Cross-chain bridge Multichain recently faced a significant setback, losing approximately $126 million worth of crypto assets. The breach, which occurred after a prolonged lockup period since May, has raised suspicions of a hack or rug pull. This incident has exposed the vulnerabilities of cross-chain bridges and reignited concerns about the security of decentralized finance (DeFi) protocols. In this article, we delve into the details of the exploit, analyze the potential causes, and explore measures to mitigate such risks in the future.
On July 7, the team behind Multichain confirmed the occurrence of an exploit that resulted in the abnormal movement of locked assets to an unknown address. PeckShield, a blockchain security firm, traced the stolen tokens, which included Wrapped Bitcoin (WBTC), Chainlink (LINK), and stablecoins such as USDC, USDT, and DAI. Totaling $126 million, these assets were transferred to six new Ethereum addresses. Notably, the largest withdrawals, amounting to $118 million, were made from the Fantom bridge, impacting multiple chains like Ethereum, Avalanche, and Binance Smart Chain. The incident prompted Curve Finance, a leading decentralized stablecoin exchange, to warn users about the potential hack hours before the official confirmation.
Decoding the Exploit
The troubles for Multichain began in late May when users reported transaction delays. Rumors about the arrest of Multichain CEO Zhaojun in China started circulating, and the team confirmed their inability to contact him. Zhaojun holds the private key to the pools affected by the transaction delays. As a result, Binance temporarily suspended certain Multichain token deposits and eventually halted withdrawals on July 5. Finally, on July 7, the assets were moved out of Multichain pools to unknown addresses, exacerbating the already chaotic situation.
The recent challenges faced by Multichain have raised suspicions among experts and analysts regarding the possibility of an inside job or rug pull. The smart contracts governing Multichain are secured by a multi-party computation (MPC) system, which is vulnerable if an attacker possesses sufficient MPC keys. The attacker’s decision to leave centrally controlled assets like USDC untouched is also puzzling. The sudden disappearance of the CEO and rumors surrounding his alleged arrest in China have fueled speculation about internal misconduct. Furthermore, Multichain has experienced technical problems, including delayed transactions, leading to inconvenience for users. These factors have contributed to the growing skepticism surrounding the incident.
Aftermath and Mitigation
The exploit’s impact was evident in the 20% decline in the governance token MULTI’s value following the official announcement. After the large-scale withdrawals, the Multichain team initiated an investigation and urged users to pause transactions. A day later, they announced the indefinite suspension of services. Unfortunately, scammers took advantage of the situation by impersonating the Fantom Foundation on Twitter, attempting to deceive affected users with a phishing link. In response to the suspected exploit, stablecoin issuers Circle and Tether took swift action by freezing over $65 million in associated assets.
The mysterious withdrawals from Multichain, resulting in the loss of approximately $126 million in crypto assets, have shaken the DeFi community. The incident raises concerns about the security of cross-chain bridges and highlights the need for stronger measures to protect decentralized protocols. According to DeFiLlama data, bridges account for a significant portion of the $5.44 billion hacked from DeFi protocols to date, representing 48% of the total. As the investigation into the exploit continues, stakeholders must prioritize security audits, transparency, and user education to foster a more resilient and secure DeFi ecosystem.