Abnormally large outflows from the Multichain MPC bridge platform are sparking fears of a multimillion-dollar exploit.
On July 6, observers noticed that approximately $102 million worth of crypto had been withdrawn from Multichain’s Fantom bridge on the Ethereum side, as well as $666,000 from Dogechain and $5 million from Moonriver.
Multichain likely hacked. Exit all multichain assets. Good idea to revoke approvals to multichain bridge if you had any
— Curve Finance (@CurveFinance) July 6, 2023
On July 6, 7,214 Wrapped Ether (WETH) tokens worth $13.6 million, 1,024 Wrapped Bitcoin (WBTC) worth $31 million and $58 million worth of USD Coin (USDC) were withdrawn from the Fantom bridge’s Ethereum smart contract — approximately $102 million in cryptocurrency in total.
In addition, the Dogechain bridge’s Ethereum contract saw a withdrawal of $666,000, which represented more than 86% of its total deposits, leaving only around $100,000 worth of assets remaining in the bridge. A total of $5,872,661 worth of USDC and Tether (USDT) were withdrawn from the Multichain Moonriver bridge contracts on Ethereum, leaving only around $700,000 remaining on it.
Several on-chain sleuths took to Twitter to label the event as a possible exploit. Blockchain security firm PeckShield tagged the Multichain team in a post showing the Fantom bridge transactions, saying, “you may want to take a look.”
Hi @MultichainOrg you may want to take a look: https://t.co/D4GKGpuBtw pic.twitter.com/3qURqGmes8
— PeckShield Inc. (@peckshield) July 6, 2023
This led one commenter to remark that it looks like “another massive hack.” On-chain investigator Spreek posted the Dogechain transactions with the comment, “dogechain multichain drained.”
Cointelegraph could not confirm by the time of publication whether the contracts were “drained” or whether a large amount of funds were simply withdrawn by users.
Cointelegraph reached out to the Multichain team on their Discord channel but did not get a response by publication.
In a later tweet, Multichain told its Twitter followers that the movements were abnormal and the team “is not sure what happened and is currently investigating.”
The lockup assets on the Multichain MPC address have been moved to an unknown address abnormally. The team is not sure what happened and is currently investigating.
It is recommended that all users suspend the use of Multichain services and revoke all contract approvals…
— Multichain (Previously Anyswap) (@MultichainOrg) July 6, 2023
Related: Poly Network urges users to withdraw after exploit affects 57 crypto assets
Multichain is a multi-party computation (MPC) bridging network. When a user wants to bridge assets from one chain to another, the Multichain network first confirms that the assets have been locked on the first chain and then mints derivative assets on the second chain.
When a withdrawal is made, the network goes through this process in reverse: it first confirms that the derivative coins have been destroyed on the second chain, then releases the assets backing them on the first chain.
The Multichain team claims that the cryptographic keys controlling this process are split into multiple shards and distributed throughout the network. This should theoretically prevent any single person or group from being able to make unauthorized withdrawals.
Multichain has been suffering from unspecified technical problems over the past few weeks. On May 31, the team announced that its CEO had gone missing and it was experiencing “multiple issues due to unforeseeable circumstances,” leading to delayed transactions. On July 5, Binance halted withdrawals of some Multichain derivative tokens due to the network failing to process transactions in a timely manner.
Asia Express: HK crypto ETFs on fire, Binance warns on Maverick FOMO, Poly hack
Update July 7, 12:41 am UTC: This article has been updated to include the most recent Twitter post and update from Multichain.