Bad news for users of the Multichain multi-party computation (MPC) bridge network, as several contracts saw abnormal outflows on 6 July, totalling over $100 million in missing funds. Blockchain security company Peckshield was one of the first to identify the potential exploit and tweeted to highlight a number of suspicious transactions.
On-chain data indicates that Multichain’s Fantom bridge contract on Ethereum was the first target, seeing withdrawals of almost $58 million USDC, 1023.8 wrapped BTC (valued at over $30 million) and 7,214 wrapped Ether (almost $13.5 million) within just half an hour.
An hour later attacks were carried out on the Dogechain bridge’s Ethereum contract, which lost $666,000 (representing over 85% of its total locked value), and the Moonriver bridge contract, which saw $5.87 million worth of USDC and Tether removed, leaving just $700k remaining.
The Multichain team later acknowledged the abnormal movement of assets to an unknown address on Twitter, saying that it was looking into the matter and recommending that users suspend the use of Multichain services and revoke all contract approvals.
Multichain’s social media feeds have been uncharacteristically quiet of late, save for a couple of tweets last week congratulating Circle on its Cross-Chain Transfer Protocol efforts.
Its last significant post was on May 31, which explained that the protocol had experienced multiple issues over the past few days due to unforeseen circumstances. It also claimed that the team had undertaken all possible efforts to rectify the situation but was unable to contact the CEO, Zhaojun, to get access to maintain the servers.
With rumors suggesting that Zhaojun may have been arrested by Chinese police, the Multichain team had no option but to suspend service on affected chains for which it did not have server access. There had been no further reported sightings of or contact with Zhaojun by the time of the potential exploit.
To add to these woes, just days before the recent loss of funds from the network, Binance had stopped deposits and withdrawals for Multichain-bridged tokens on certain networks, including Fantom, Ethereum and BNB Smart Chain.
According to a tweet from security firm CertiK, which had audited Multichain on two occasions and not raised any serious concerns with its codebase:
“This exploit appears to be the result of a private key compromise, and as such falls outside the scope of the audits we conducted.”
Private key compromise, drained funds, missing CEO?… it seems that there may be more of this story still to Observe.
