Multichain, the cross-chain bridge, is once again caught in controversy

Multichain, a decentralized exchange (DEX) for trading cryptocurrencies across different blockchain networks, has faced several controversies. In May 2021, a security breach resulted in the loss of over $30 million worth of cryptocurrency. In June 2021, Multichain's development team announced a new governance model that faced criticism from some members of the community. Then, in July 2021, accusations of token price manipulation arose when the token price suddenly skyrocketed. Despite these issues, Multichain remains a popular platform for trading cryptocurrencies.

Edit | Wu talks about blockchain

On July 7, 2023, a large amount of multi-chain assets worth about $125 million flowed abnormally out of the cross-chain protocol Multichain to multiple wallets, including 122 million assets (57.8m USDC, 1.024k WBTC, 7.214k WETH, 4.178m DAI, 491.657k LINK, 910.654k UNIDX, 1.493m USDT, 9.674m WOO, 1.297m ICE, 1.362m CRV, 134.48 TFI and 502.4k TUSD) flowing out of Multichain:Fantom Bridge, 6.835 million assets (4.83m USDC, 1.042m USDT, 780k DAI and 6.122 WBTC) flowing out of Multichain:Moonriver Bridge, and 666.47k USDC flowing out of Multichain:Dogechain Bridge. Currently, Multichain asset bridge activities have been suspended, and the last transaction was on July 7 at 06:56 UTC+8.

According to the deExplorer browser, some users are exchanging Fantom-chain assets at a discount through DLN Trade for assets on other chains. Based on the latest transactions, 1 USDC on Fantom can be exchanged for about 0.9 USDC on BSC, 0.88 USDT on Polygon, and so on, at around a 10% discount.

Multichain’s official account stated that the locked assets on the Multichain MPC address were abnormally moved to an unknown wallet, and the team is unsure of what happened and is currently investigating. The team also recommends that all users suspend the use of Multichain services and revoke all contract authorizations related to Multichain.

@Loki_Zeng believes that the abnormal outflow of funds from Multichain has the following characteristics: the asset transfer lasted for a long time, a small test of 2 USDC was conducted before the transfer, each asset was transferred to an independent wallet, and there was no further action afterwards (such as transferring to an exchange, swap, or mixing). The receiving wallet is completely clean.

Based on these characteristics, it can be deduced that: 1) The transferor had sufficient time. Considering the technical characteristics of MPC, the transferor most likely obtained control of more than the threshold of private key fragments through some means. 2) The “attack method” is very simple, which is a simple transfer operation without contracts, and there was even a test. The attacker is most likely not a hacker. 3) The transferor did not carry out further disposal and realization, and the operator may not have absolute decision-making power.

Multichain Historical Events

AnySwap V3, which was renamed on July 11, 2021, was previously attacked. A total of 2,398,496.02 USDC and 5,509,222.73 MIM assets were lost. According to the official analysis, the cause of the attack was that two transactions signed by the same account appeared on the BSC chain. If two transactions signed by the same account have the same r value in their (r, s, v) signatures, the hacker can work backwards from them to the account's private key. The AnySwap team reproduced the hacker's method and stated that it will provide full compensation.
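An added example, not from the original article or the AnySwap team: a check that flags one signer using the same r on two different transaction hashes, followed by the algebra showing why such a pair must be treated as key compromise. The record fields, signer labels and all scalar values are constructed, and `R` is only a stand-in for the x-coordinate of a real curve point.

```python
from collections import defaultdict

# Order of the secp256k1 group (public curve parameter used by BSC/Ethereum).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def find_reused_r(sigs):
    """Return (signer, r, records) for every signer that reused r on different hashes."""
    groups = defaultdict(dict)
    for rec in sigs:
        # Key on the message hash z so a re-broadcast of one transaction is not flagged.
        groups[(rec["signer"], rec["r"])][rec["z"]] = rec
    return [(signer, r, list(by_hash.values()))
            for (signer, r), by_hash in groups.items() if len(by_hash) > 1]

def implied_key(a, b):
    """Solve s = k^-1 * (z + r*d) mod N for d when a and b share the nonce k.

    Assumes neither s was negated by low-s normalisation; a full audit tries both signs.
    """
    k = (a["z"] - b["z"]) * pow((a["s"] - b["s"]) % N, -1, N) % N
    return (a["s"] * k - a["z"]) * pow(a["r"], -1, N) % N

def _scalar_sign(d, k, r, z):
    """Constructed helper: the scalar half of ECDSA signing (no curve arithmetic)."""
    return pow(k, -1, N) * (z + r * d) % N

# Constructed sample data. R stands in for the x-coordinate of k*G, which is all
# the algebra needs; D and K are made-up scalars, not real keys.
D, K, R = 0x1234567890ABCDEF, 0xCAFEBABE, 0xDEADBEEF12345
Z1, Z2 = 0x1111AAAA, 0x2222BBBB
SAMPLE = [
    {"signer": "signer-A", "tx": "tx1", "z": Z1, "r": R, "s": _scalar_sign(D, K, R, Z1)},
    {"signer": "signer-A", "tx": "tx1-rebroadcast", "z": Z1, "r": R, "s": _scalar_sign(D, K, R, Z1)},
    {"signer": "signer-A", "tx": "tx2", "z": Z2, "r": R, "s": _scalar_sign(D, K, R, Z2)},
    {"signer": "signer-B", "tx": "tx3", "z": Z1, "r": 0xFEED, "s": 0xBEEF},
]

if __name__ == "__main__":
    for signer, r, recs in find_reused_r(SAMPLE):
        leaked = implied_key(recs[0], recs[1]) == D
        print(f"{signer}: r={r:#x} reused in {[x['tx'] for x in recs]}; key exposed: {leaked}")
```

Signers that derive the nonce deterministically from the key and message (RFC 6979) never produce the flagged pattern, so any hit from this check means the key should be rotated.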

On December 21, 2021, Multichain, which was renamed, announced that it had completed a $60 million financing round led by Binance Labs, with participation from Sequoia China, IDG Capital, Three Arrows Capital, DeFiance Capital, Circle Ventures, Tron Foundation, Hypersphere Ventures, Primitive Ventures, Magic Ventures, and HashKey.

On December 23, 2021, Multichain, which had just completed a huge financing round, became embroiled in a dispute over equity. Co-founder and CEO Zhao Jun claimed to own 100% of the foundation’s equity, but the FUSION Foundation claimed that Qian Dejun owned 40% of the equity. Qian Dejun has been involved in the founding of projects such as Quantum Chain, VeChain, and FUSION.

On January 18, 2022, Multichain discovered a critical vulnerability that affected six tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) and announced that the vulnerability had been successfully fixed, and all users’ assets were safe, with cross-chain transactions not affected. However, a security firm later discovered that the vulnerability had been exploited by hackers to steal funds, and the community urged users to revoke authorizations as soon as possible. The security incident caused losses of approximately $3 million.

On January 13, 2023, Multichain launched its next-generation new technology product, zkRouter, and released the zkRouter white paper. zkRouter is a trustless, generic cross-chain infrastructure that has the advantages of trustlessness, on-chain light computation, generality, low latency, and no asset collateral. As Multichain’s latest solution, zkRouter uses Zero Knowledge Proof (ZKP) to connect multiple blockchain networks and achieve seamless interoperability.

On March 15, 2023, Multichain announced that its total transaction volume had exceeded $100 billion. The total number of cross-chain users surpassed 830,000, the number of cross-chain transactions was 5.04 million, the average single cross-chain capital was around $20,000, Multichain currently connected 83 public chains, supported more than 3,400 types of cross-chain assets, and cross-chain liquidity exceeded $1.8 billion.

On May 24, 2023, multiple users reported abnormal delays in cross-chain funds arriving on Multichain. Multichain initially responded on Discord, stating, “It is because the backend node upgrade took longer than expected, and all affected transactions will arrive after the upgrade is completed.” Later, it stated, “Part of the cross-chain routing cannot be used due to force majeure, and the time to restore service is unknown. After the service is restored, the pending transactions will be automatically credited.” Meanwhile, Multichain co-founder Alfred Xu responded to the arrest of the founder by police in the Telegram community, saying, “The team is working normally.” On May 25, Qian Dejun, founder of Fusion Foundation, said that he was unable to contact Multichain founder Zhaojun and “would see if he could provide technical or other assistance, but the most important thing is the security of user assets and the safety of people.”

Afterwards, all parties affected by Multichain took measures.

On May 25th, 2023, Binance announced that it would suspend deposits of certain bridged token networks, such as POLS-BSC, ACH-BSC, and BIFI-FTM, while waiting for clarification from the Multichain team. On the same day, Andre Cronje (AC) stated that the Fantom Foundation had stopped providing liquidity for the MULTI token on SushiSwap. On the 27th, due to concerns about the stability of the main USDC assets of Multichain and Fantom, LayerZero cross-chain bridge protocol Stargate released a proposal to disable the Fantom Pool and cross-chain path, set STG release in the Fantom Pool to 0, disconnect the Fantom Pool from other liquidity pools, remove and unlock anyUSDC POL through Multichain, then deposit POL into the Ethereum USDC Pool, and whitelist existing LP.

On June 1st, 2023, Multichain officially tweeted that over the past two days, due to unforeseeable circumstances, the Multichain protocol had experienced multiple issues. The team had done everything possible to maintain the operation of the protocol, but we are currently unable to contact CEO Zhaojun and obtain the necessary server access to perform maintenance. This afternoon, the scanning node network of Router5 had problems, affecting the normal cross-chain services of some chains. Moreover, this issue is beyond the current abilities and permissions of the team. In order to protect the interests of users, we have decided to temporarily suspend corresponding cross-chain services for affected chains on the UI. Last week, the same problem occurred on Router2. We appreciate users’ understanding and request that our partners stop directly calling the Multichain protocol smart contract for cross-chain operations on affected chains. The affected chains are: Kekchain, PublicMint, Dyno Chain, Red Light Chain, Dexit, Ekta, HPB, ONUS, Omax, Findora, and Planq.
