Multichain Executor has been ‘draining’ AnySwap tokens: Report

July 11, 2023 Coin Telegraph

anyswap

The contract has used an “anySwapFeeTo” function to transfer hundreds of thousands of dollars worth of tokens to itself, which on-chain sleuth Spreek suspected may have been malicious.

A person is using the Multichain Executor to drain tokens associated with the AnySwap bridging protocol, according to a July 10 report from on-chain sleuth and Twitter user Spreek. The report follows outflows of over $100 million from Multichain bridges that occurred on July 7, which were reported by the Multichain team as “abnormal.”

The Multichain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA pic.twitter.com/gqDaXMBl96
— Spreek (@spreekaway) July 10, 2023

According to Spreek’s July 10 report, “The Multichain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA [externally owned account].”

An image attached to the post shows Ethereum transaction 0x53ede4462d90978b992b0a88727de19afe4e96f0374aa1a221b8ff65fda5a6fe. Blockchain data reveals that this transaction called the “anySwapFeeTo” method on the Multichain Router: V4 contract, causing approximately $15,275.90 worth of anyDAI — a derivative version of the Dai (DAI) stablecoin — to be minted on Ethereum and sent to the Multichain Executor, who then burned it and exchanged it for the underlying DAI backing the asset.

*DAI conversion by the Multichain Executor. Source: Etherscan*

In a separate comment, Spreek said the funds are being sent to the following address: 0x1eed63efba5f81d95bfe37d82c8e736b974f477b. Ethereum blockchain data shows that this address received the redeemed DAI from the Multichain Executor on July 10, about five minutes after the previous transaction.

Data for BNB Smart Chain (BSC) shows that the Multichain Executor also called the anySwapFeeTo function on its network for $208,997 worth of anyUSDC. This resulted in $208,997 worth of the tokens being converted into its underlying Binance-Pegged USDC, which were subsequently sent to this same address. In other BSC transactions, the contract used this process to convert 50.80 anyBTC, worth $39,251.43 at the time, to equivalent Binance-Pegged Bitcoin and send it to this address.

The transactions add up to approximately $263,524.33 worth of tokens sent to this address through the anySwapFeeTo method.

Spreek said this behavior could be part of the normal functioning of the protocol. On the other hand, a different account had engaged in similar behavior the day before, Spreek stated. The other account eventually sold the drained tokens, providing evidence that it was malicious:

“It is unclear whether this is authorized behavior. Previously the same method was used yesterday by a different MPC address on the anyUSDT token on mainnet. The tokens were then immediately sold to ETH, suggesting that that similar address was the actions of a malicious actor.”

The on-chain sleuth theorized that the attacker may be using the anySwapFeeTo function to set fees to an arbitrarily large amount, allowing them to drain users’ funds. This function “[a]pparently allows ANY value to be set, so the address is simply choosing the total value of the token held in that anyToken,” Spreek stated.

The Multichain incident has baffled blockchain analysts, as no one has been able to prove whether it resulted from an exploit or is simply the result of large tokenholders moving their funds between networks. The mystery began on July 7, when over $100 million worth of tokens were withdrawn from the Ethereum side of Multichain’s Fantom, Moonriver and Dogechain bridges and sent to wallet addresses with no previous transactions. These withdrawals represented the majority of funds held on each bridge.

The Multichain team declared that the withdrawals were “abnormal” and told users to stop using the protocol. However, the team did not declare what the source of the anomaly was or could be.

On July 8, stablecoin issuers Circle and Tether froze some of the addresses that received funds tied to the strange transactions. On July 11, blockchain analytics firm Chainanalysis said the incident “looks more like a hack or rugpull and less like a migration.”

The Multichain team says their CEO is missing and that they’ve shut down some bridges due to no longer having access to some of the network’s multi-party computation network servers.

Collect this article as an NFT to preserve this moment in history and show your support for independent journalism in the crypto space.

