< Back to all articles

Cross-chain Risks: Remembering Multichain Hack

October 18, 2023

On July 7, 2023, the cross-chain bridge protocol Multichain suffered from “unauthorized withdrawals”. Experts, users, and crypto security experts speculated about possible causes and explanations, with some arguing that it might be an inside job. Nevertheless, this incident has left many ecosystem participants and crypto enthusiasts confused and worried, and rightfully so. 

The crypto industry continues evolving, and its technologies – adapting and improving. Multichain has lost over $125 million, making it one of the largest crypto hacks to date. Such disastrous events remind crypto users and developers that there is still so much to learn, invent, and build before the industry can become what we all wish it to become – a truly secure, accessible, and convenient space.

Bridges and Their Security Problems

Connecting different blockchains through cross-chain technologies allows for efficient and seamless operations between them. The goal is to overcome the isolated nature of blockchains and create a network that enables users to switch between networks with ease. When talking about cross-chain technology, most people think of cross-chain bridges (learn more about cross-chain bridges in this post). These bridges make it possible for users to transfer coins and tokens between networks without needing a centralized exchange or converting assets.

Although blockchain bridges are a major step toward facilitating blockchain interoperability, they pose several security risks, severe consequences of which the crypto community can regularly see. When blockchains are connected through cross-chain bridges, those bridges can become weak points that might endanger the security of all interconnected blockchains. Hackers usually direct their attention toward bridges' smart contracts or supporting node validators because they are less robust and hence more susceptible than the blockchains themselves. 

One example of such an attack is an infinite mint attack, where a hacker discovers a way to mint an excessive amount of wrapped tokens, causing their supply to reach a harmful level. They can then sell these tokens on DEXes, earning millions of dollars and ultimately crashing token value.

So, why is it so difficult to connect different blockchains? Cryptocurrencies are written in various coding languages and exist in separate virtual environments. Creating the logic to link them is a challenging task, especially when it involves enabling the conversion of multiple tokens. Besides, there is no universal compiler that can automatically convert code from the source chain into a version that can run on a different blockchain network. Another issue is that blockchain bridges are a recent invention, resulting in a limited number of proficient programmers capable of writing and evaluating bridge codes. It means that creating effective practices regarding cross-chain bridges will require time. Meanwhile, users must be extremely cautious.

Multichain Hack and Its Outcomes

Multichain (formerly known as AnySwap) was an infrastructure designed to facilitate cross-chain interactions between different blockchains. It supported over 25 chains and 1100 tokens before ceasing its existence due to a series of hacker attacks and the disappearance of its CEO.

Over $125 million in cryptocurrency was withdrawn from Multichain, with a large portion of around $120 million coming from Fantom bridge. A hacker took several assets from the protocol, including wrapped Ether (wETH), wrapped Bitcoin (wBTC), and USDC. In addition, the attacker withdrew $666,000 from the Dogecoin bridge, resulting in an 85% loss of total deposits. Lastly, $6.8 million in funds, including USDC and Tether, were taken from the Moon River bridge.

Multichain used a multi-party computation (MPC) system to secure its smart contracts. MPC is a process where multiple parties can evaluate a computation without revealing their private data.This system is similar to a multi-signature wallet where the private key is split between multiple parties who work together to carry out transactions. MPC allows individuals to exchange information and learn the answer they need without disclosing who provided which data or relying on an external third party. Unfortunately, the MPC system is still vulnerable if an attacker manages to obtain enough MPC keys. Perhaps this is exactly what happened with Multichain.

Interestingly, the attacker did exchange centrally controlled assets like USDC, which can be frozen by the issuing company (Circle, in this case), along with the addresses holding those assets. It is puzzling, as most hackers typically quickly swap those funds for assets that do not have such kinds of security measures. Circle and Tether have both frozen several addresses holding approximately $65 million of assets stolen from Multichain, preventing attackers from using or transferring them further.

A week after the hack, the Multichain team announced that they ceased operations due to their inability to access the platform and all the suspicious activities. In addition, the MPC node servers were running under Zhaojun's personal cloud server account, and none of the team members had access to it, making it impossible to log in to the MPC servers. After Zhaojun's family confirmed that the Chinese police had confiscated his computers, phones, and hardware devices, there were many speculations about the involvement of the Chinese government in the hack. Additionally, Zhaojun's sister was allegedly involved in transferring the remaining funds to two of her own addresses to preserve the remaining assets before being taken into custody by the Chinese authorities, further complicating the situation. 

Three months have passed, and the situation has not become any clearer, as users are still unable to receive any answers or retrieve their assets.

Final Thoughts

While it can be challenging to foresee cross-chain bridge exploits, there are ways to minimize risk and avoid similar incidents. Conducting in-depth code audits is one method that can assist developers in establishing project standards and help investors assess protocol viability. Even though the Multichain hack likely was caused by compromised keys rather than faulty code, reliable audit reports often specify which sections of protocols are susceptible to private key theft from external addresses, allowing users to make more informed risk assessments. Furthermore, individuals should conduct thorough research before engaging in any protocol transactions.

Another solution for enhancing the security of cross-chain bridges is zero-knowledge technology. It utilizes cryptography instead of validators, thus minimizing attacks on nodes. Kinetex Network uses Zk-SNARKs, a specific type of Zk technology, in its innovative dApp. They allow to eliminate the risks of MEV attacks and prevent price slippages. 

Kinetex Network: Website | Kinetex dApp