries issued a notice on preventing risks from token issuance financing, clearly stating that token issuance financing is essentially an unauthorized illegal public financing activity, suspected of illegal issuance of token vouchers, illegal issuance of securities, as well as illegal fundraising, financial fraud, and pyramid schemes. It required all types of token issuance financing activities to cease immediately from the date of the announcement, and organizations and individuals that had completed token issuance financing should make arrangements for refunds.
If a project issues tokens to users in mainland China, it falls under a regulatory high-pressure line.
KYC, KYT, and AML
Regarding the arrest of Multichain mentioned in the introduction, according to public media reports, it was involved in money laundering for criminal groups, with significant amounts involved. Due to certain characteristics of cross-chain technology, such as anonymity and difficulty in tracking, it is easily targeted by criminal groups as a tool for money laundering.
Specifically, cross-chain technology involves asset transfers between multiple different blockchain networks, some of which may have higher anonymity and privacy protection features, such as zero-knowledge proofs or privacy coins, making it easier for money launderers to hide the sources and destinations of their fund flows. Additionally, tracking and monitoring these transactions becomes more complex due to the involvement of multiple blockchain networks. Some cross-chain protocol designs also make transaction records harder to track or monitor, providing more opportunities for money laundering activities.
According to statistics from OKLink Research Institute, money laundering, fraud, pyramid schemes, and gambling were the four most common forms of virtual currency crime in 2022, with 54.72% of virtual currency crimes related to money laundering and 21.13% related to fraud.
One significant reason why governments dislike virtual currencies is that they have been misused by bad actors. Once criminal groups are targeted by regulatory authorities, cross-chain projects that assist in providing support for the criminal assets of these groups naturally cannot escape responsibility. Moreover, cross-chain projects certainly cannot defend themselves by claiming technical neutrality. In August 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned the mixer Tornado Cash, stating in the sanctions documents that Tornado had been used to launder over $7 billion in crypto assets since its creation in 2019, including over $455 million in crypto assets stolen by the North Korean hacker group Lazarus Group from two blockchain applications.
Implementing KYC and AML can effectively reduce the aforementioned risks.
KYC (Know Your Customer): Designing and implementing effective KYC processes is the first step to ensuring business compliance. This includes collecting and verifying users' identity information, such as name, address, identification documents, and other relevant data. Ensure that the KYC process complies with local laws and regulations and is continuously updated and reviewed. It is important to note that when collecting and processing the aforementioned personal data, compliance with privacy regulations must be ensured, and users should be clearly informed about how their data will be collected and used. KYC is more suitable for the fiat currency world, while KYT is more suitable for the blockchain world.
KYT (Know Your Transaction): KYT is a process used by financial institutions to monitor and track whether financial transactions involve fraud or suspicious activities. KYT can help financial institutions identify the sources and destinations of each transaction, assess transaction risks, take appropriate measures, and report suspicious transactions to regulatory authorities. KYT differs from the KYC commonly used in traditional finance. KYC primarily focuses on customer identity information, emphasizing the static identity of specific individuals/institutions, while KYT focuses on the dynamic transaction processes of customers. In traditional finance, KYT is currently a bonus, but in virtual asset transactions, KYT may become a necessity for risk management.
The reason is that, in the blockchain world, there is no requirement to provide a large number of identity verification materials, as is the case when opening a bank account. In the crypto world, the principle for account creation is to rely on oneself, allowing for the anonymous creation of countless on-chain addresses. In this context, it is difficult to ascertain the true identity of the other party through a string of garbled wallet addresses, let alone prevent money laundering. KYT will help blockchain users identify which addresses and transactions pose risks, find suspicious illegal transaction addresses, and trace back to the starting and ending points of transactions. Suspicious transaction behaviors, trading addresses on the dark web, their associated addresses, and KYC records of certain addresses on exchanges can link on-chain addresses to corresponding entities, thereby connecting the anonymous on-chain world with real-world identities.
AML (Anti-Money Laundering): Implement effective transaction monitoring mechanisms to identify and report any suspicious or unusual transaction activities. Utilize technological tools and systems to monitor customer transaction patterns, fund flows, and risk behaviors, and take necessary measures for investigation and reporting in a timely manner.
Effective KYC, KYT, and AML measures can reduce risks associated with money laundering, terrorist financing, and other financial crimes, and build trust and reputation, providing a safer and more reliable environment for businesses and users while ensuring the safety of the project parties.
Conclusion
As more and more countries and regions incorporate virtual asset anti-money laundering into regulatory frameworks, institutions involved in the issuance and circulation of virtual assets inevitably need to supplement KYC due diligence with KYT to meet compliance requirements from regulatory authorities.
Cross-chain entrepreneurs must prioritize legal risk management while pursuing technological innovation and business model exploration. Only in this way can they ensure their own safety, and only on the basis of their safety can there be long-term development of the project and security of user assets.
