December 11, 2023

The Multichain MPC bridge platform has seen unusually large outflows, raising concerns that the platform could be the target of a multimillion-dollar attack.

According to available information, more than $130 million worth of cryptocurrencies have been moved from the bridge platform.

Multichain capital outflow

The outflow of funds was first revealed on July 6, when observers noticed that $102 million worth of cryptocurrency was withdrawn from the Multichain Fantom bridge on the Ethereum side. $666,000 worth of Dogecoin and $5 million from Moonriver were also withdrawn. Additionally, 7,214 Wrapped Ether (WETH) tokens worth $13.6 million, 1,024 Wrapped Bitcoins (WBTC) worth $31 million, and USDC stablecoins worth $58 million were withdrawn from the Fantom Bridge’s Ethereum smart contract. As of the end of the day, the total value of removed cryptocurrencies exceeded $100 million.

Additionally, approximately $666,000 was withdrawn from the Dogecoin Bridge’s Ethereum contract, more than 86% of its total deposits. As a result, only about $100,000 worth of assets remain on the bridge. USDT and USDC worth more than $5.8 million were also withdrawn from the Multichain Moonriver contract on Ethereum, leaving only about $700,000 in the Moonriver bridge contract.

Possible exploit?

Several on-chain investigators warned the community on Twitter that the incident could stem from a vulnerability. Curve Finance was one of the first companies to warn users that Multichain had likely been hacked and that they should revoke all approvals.

“Multichain can be hacked. Exit all Multichain assets. Good idea to revoke approval for Multichain bridges, if any.”

Blockchain security firm PeckShield flagged Multichain in a Twitter thread, highlighting the Fantom chain transaction and urging the team to take a closer look. Another commentator said the whole fiasco looked like another massive hack, while on-chain investigator Spreek posted the Dogecoin transactions and urged the team to look at them. However, Multichain did not respond to the related tweets. Meanwhile, Fantom Foundation CEO Michael Kong said the Fantom team is investigating the issue.

Multichain finally responded

Multichain eventually responded to the user in a subsequent tweet, stating that there was indeed an anomaly in the flow of funds and that the team was “not sure what happened and is currently investigating the issue.” Multichain said on Twitter,

“Abnormal transfer of locked assets on the Multichain MPC address to an unknown address. The team is not sure what happened and is currently investigating. It is recommended that all users suspend the use of Multichain services and revoke all Multichain-related contract approvals.”

Multichain's growing problems

Multichain is a multi-party computation (MPC) bridge network that enables users to bridge assets between chains. When a user wishes to bridge an asset, Multichain first confirms whether the asset is locked on the first chain. Once confirmed, the network mints the derivative asset on the second chain. When the user wishes to withdraw funds, the process is repeated, but in the opposite direction. It will first confirm whether the derivative assets on the second chain have been destroyed, and then release the locked assets back to the first chain.

The Multichain team claims that the encryption keys that control the entire process are divided into shards and then distributed throughout the network. In theory, this should prevent unauthorized withdrawals by any entity.
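The lock/mint and burn/release flow described above implies a check that can be run independently of how the keys are held: locked collateral must always cover the outstanding derivative supply, and every release must consume a matching burn. The following is an added example, not Multichain's code; the event format, field names and rule names are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class BridgeMonitor:
    """Replays bridge events for one asset and records invariant violations."""
    locked: int = 0          # collateral held by the bridge on the first chain
    minted: int = 0          # derivative supply outstanding on the second chain
    burned: dict = field(default_factory=dict)   # burn id -> amount awaiting release
    alerts: list = field(default_factory=list)   # (rule, event id) tuples

    def apply(self, ev: dict) -> None:
        kind, amount = ev["type"], ev["amount"]
        if kind == "lock":
            self.locked += amount
        elif kind == "mint":
            self.minted += amount
        elif kind == "burn":
            self.minted -= amount
            self.burned[ev["id"]] = amount
        elif kind == "release":
            # A release must consume a burn of exactly the same amount.
            if self.burned.get(ev.get("burn_id")) == amount:
                del self.burned[ev["burn_id"]]
            else:
                self.alerts.append(("RELEASE_WITHOUT_BURN", ev["id"]))
            self.locked -= amount
        else:
            raise ValueError(f"unknown event type: {kind}")
        # Collateral must cover live derivatives plus burns not yet paid out.
        if self.locked < self.minted + sum(self.burned.values()):
            self.alerts.append(("UNDERCOLLATERALIZED", ev["id"]))

def replay(events):
    monitor = BridgeMonitor()
    for ev in events:
        monitor.apply(ev)
    return monitor

# Constructed sample events (not real chain data); amounts are whole token units.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "lock", "amount": 1000},
    {"id": "e2", "type": "mint", "amount": 1000},
    {"id": "e3", "type": "burn", "amount": 400},
    {"id": "e4", "type": "release", "amount": 400, "burn_id": "e3"},
    {"id": "e5", "type": "release", "amount": 550},   # no burn behind it
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS).alerts)
```

Because lock and mint happen on different chains, a production monitor would need to tolerate ordering delays between them before raising the collateral alert.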

However, after suffering unspecified technical issues over the past few weeks, Multichain has been in the news for all the wrong reasons. The team announced on May 31 that the CEO was missing, and the network experienced numerous issues due to unforeseen circumstances, causing significant delays in transactions. Binance also announced that, due to problems with the Multichain network, withdrawals of some Multichain derivative tokens would be suspended.
