TL;DR#
On July 6, 2023, the locked-up assets on the Multichain MPC address were abnormally moved out, resulting in a loss of funds worth approximately $126 million.
Introduction to Multichain#
Multichain is an infrastructure designed to support arbitrary cross-chain interactions.
Vulnerability Assessment#
The root cause of the exploit is likely to be the compromise of the private keys.
Steps#
Step 1:
We attempted to analyze the associated ERC20 token transfers from their address.
Step 2:
The address of the bridge is not a contract address, but an externally owned account (EOA), which indicates that the private key of the bridge might have been exposed or compromised. It is reported that no obvious cross-chain counterpart transactions were detected, suggesting a potential offline verification issue that allowed direct transfers across the cross-chain bridge.
Step 3:
Initially, a suspicious transaction involving the transfer of 2 USDC was sent at 4:21 PM UTC on July 6, 2023.
Step 4:
Roughly two hours after this incident, 1,023.8 WBTC worth approximately $30.9 million was withdrawn from the bridge. It was preceded by another high-asset-valued transfer of about $30.13 million worth of USDC.
Step 5:
At 7:46 PM UTC, the Multichain Moonriver Bridge was being drained of funds, starting with around $4.83 million worth of USDC.
Step 6:
Half an hour after this, the Multichain Dogechain bridge started to drain the held assets.
Step 7:
This exploit is particularly affecting assets on Fantom, Moonriver, and Dogechain chains. The stolen assets on these chains include:
Fantom: $20 million worth of assets in DAI, LINK, and USDT; 1,023.8 WBTC, worth approximately $30.9 million; 7,124 WETH, worth about $13.6 million; and 57 million USDC.
Moonriver: $6.8 million in WBTC, USDT, USDC, and DAI
Dogechain: $600,000 in USDC
Step 8:
So far, all of the stolen funds worth $126.566 million are held at this address and haven't been transferred or sold to a crypto mixing service.
Aftermath#
Approximately 7 hours after the occurrence of the first suspicious transaction, the team acknowledged the incident and stated that the lockup assets on the Multichain MPC address have been moved to an unknown address abnormally and that the team is not completely aware of its root cause.
They recommended that all users suspend the use of Multichain services and revoke all contract approvals related to Multichain.
They further stated that Multichain service has stopped currently, and all bridge transactions will be stuck on the source chains with no confirmed resume time.
Solution#
The reported loss of approximately $126 million in funds from the Multichain Bridge understandably raises alarms among members of the blockchain community. As a precautionary measure, users are advised to exercise caution, temporarily suspend Multichain services, and revoke any contract approvals associated with the platform. By taking swift action and prioritizing security, users can help mitigate the impact of such incidents and contribute to the development of a more secure DeFi ecosystem.
Permissioned interoperability providers face significant risks, particularly when subjected to attacks like the exploit mentioned, which can lead to severe economic repercussions. In May, Multichain encountered several technical challenges, further exacerbating concerns. Adding to the uncertainty, rumors circulated that the CEO, Zhaojun, was potentially detained in China, as the team lost contact with him. However, the team has not yet confirmed his return to the project.
Moreover, it's worth noting that this exploit might not necessarily be a random attack. While it's speculative at this stage, given the nature and magnitude of the exploit, it could potentially be a planned action, underscoring the vital necessity of robust preventive measures.
At Neptune Mutual, we understand the criticality of a secure environment for digital assets and the importance of adequate coverage to counter potential vulnerabilities. Had there been a dedicated coverage pool set up on Neptune Mutual for the Multichain bridge, the damage from this catastrophic exploit could have been significantly alleviated. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Our services eliminate the need for users to provide loss evidence for payout claims. Users could have claimed their payouts soon after the resolution of this incident, thus providing them with immediate financial relief. At present, our marketplace operates on three renowned blockchain networks, namely Ethereum, Arbitrum, and the BNB chain.
Reference Source SlowMist
