Multichain event timeline overview: – 125 million assets mysteriously flowed out – Cross-chain bridge temporarily suspended – Previously received investment from Binance and Sequoia Capital

Multichain event overview: - 125M assets mysteriously transferred out - Cross-chain bridge suspended - Received investment from Binance and Sequoia Capital

Author: Wu Shuo Blockchain

On July 7th, 2023, a large amount of multi-chain assets worth approximately 125 million US dollars flowed out abnormally to multiple wallets, including 122 million assets (57.8m USDC, 1.024k WBTC, 7.214k WETH, 4.178m DAI, 491.657k LINK, 910.654k UNIDX, 1.493m USDT, 9.674m WOO, 1.297m ICE, 1.362m CRV, 134.48 TFI and 502.4k TUSD) flowing out from Multichain:Fantom Bridge; 6.835 million US dollars of assets (4.83m USDC, 1.042m USDT, 780k DAI and 6.122 WBTC) flowing out from Multichain:Moonriver Bridge; and 666.47k USDC flowing out from Multichain:Dogechain Bridge. Currently, the Multichain asset bridge activity has been suspended, with the last transaction remaining at 06:56 UTC+8 on July 7th.

According to the deExplorer browser, some users are discounting their Fantom chain assets through DLN Trade and exchanging them for assets on other chains. Based on the latest transactions, 1 USDC on Fantom can be exchanged for approximately 0.9 USDC on BSC, 0.88 USDT on Polygon, and so on, at a discount of around 10%.

The official Multichain account stated that locked assets on the Multichain MPC address had moved abnormally to an unknown wallet, and that the team was unsure what had happened and is currently investigating. They also advised all users to suspend the use of Multichain services and revoke all contract authorizations related to Multichain.

@Loki_Zeng’s analysis indicates that the abnormal outflow of funds from Multichain has the following characteristics: the transfer of assets took a long time, a test of 2 USDC was conducted before the transfer, each type of asset was transferred to a separate wallet, and there was no further activity afterwards (such as transfer to an exchange, swap, or mixing), and the receiving wallet is completely clean.

Based on these characteristics, it can be deduced that: 1) the transferrer had sufficient time, and considering the technical characteristics of MPC, the transferrer most likely obtained complete control of the private key slice beyond the threshold in some way. 2) The “attack method” is very simple, just a simple transfer operation, without a contract, and with a test, the attacker is most likely not a hacker. 3) The transferor did not take further action or dispose of the assets, and the operator may not have absolute decision-making power.

Multichain historical events

Before it was renamed on July 11, 2021, AnySwap V3 was attacked and lost a total of 2,398,496.02 USDC and 5,509,222.73 MIM in assets. The official analysis stated that the reason for the attack was that the BSC chain had two transactions signed by the same account. If the transactions signed by the same account have the same rsv signature r value, the hacker can reverse-engineer the private key of the account. The AnySwap team reproduced the hacker’s operation method and stated that they will provide full compensation.

On December 21, 2021, Multichain, which had recently changed its name, announced the completion of a $60 million financing round, with Binance Labs leading and participation from Sequoia China, IDG Capital, Three Arrows Capital, DeFiance Capital, Circle Ventures, Tron Foundation, Hypersphere Ventures, Primitive Ventures, Magic Ventures, and HashKey.

On December 23, 2021, a dispute over equity ownership arose at Multichain, which had just completed a huge financing round. Co-founder and CEO Zhao Jun claimed to own 100% of the foundation’s equity, but the FUSION Foundation claimed that Qian Dejun owns 40% equity. Qian Dejun has been involved in the creation of projects such as Quantum Chain, VeChain, and FUSION.

On January 18, 2022, Multichain discovered a critical vulnerability affecting six tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) and stated that the vulnerability had been successfully fixed, that all user assets were safe, and that cross-chain transactions were not affected. However, a security company subsequently discovered that the vulnerability had been exploited by hackers to steal funds, and the community called for users to revoke authorization as soon as possible. This security incident resulted in losses of approximately $3 million.

On January 13, 2023, Multichain launched its next-generation technology product, zkRouter, and released the zkRouter white paper. zkRouter is a trustless, generic cross-chain infrastructure that has the advantages of trustless dependency, on-chain light computation, generality, low latency, and no asset collateralization. As Multichain’s latest solution, zkRouter uses ZKP (Zero Knowledge Proof) to connect multiple blockchain networks and achieve seamless interoperability.

On March 15, 2023, Multichain announced that its total transaction volume had exceeded $100 billion, with over 830,000 cross-chain users, 5.04 million cross-chain transactions, an average single cross-chain fund of approximately $20,000, and support for more than 3,400 types of assets across 83 connected public chains, with cross-chain liquidity exceeding $1.8 billion.

On May 24, 2023, multiple users reported abnormal delays in Multichain’s cross-chain fund transfers. Multichain first responded on Discord, stating, “It’s because the upgrade of the back-end node is taking longer than expected, and all affected transactions will arrive after the upgrade is completed.” Later, Multichain stated, “Some cross-chain routes are unavailable due to force majeure, and the time for service restoration is unknown. Once the service is restored, pending transactions will be automatically credited.” Meanwhile, Alfred Xu, a co-founder of Multichain, stated in the Telegram community with regard to the founder’s arrest by the police, “The team is working normally.” On May 25, Fusion Foundation founder Qian Dejun stated that he could not currently contact Multichain founder Zhaojun and said, “Let’s see if we can provide technical or other assistance, most importantly, user asset safety and well-being.”

Following the impact of Multichain, various parties took action.

On May 25, 2023, Binance announced that it would suspend deposits of certain bridged token networks, such as POLS-BSC, ACH-BSC, BIFI-FTM, while waiting for clarification from the Multichain team. On the same day, Andre Cronje (AC) stated that the Fantom Foundation had stopped providing liquidity for the MULTI token on SushiSwap. On the 27th, due to concerns about the stability of the main USDC asset anyUSDC on Multichain and Fantom, the LayerZero cross-chain bridge protocol Stargate released a proposal to disable the Fantom Pool and cross-chain path, set STG release in the Fantom Pool to 0, disconnect the Fantom Pool from other liquidity pools, remove and unlock anyUSDC POL via Multichain, and then deposit POL into the Ethereum USDC Pool, and whitelist existing LPs.

On June 1, 2023, Multichain officially tweeted that over the past two days, Multichain protocol had experienced multiple issues due to unforeseeable circumstances. The team had done everything possible to maintain the protocol’s operation, but we are currently unable to contact CEO Zhaojun and obtain the necessary server access to perform maintenance. This afternoon, the scanning node network of Router5 had issues, affecting normal cross-chain services of some chains. Moreover, this problem is beyond the team’s current authority and capability. To safeguard the interests of users, we have decided to suspend corresponding cross-chain services on the affected chains on the UI. The same issue occurred on Router2 last week. We appreciate users’ understanding and request that our partners stop directly calling Multichain protocol smart contracts for cross-chain operations on the affected chains. All affected chains are: Kekchain, PublicMint, Dyno Chain, Red Light Chain, Dexit, Ekta, HPB, ONUS, Omax, Findora, Planq.