The Hack
In a significant security breach, cross-chain router protocol Multichain was exploited, resulting in a loss of nearly $130 million. The incident, which involved the unauthorized transfer of assets from several token bridges to an unknown address, underscores the critical importance of robust security measures in the management of cross-chain protocols.
Multichain announced the security breach on Twitter, stating, "The lockup assets on the Multichain MPC address have been moved to an unknown address abnormally." The team admitted uncertainty about the cause of the incident and recommended that all users suspend the use of Multichain services and revoke all contract approvals related to Multichain. The exploit resulted in the near-total depletion of Multichain's Fantom bridge holdings, which included wBTC, USDC, USDT, and several altcoins. The combined value of these assets exceeded $130 million.
This incident serves as a stark reminder of the potential vulnerabilities inherent in cross-chain protocols. As the cryptocurrency landscape continues to evolve, it is crucial that developers prioritize security to protect users and maintain the integrity of their platforms. The Multichain exploit underscores the need for ongoing vigilance, rigorous testing, and robust security measures in the management of cross-chain protocols.
Multichain
Multichain has two mechanisms to bridge assets: cross-chain bridges and routers. Cross-chain bridges first lock tokens in a secure multi-party computation (SMPC) address, then a smart contract mints the equivalent amount of wrapped assets on the destination chain into the user's wallet (lock-and-mint method, discussed below). Withdrawing assets is the exact opposite: burn the wrapped assets, and then the SMPC address releases the native tokens back to the user on the original chain. Importantly, no humans are involved in this process.
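The lock-and-mint flow above implies two checks a bridge monitor can run: every release from the custody address should be backed by a burn, and the custody balance should never fall below the wrapped supply. The following is an added example, not Multichain's code; the event fields and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (amounts in smallest token units); not real chain data.
SAMPLE_EVENTS = [
    {"kind": "lock",    "id": "t1", "token": "USDC", "amount": 1000},
    {"kind": "mint",    "id": "t1", "token": "USDC", "amount": 1000},
    {"kind": "burn",    "id": "t2", "token": "USDC", "amount": 400},
    {"kind": "release", "id": "t2", "token": "USDC", "amount": 400},
    # Custody outflow with no burn behind it: the case a monitor should alert on.
    {"kind": "release", "id": None, "token": "USDC", "amount": 600},
]

def reconcile(events):
    """Replay bridge events in order and return a list of (index, reason) alerts."""
    locked = defaultdict(int)    # native tokens held at the custody address
    wrapped = defaultdict(int)   # wrapped supply on the destination chain
    awaiting_mint = {}           # transfer id -> (token, amount) locked, not yet minted
    awaiting_release = {}        # transfer id -> (token, amount) burned, not yet released
    alerts = []
    for i, ev in enumerate(events):
        kind, tid, token, amt = ev["kind"], ev["id"], ev["token"], ev["amount"]
        if kind == "lock":
            locked[token] += amt
            awaiting_mint[tid] = (token, amt)
        elif kind == "mint":
            if awaiting_mint.pop(tid, None) != (token, amt):
                alerts.append((i, "mint without matching lock"))
            wrapped[token] += amt
        elif kind == "burn":
            wrapped[token] -= amt
            awaiting_release[tid] = (token, amt)
        elif kind == "release":
            if awaiting_release.pop(tid, None) != (token, amt):
                alerts.append((i, "release without matching burn"))
            locked[token] -= amt
        # Backing invariant: wrapped supply must always be covered by locked funds.
        if locked[token] < wrapped[token]:
            alerts.append((i, "custody balance below wrapped supply"))
    return alerts

if __name__ == "__main__":
    for index, reason in reconcile(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```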
MPCs
Multi-party computation (MPC) is a solution for securing data among several participants in a private manner. It allows many parties, each with their own private data, to verify the final computation without revealing their own secret portion of the data. Each participant in an MPC possesses a piece of confidential information. Typically, one entity owns one part of a cryptographic key that can move funds or change code.
MPCs shard a private key into many segments, with each individual possessing a portion of the private key. When signing a transaction, a subset of MPC nodes must independently sign the transaction and communicate it to the larger group. In order to sign transactions, each participant inputs their secret portion and a public input (the message to be signed) to generate a digital signature. Then, anyone with access to the public key should be able to validate and verify the signatures. Since the key shares are pooled and the signature is generated off-chain, an MPC wallet transaction cannot be distinguished from a typical private key wallet.
[Figure: An infographic showing multi-party computation wallets.]
Even if a bridging protocol has a limited quantity of relayer nodes, the relayers can be chosen at random from the pool of candidates to create the multi-party computing (MPC) group. To authorize a cross-chain transaction, the protocol can require a minimum number of relayers to come together and sign the message before any action can be taken. The greater the threshold of an MPC group, the less likely it is that relayer groups will collude.
Multichain uses this key architecture to secure its lock-and-mint (LaM) bridge. A decentralized SMPC node network runs the distributed signature algorithm, although the network consists of just 21 nodes. In practice, this makes Multichain a de facto multi-party custody system with federated validators. Each of these 21 nodes independently verifies the source chain’s status, and the nodes reach consensus on the verification results using the threshold-distributed signature algorithm. No complete private key is shared at any point in the bridging process because nodes don't share their private keys with each other. The nodes cannot reach consensus unless each node individually agrees. As a result, Multichain’s SMPC network guarantees correct results and can provide fast finality.
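The relationship between signing threshold and collusion risk described above can be quantified with a hypergeometric tail. The following is an added example, not taken from the report or from Multichain; the pool size of 21 is the node count given above, while the number of compromised nodes and the committee size are assumptions chosen for illustration.

```python
from math import comb

def collusion_probability(pool, compromised, committee, threshold):
    """Probability that a randomly drawn committee contains at least
    `threshold` compromised nodes (hypergeometric upper tail)."""
    total = comb(pool, committee)
    worst = min(committee, compromised)
    hits = sum(
        comb(compromised, k) * comb(pool - compromised, committee - k)
        for k in range(threshold, worst + 1)
    )
    return hits / total

def min_threshold(pool, compromised, committee, max_risk):
    """Smallest signing threshold whose collusion probability is at or
    below `max_risk`, or None if no threshold up to the committee size fits."""
    for t in range(1, committee + 1):
        if collusion_probability(pool, compromised, committee, t) <= max_risk:
            return t
    return None

if __name__ == "__main__":
    POOL = 21         # node count the report gives for Multichain's SMPC network
    COMPROMISED = 7   # assumption: nodes controlled by one colluding party
    COMMITTEE = 10    # assumption: relayers drawn at random per signing round
    for t in range(1, COMMITTEE + 1):
        p = collusion_probability(POOL, COMPROMISED, COMMITTEE, t)
        print(f"threshold {t:2d} of {COMMITTEE}: P(colluders can sign) = {p:.6f}")
    print("lowest threshold with risk <= 1%:",
          min_threshold(POOL, COMPROMISED, COMMITTEE, 0.01))
```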
Critical Bridge Design Differences
External vs. Native Verification
Blockchain bridges, a critical technology in the cryptocurrency world, have been under scrutiny due to concerns about their stability and security. These bridges, which facilitate the transfer of tokens between different blockchains, have seen a surge in popularity, but recent incidents have exposed their vulnerabilities, prompting a reevaluation of their design and implementation.
The Lock-and-Mint model of blockchain bridges has been particularly popular due to its simplicity, cost-effectiveness, and lack of liquidity requirements. However, this model relies on a set of external verifiers, making it susceptible to attacks. This vulnerability was starkly highlighted in the Ronin Network and Wormhole hacks, where flaws in the system were exploited, resulting in losses exceeding $2 billion.

[Figure omitted. Source: Xangle]
In response to these security breaches, the cryptocurrency community is shifting its focus towards native verification of cross-chain transactions. This approach requires each blockchain to develop custom validators that operate within the consensus mechanism of the other chain, eliminating the need for external verifiers. By doing so, it could prevent the kind of exploits that Lock-and-Mint bridges have experienced.
Two notable examples of this approach are Near's Rainbow Bridge and Cosmos's Inter-Blockchain Communication (IBC) protocol. The Cosmos IBC, in particular, has connected 53 independent blockchains to its ecosystem, enhancing customization and interoperability. Efforts are also underway to bring the Cosmos IBC to Ethereum.
However, the widespread adoption of native verification faces two significant hurdles. First, the user base of Near and Cosmos, which currently employ native verification, is smaller than that of Ethereum. Second, the cost of implementing native verification is high, and it slows down transaction speeds.
Despite these challenges, the shift towards native verification is a promising development in the quest for more secure and stable blockchain bridges. As the cryptocurrency community continues to innovate and refine this technology, we can expect to see further improvements in the security and efficiency of cross-chain transactions.
