The crosschain bridge Multichain has been hacked again. From what is known, assets worth $130 million were initially stolen, followed by another $120 million. The cause is currently unknown.
On July 7, Multichain’s Twitter account announced that the “lockup assets” on Multichain’s MPC address had been “abnormally” transferred to another, unknown address. The team is not sure what happened and is currently investigating. It stopped and discouraged users from using all multichain services and recommended revoking all multichain shares in the wallet.
The lockup assets on the Multichain MPC address have been moved to an unknown address abnormally.
— Multichain (Previously Anyswap) (@MultichainOrg) July 6, 2023
The team is not sure what happened and is currently investigating.
It is recommended that all users suspend the use of Multichain services and revoke all contract approvals…
Multichain is what is known as a bridge: a platform that connects numerous blockchains by storing liquidity in different tokens on different blockchains. In a world with different blockchains, such bridges are important – but because of the many blockchains involved, they are often the weakest link in a chain.
Also Read:
- Did Nikola Tesla Predicted Bitcoin 100 Years before Satoshi?
- UN to begin oil transfer from decaying supertanker off Yemen next week
- US government moves almost 10,000 Bitcoin – a danger for the market?
Most of the initially stolen tokens were in the Bridge to Fantom (FTM), $102 million. In total, WBTC, USDC, DAI, ETH and LINK were the most stolen, together worth $130 million. Compared to the total $1.26 billion worth of tokens locked into Multichain, the losses are relatively manageable and one could hope that the damage would be limited.
From yesterday to today, however, a second wave of debits apparently began. These payouts are also considered “abnormal”. They again mainly affect DAI, ETH, USDC, USDT and WBTC, on the Arbitrum, BNB, Avalance, Cronos, Polygon, Moonbeam, Optimism and Ethereum blockchains, totaling around $110 million.
In the past 12 hours, Multichain experienced a large number of abnormal outflows again, and all the abnormal outflow assets were basically transferred to the new address: 0x1e…477b, worth about 117 million US dollars.
— Wu Blockchain (@WuBlockchain) July 11, 2023
11.91m DAI, 13,146 ETH, 10.1m USDC, 64m USDT, 52 BTC…
What exactly happened is largely unknown. A common theory is that a private key used to sign transactions going across the bridges was compromised. The reason for this assumption is that bridges to or from countless blockchains are affected, which is why a common vulnerability or error in the smart contracts is unlikely. Instead, everything points to a bug or compromised key in the multichain platform itself.
Exchanges like Binance have temporarily suspended multichain deposits. Circle, the issuer of the USDC tokens, also responded promptly and froze $63 million worth of tokens.
Immediately after the hack, the first scammers appeared. They copied the Fantom Foundation’s social media profiles and claimed to issue FTM tokens to victims of the hack, which could be collected by logging into certain sites with the wallet. And so forth.
Things aren’t going too well for the multichain bridge this year. As recently as late May, CEO Zhao Jun went missing , leaving the team unable to gain access to a key server to maintain the bridge. As a result, the bridges to or from some lesser-known blockchains had to be suspended, such as Public Mint, Ekta or ONUS. Zhaojun was rumored to have been arrested in China, along with associates at the Yuan-based stablecoin Trust Reserve. His arrest may be related to the compromised key, possibly by corrupt officials.
Multichain was hacked at the end of January 2022. However, “only” three million dollars were stolen from this. Unlike after this hack, the bridge protocol is unlikely to get off so lightly after losing more than $200 million.