Multichain’s ‘mysterious withdrawals’ have whiffs of a ‘rug pull’ — Chainalysis

July 11, 2023 Coin Telegraph

chainalysis

Chainalysis told Cointelegraph that they were “describing it as a possible rug pull,” based on an analysis of Multichain’s spurious transactions and internal problems.

The multi-million dollar exploit of cross-chain bridge protocol Multichain could have been an internal rug pull, according to blockchain security and analytics firm Chainalysis.

“On July 6, 2023, cross-chain bridge protocol Multichain experienced unusually large, unauthorized withdrawals in what appears to be a hack or rug pull by insiders,” the firm wrote in a July 10 blog post.

The exploit has so far resulted in the loss of more than $125 million.

On July 6, @MultichainOrg experienced unusually large, unauthorized withdrawals, resulting in losses of more than $125M. It’s one of the biggest #crypto hacks on record.

Read on to learn what we know so far: https://t.co/ib2K6sIrID pic.twitter.com/BBY3iU75oB
— Chainalysis (@chainalysis) July 10, 2023

However, Chainalysis believes the exploit may have been the result of administrator keys being compromised, which some suggest means it couldy have been an “inside job.”

*Blockchain security firm SlowMist has also previously suggested the same. Source: Twitter*

In a statement to Cointelegraph, a spokesperson for Chainalysis confirmed the firm is “describing it as a possible rug pull.”

Multichain’s smart contracts use a multi-party computation (MPC) system, which is similar to a multi-signature wallet, the firm explained.

“It is possible that the attacker gained control of Multichain’s MPC keys in order to pull off this exploit,” Chainalysis said before adding:

“While it’s possible those keys were taken by an external hacker, many security experts and other analysts think this exploit could be an inside job or rug pull, due in part to recent issues suffered by Multichain.”

Chainalysis said the most obvious example of these internal issues was the disappearance of Multichain's CEO, known as “Zhaojun,” in late May. The platform also suffered delayed transactions and other technical problems resulting in Binance ending support for several of its bridged tokens on July 7.

Cointelegraph reached out to Multichain for a response to the claims but had not heard back at the time of publication.

Meanwhile, blockchain sleuths have reported more spurious Multichain token movements over the past few hours. The abnormal outflows were the Multichain Executor address draining anyToken addresses across several chains, they reported.

The Multichain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA pic.twitter.com/gqDaXMBl96
— Spreek (@spreekaway) July 10, 2023

On July 8, stablecoin issuers Circle and Tether froze more than $65 million in assets tied to the Multichain exploit.

Chainalysis commented that it was interesting that the exploiter “did not swap out of centrally controlled assets like USDC, which can be frozen by the issuing company.”

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story

Connext founder proposes ‘Sovereign Bridged Token’ standard after Multichain incident

July 10, 2023 Coin Telegraph

Bridges

EIP-7281 will allow token issuers to list official bridges and limit the rate at which they can mint tokens, potentially limiting losses from bridge hacks.

An Ethereum Improvement Proposal (EIP) made on July 7 seeks to standardize how tokens are bridged between networks. The “Sovereign Bridged Token” standard, or EIP-7281, allows token issuers to create canonical bridges across multiple networks.

The proposal was co-authored by Arjun Bhuptani, founder of the Connext bridging protocol. In a July 7 social media post, Bhuptani claimed the protocol would help prevent issues like the July 6 Multichain incident, which some experts have described as a “hack.”

Today's @MultichainOrg hack is a sad reminder of the systemic risks tokens face from bridges.

We believe these risks stem from a single underlying problem:

✨Token Sovereignty✨

We're proposing ERC-7281 (aka xERC20) - an open standard to fix this.https://t.co/k9Vyd55Eb5

1/x
— Arjun | ERC-7281 arc (@arjunbhuptani) July 7, 2023

According to the proposal’s discussion page, it allows token issuers to designate a list of canonical bridges. Only bridges added to this list could mint an official version of the issuer’s token. Issuers can also limit the number of tokens a bridge is allowed to mint. These parameters can be changed at virtually any time by the issuer.

