Abnormally large outflows from the Multichain MPC bridge platform on July 6 have sparked fears that an exploit could be underway. Over $102 million worth of crypto has been withdrawn from Multichain’s Fantom bridge on the Ethereum side, as well as $666,000 from Dogechain and $5 million from Moonriver.
Multichain likely hacked. Exit all multichain assets. Good idea to revoke approvals to multichain bridge if you had any
— Curve Finance (@CurveFinance) July 6, 2023
On July 6, 7,214 Wrapped Ether (WETH) tokens (worth $13.6 million), 1,024 Wrapped Bitcoin (WBTC) (worth $31 million) and $58 million worth of US Dollar Coin (USDC) were withdrawn from the Fantom bridge’s Ethereum smart contract, with a total of approximately $102 million in cryptocurrency withdrawn.
In addition, the Dogechain bridge’s Ethereum contract saw a withdrawal of $666,000, which represented more than 86% of its total deposits, leaving only around $100,000 worth of assets remaining in the bridge. $5,872,661 worth of USDC and Tether (USDT) were withdrawn from the Multichain Moonriver bridge contracts on Ethereum, leaving only around $700,000 remaining on it.
Several on-chain sleuths took to Twitter to label the event as a possible exploit. Blockchain security firm Peckshield tagged the Multichain team in a post showing the Fantom bridge transactions, saying “You may want to take a look.”
— PeckShield Inc. (@peckshield) July 6, 2023
Cointelegraph could not confirm by the time of publication whether the contracts were “drained” or whether a large amount of funds were simply withdrawn by users.
Cointelegraph reached out to the Multichain team on their Discord channel, but did not get a response by the time of publication. Multichain’s last post on Twitter was June 29.
Multichain is a multi-party computation (MPC) bridging network. When a user wants to bridge assets from one chain to another, the Multichain network first confirms that the assets have been locked on the first chain and then mints derivative assets on the second chain.
When a withdrawal is made, the network goes through this process in reverse: it first confirms that the derivative coins have been destroyed on the second chain, then releases the assets backing them on the first chain.
The Multichain team claims that the cryptographic keys controlling this process are split into multiple shards and distributed throughout the network. This should theoretically prevent any single person or group from being able to make unauthorized withdrawals.
Multichain has been suffering from unspecified technical problems over the past few weeks. On May 31, the team announced that their CEO had gone missing and they were experiencing “multiple issues due to unforeseeable circumstances,” leading to delayed transactions. On July 5, Binance halted withdrawals of some Multichain derivative tokens due to the network failing to process transactions in a timely manner.