The Disaster of Fantom’s Pool Fish How Big Are the Vulnerabilities? Can It Save Itself?

Fantom's Pool Fish Disaster How Big Are the Vulnerabilities and Can it Save Itself?

As a result of the Multichain incident, Fantom has also found itself in a precarious situation.

Due to Fantom’s use of Multichain as the main cross-chain bridge for its ecosystem, the impact of the Multichain funds vulnerability (where approximately $118 million in assets were transferred out of the Multichain Fantom bridge contract on July 7th) has directly affected Fantom.

The most immediate manifestation of this is the significant deviation of stablecoins issued by Multichain bridge contracts on top of Fantom. According to SpookySwap, as of the time of writing, USDC-MULTI, fUSDT-MULTI, DAI-MULTI (the Multichain bridge version of stablecoins) are all priced around $0.27.

• Internal strife, coincidences, mistakes, and being arrested for carrying cash the untold story behind the Euler Finance hacker.
• Multichain official confirms that the founder has been taken away, and funds have been transferred by their relatives.
• JPMorgan Chase Ripple wins legal battle against SEC, which may benefit Coinbase.

Although Fantom has managed to freeze $62 million in funds such as USDC and USDT through contact with stablecoin issuers like Circle and Tether, due to the fact that nearly half of the funds in the $118 million hole are pure on-chain assets like WETH and WBTC that cannot be frozen, it is unlikely that this $56 million gap will be filled in the short term through similar means.

In addition, given that Multichain’s official disclosure on Twitter recently stated that the co-founder Zhaojun’s sister is also missing, there may be uncertainties regarding the $151 million funds that were transferred to two EOA wallets (0x1eed63efba5f81d95bfe37d82c8e736b974f477b; 0x48bead89e696ee93b04913cb0006f35adb844537) on July 9th for the purpose of asset preservation. In other words, even if control over the funds is not lost, it is highly likely that it will be difficult to handle this amount of funds in the short term, so this portion of funds can also be considered as a gap.

In short, the current situation is that the Fantom ecosystem is carrying a definite gap of $56 million due to this incident, as well as a potential gap of $151 million.

Lessons from Harmony’s Experience

We can find some similarities between the current situation of Fantom and Harmony’s experience from a year ago.

In June 2022, Harmony’s official cross-chain bridge, Horizon, was attacked by hackers, resulting in a loss of approximately $100 million. Although Harmony tried various ways to recover the stolen funds, they were ultimately unsuccessful.

Since the stablecoins on the Harmony chain were mainly issued through the Horizon bridge contract, there was also a significant deviation problem. This is similar to the current situation of Fantom, and perhaps it can be considered “fortunate” that Fantom, unlike Harmony, is only indirectly responsible as a third party outside of Multichain.

However, on the other hand, Fantom’s choice to use Multichain as the main cross-chain bridge, effectively placing the security of its ecosystem in a precarious situation (Zhaojun’s personal server), is a decision that is questionable.

The unpegging of stablecoins not only means losses for holders, but also affects the development of ecological projects from an ecological perspective.

One obvious manifestation is that some projects will be forced to suffer huge impacts, especially lending protocols. In such events, the unpegging of stablecoins almost always happens in an instant, making it difficult to effectively liquidate lending protocols, resulting in massive bad debts. Aave on the Harmony chain has not yet returned to normal operation, and Geist Finance, the largest lending protocol on Fantom, has also announced permanent closure.

However, the more hidden but more obvious impact is that the unresolved vulnerabilities are a blow to the confidence of all projects in the ecosystem, which is almost like a slow death. In the past year, we have seen too many projects migrate away from Harmony, and similar situations may also occur on Fantom.

Can the vulnerabilities be resolved? What are the lessons?

Of course, it is not entirely impossible for Fantom to patch the holes. Leaving aside the unclear control of the two EOA wallets, in terms of Fantom’s own financial situation (see “AC’s Account of Fantom’s Financial History: From $2 Million to $1.5 Billion”), AC has revealed that as of November 2022, Fantom’s treasury held over 450 million FTM, $100 million stablecoins, $100 million in encrypted assets, and $50 million in non-encrypted assets.

Just from the absolute numbers, Fantom’s treasury reserves are sufficient to cover this vulnerability. However, whether the situation will reach the point where Fantom will tap into the treasury and the community’s stance on this matter are currently unknown.

Considering the Fantom incident and even the earlier Harmony incident, we can see that the “cross-chain dragging down the public chain” is no longer an isolated case but has shown a certain degree of generic risk. From the perspective of public chains, in order to avoid such events from happening again, it is necessary to minimize the systemic impact of cross-chain bridges on the overall operation of the ecosystem.

There may be several potential solutions at different levels: First, the public chain can incubate native stablecoins, which will minimize external risk transmission but also pose the greatest difficulty. Second, collaborate with stablecoin issuers such as Circle and Tether to issue native USDC and USDT on the chain, which is currently the most popular option but also tests the comprehensive development status and business cooperation capabilities of the public chain. Third, it may be possible to minimize reliance on a single cross-chain bridge and balance the quantity of stablecoins issued by various bridge contracts through incentive measures and other regulatory measures.

In summary, cross-chain bridges, as the biggest source of risk in on-chain ecosystems (perhaps without exception), should maintain sufficient security vigilance in combination with various components at different levels. We hope that Fantom can successfully overcome the quagmire and that similar incidents will not happen again.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!