In Bhuptani’s view, this proposal will ensure that “ownership of tokens is shifted away from bridges (canonical or 3rd party) into the hands of token issuers themselves” and will limit losses if a bridge’s security comes into question:

“In the event of a hack or vulnerability for a given bridge (e.g. today’s Multichain hack), issuer risk is capped to the rate limit of that bridge and issuers can seamlessly delist a bridge without needing to go through a painful and time-intensive migration process with users.”

Bhuptani said the proposal would also help prevent user experience problems in decentralized finance, as all bridges will issue the same official token. Over time, this will eliminate the need for multiple versions of the same token, he claimed.

Stablecoin issuer Circle has already created the Cross-Chain Transfer Protocol (CCTP) to list official bridges for its token, US Dollar Coin (USDC). EIP-7281 intends to implement the basic concept behind CCTP but also tries to make this solution apply “more broadly to all tokens,” according to the proposal’s notes.

Both Circle and Tether have blacklisted some of the addresses used in the Multichain incident, preventing $65 million worth of USDC and Tether (USDT) from being moved out of these addresses.

Stablecoin Issuers Circle and Tether Freeze Stablecoins Tied to Multichain Exploit: On-Chain Data

July 10, 2023 The Daily Hodl

Web3 Crypto Project Multichain Hit With $126,000,000 Exploit: PeckShield

July 8, 2023 The Daily Hodl

Multichain MPC bridge sees $100M+ outflows, sparking fears of exploit

July 6, 2023 Coin Telegraph

Bridge

Some Multichain contracts on Ethereum suffered withdrawals of more than half of their deposits, causing on-chain sleuths to fear an exploit is underway.

Abnormally large outflows from the Multichain MPC bridge platform on July 6 have sparked fears that an exploit could be underway. Over $102 million worth of crypto has been withdrawn from Multichain’s Fantom bridge on the Ethereum side, as well as $666,000 from Dogechain and $5 million from Moonriver.

Multichain likely hacked. Exit all multichain assets. Good idea to revoke approvals to multichain bridge if you had any
— Curve Finance (@CurveFinance) July 6, 2023

On July 6, 7,214 Wrapped Ether (WETH) tokens (worth $13.6 million), 1,024 Wrapped Bitcoin (WBTC) (worth $31 million) and $58 million worth of US Dollar Coin (USDC) were withdrawn from the Fantom bridge’s Ethereum smart contract, with a total of approximately $102 million in cryptocurrency withdrawn.

*July 6 withdrawals from the Multichain Fantom Bridge contract on Ethereum. Source: Blockchain data*

In addition, the Dogechain bridge’s Ethereum contract saw a withdrawal of $666,000, which represented more than 86% of its total deposits, leaving only around $100,000 worth of assets remaining in the bridge. $5,872,661 worth of USDC and Tether (USDT) were withdrawn from the Multichain Moonriver bridge contracts on Ethereum, leaving only around $700,000 remaining on it.

Several on-chain sleuths took to Twitter to label the event as a possible exploit. Blockchain security firm Peckshield tagged the Multichain team in a post showing the Fantom bridge transactions, saying “You may want to take a look.”

Hi @MultichainOrg you may want to take a look: https://t.co/D4GKGpuBtw pic.twitter.com/3qURqGmes8
— PeckShield Inc. (@peckshield) July 6, 2023

This led one commenter to remark that it looks like “another massive hack.” On-chain investigator Spreek posted the Dogechain transactions with the comment “dogechain multichain drained.”

Cointelegraph could not confirm by the time of publication whether the contracts were “drained” or whether a large amount of funds were simply withdrawn by users.

Cointelegraph reached out to the Multichain team on their Discord channel, but did not get a response by the time of publication. Multichain's last post on Twitter was June 29.

