Last week, cross-chain bridge protocol Multichain experienced unusually large, unauthorized withdrawals to the tune of over $127 million in assets. The team announced that it was launching an investigation, shutting down the asset bridge, and advising users to cancel any contract permissions.
The unprecedented suspicious outflows raised concerns of a hack and even led to charges of rug pulling as a number of keen-eyed on-chain sleuths launched their own investigations. Chainalysis, a leading blockchain analytics platform, stated that it was one of the biggest crypto hacks on record.
The data tracking company suggested in a report dated July 10 that the massive withdrawals appeared to be the consequence of an insider hack or rug pull rather than just a function aberration or coding errors.
This is due to the fact that, unlike cross-chain protocols, which get hacked due to faulty experimental designs, Multichain has recently encountered some significant problems unrelated to the design of its protocol, leading to public suspicions that the most recent exploit may have been created by insiders.
Out of the $127 million worth of cryptocurrency, nearly $120 million came from Multichain’s Fantom Bridge. The stolen assets consisted of wrapped Ether [wETH], wrapped Bitcoin [wBTC], and USDC. In addition, the attacker took $666k from the Dogecoin bridge, losing 85% of all deposits, and $6.8 million from the Moon River bridge, taking money in USDC and Tether with it.
Multichain’s Administrator Keys Could Be Hacked
Despite being secured by a multi-party computation [MPC] system, Multichain’s smart contracts are still susceptible to attackers who might have access to enough MPC keys as in the recent case, Chainalysis stated.
Another scenario involves compromised administrator keys. Even though it’s possible that those keys were acquired by an outside hacker, many security professionals and other analysts believe that this exploit could be a case of classic rug pull because of Multichain’s recent woes.
Suspicions further gained teeth after the CEO of Multichain, who goes by the moniker Zhaojun, mysteriously vanished. On May 31, 2023, the platform acknowledged that it was unable to get in touch with him and, as a result, could not carry out the essential technical maintenance on the platform.
It didn’t end here, as the team was forced to cease operations in more than 10 chains following rumors of Zhaojun’s alleged arrest in China and the seizure of $1.5 billion of the protocol’s smart contract funds.