Multichain Hack Analysis: A Confusing Case? Involving Approximately $126 Million

Analysis of Multichain Hack: A Complex Case Involving $126 Million

Regarding the Multichain cross-chain bridge project hacking incident, blockchain security audit company Beosin has conducted a review of the basic situation of the event. Based on the analysis of on-chain transaction details and transaction logs, they stated that this theft was not due to a contract vulnerability, but rather was full of suspicious circumstances at every level.

According to analysis of the on-chain transaction details and transaction logs, the theft of coins this time did not originate from a contract vulnerability. The stolen address was a regular account address, and the theft behavior was just the most basic on-chain transfer. Among the multiple stolen transactions, no common features were found, except that they were all transferred to a blank address (with no prior transaction or transaction fee). The time intervals between each transaction varied from a few minutes to more than ten minutes, and the shortest interval between transfers to the same address was one minute, which roughly rules out the possibility of the hacker stealing coins in bulk through a script or program vulnerability. The time intervals between transfers to different addresses were also relatively long, and it is suspected that the hacker created temporary addresses when stealing coins and backed up private key information. There are a total of 6 suspicious addresses and 13 types of stolen coins, and it cannot be ruled out that multiple people were involved in the entire event.

Based on the above behaviors, we speculate that the hacker stole coins through the following methods: 1) penetrating the Multichain backend to obtain permissions for the entire project, and transferring coins to their own newly created account through the backend; 2) hacking into the project team’s devices to obtain the private keys of the address, and directly transferring coins through the private key; 3) internal operations within Multichain, transferring funds and profiting through the pretext of hacker attacks. After the hacker attack, Multichain did not immediately transfer the remaining assets of the address, and it took more than ten hours to announce the suspension of services. The response speed of the project team was too slow. The hacker’s transfer behavior was also very casual, not only involving large transfers but also small transfers of 2 USDT, and the entire time span was large, indicating that the hacker had a high probability of holding the private key.