Multichain is a multi-party computation (MPC) bridging network. When a user wants to bridge assets from one chain to another, the Multichain network first confirms that the assets have been locked on the first chain and then mints derivative assets on the second chain.

When a withdrawal is made, the network goes through this process in reverse: it first confirms that the derivative coins have been destroyed on the second chain, then releases the assets backing them on the first chain.

The Multichain team claims that the cryptographic keys controlling this process are split into multiple shards and distributed throughout the network. This should theoretically prevent any single person or group from being able to make unauthorized withdrawals.

Multichain has been suffering from unspecified technical problems over the past few weeks. On May 31, the team announced that their CEO had gone missing and they were experiencing “multiple issues due to unforeseeable circumstances,” leading to delayed transactions. On July 5, Binance halted withdrawals of some Multichain derivative tokens due to the network failing to process transactions in a timely manner.

Asia Express: HK crypto ETFs on fire, Binance warns on Maverick FOMO, Poly hack

Binance Suspends Eight Altcoins Tied to Bridge Protocol Multichain After May Incident

July 5, 2023 The Daily Hodl

Gate.io denies liquidity problems after Multichain CEO goes missing

May 31, 2023 Coin Telegraph

Coin Telegraph

Some Twitter users posted transactions showing large inflows of MULTI and FTM to Gate.io, leading them to perceive a connection between the two organizations.

Centralized crypto exchange Gate.io denied rumors of illiquidity on May 31, stating that “there are no issues with our operations or withdrawals as rumored.” The statement comes after numerous Twitter channels had alleged that the exchange was experiencing insolvency due to an alleged connection between it and the cross-chain router protocol Multichain (MULTI).

The Gate.io team said the company's "operations are running healthy" and that it is focused on establishing an affiliated trading platform in Hong Kong called Gate.HK.

Rumors about Gate.io's insolvency erupted after a series of events relating to Multichain. On May 24, blockchain analytics firm Arkham Intelligence posted data showing large inflows of MULTI to Gate.io, which Arkham said was related to rumors of the protocol's team "allegedly being arrested in Shanghai.”

Following rumours of the @MultichainOrg team being allegedly arrested in Shanghai, some large holders of $MULTI have began moving funds.

Team wallets moving ~$3M of $MULTI to https://t.co/5ecSG3rKek have also spooked some investors, with $MULTI price falling 26.5% in 24h. pic.twitter.com/p2sQpu9Ass
— Arkham (@ArkhamIntel) May 24, 2023

On May 25, Binance suspended deposits for several bridged tokens that relied on the Multichain protocol, including bridged versions of Polkastarter (POLS), Alpaca Finance (ALPACA), and Fantom (FTM). Binance said these tokens were experiencing delayed transactions and temporarily paused deposits while seeking clarity from Multichain.

On May 31, Multichain posted a statement that its CEO was missing, adding that some of the protocol's routers no longer work because only the CEO had access to the relevant servers. The same day, some Twitter users began posting images of transactions that were allegedly large deposits of FTM from Multichain team members to Gate.io.

[] JUST IN:

There are rumors that the https://t.co/5YQLO0SsVt team has been arrested. The Multichain team has sent https://t.co/5YQLO0SsVt $10M USD in $FTM. Is this an ongoing larger-scale issue? ‍☠️ https://t.co/s29KYytChM pic.twitter.com/1XXbwGMoPs
— CoinSumption (@CoinSumption) May 31, 2023

Blockchain data confirms that more than $10 million of FTM was transferred from an unknown user to Gate.io on May 25-26. Cointelegraph was not able to determine the identity of the account owner performing the transaction.

After seeing multiple deposits of MULTI and Fantom to Gate.io, some Twitter users suspected that the exchange was exposed to fallout from Multichain.

The team at Gate.io has denied these rumors, stating that the exchange is processing all withdrawals and operating normally.