Abnormally Large Outflows from Multichain MPC Bridge Spark Exploit Fears
Abnormally large outflows from the Multichain MPC bridge platform are sparking fears of a multi-million dollar exploit.
On July 6, observers noticed the following withdrawals:
- $102 million worth of crypto from Multichain’s Fantom bridge on the Ethereum side
- $666,000 from Dogechain
- $5 million from Moonriver
Specifically, on July 6, the following amounts were withdrawn from the Fantom bridge’s Ethereum smart contract:
- 7,214 Wrapped Ether (WETH) tokens (worth $13.6 million)
- 1,024 Wrapped Bitcoin (WBTC) (worth $31 million)
- $58 million worth of US Dollar Coin (USDC)
These withdrawals amounted to approximately $102 million in cryptocurrency being withdrawn.
In addition, the Dogechain bridge’s Ethereum contract saw a withdrawal of $666,000, which represented more than 86% of its total deposits, leaving only around $100,000 worth of assets remaining in the bridge. Furthermore, $5,872,661 worth of USDC and Tether (USDT) were withdrawn from the Multichain Moonriver bridge contracts on Ethereum, leaving only around $700,000 remaining.
Several on-chain sleuths took to Twitter to label the event as a possible exploit. Blockchain security firm Peckshield tagged the Multichain team in a post showing the Fantom bridge transactions, saying, “You may want to take a look.”
This led one commenter to remark that it looks like “another massive hack.” On-chain investigator Spreek posted the Dogechain transactions with the comment “dogechain multichain drained.”
Cointelegraph could not confirm by the time of publication whether the contracts were “drained” or whether a large amount of funds were simply withdrawn by users.
Cointelegraph reached out to the Multichain team on their Discord channel but did not receive a response by the time of publication.
In a later tweet, Multichain informed its Twitter followers that the movements were abnormal and the team “is not sure what happened and is currently investigating.”
Multichain is a multi-party computation (MPC) bridging network. When a user wants to bridge assets from one chain to another, the Multichain network first confirms that the assets have been locked on the first chain and then mints derivative assets on the second chain.
When a withdrawal is made, the network goes through this process in reverse: it first confirms that the derivative coins have been destroyed on the second chain, then releases the assets backing them on the first chain.
The Multichain team claims that the cryptographic keys controlling this process are split into multiple shards and distributed throughout the network. This should theoretically prevent any single person or group from being able to make unauthorized withdrawals.
Multichain has been suffering from unspecified technical problems over the past few weeks. On May 31, the team announced that their CEO had gone missing, and they were experiencing “multiple issues due to unforeseeable circumstances,” leading to delayed transactions. On July 5, Binance halted withdrawals of some Multichain derivative tokens due to the network failing to process transactions in a timely manner.