Cross-chain router protocol Multichain appears to have been exploited, with losses exceeding $126 million at the time of writing.
— PeckShieldAlert (@PeckShieldAlert) July 6, 2023
On-chain data shows that more than $102 million worth of crypto was withdrawn from Multichain’s Fantom bridge contract on Ethereum. This included $31 million in Wrapped Bitcoin (WBTC), $13.6 million in Wrapped Ether (WETH) and $58 million in USDC. The exploiter’s wallet address held over $126 million at the time of writing.
The lockup assets on the Multichain MPC address have been moved to an unknown address abnormally.
The team is not sure what happened and is currently investigating.
It is recommended that all users suspend the use of Multichain services and revoke all contract approvals…
— Multichain (Previously Anyswap) (@MultichainOrg) July 6, 2023
The Multichain team tweeted that they were unsure of what had happened, urging users to suspend all use of its services and revoke contract approvals for the time being.
“It appears that activity has stopped. However, with multiple bridges all being drained, this looks more like a hack or rugpull and less like a migration,” said blockchain security firm SlowMist.
SlowMist highlighted the first suspicious transaction which took place at 4:21 pm UTC, where just $2 in USDC was withdrawn from the Multichain Fantom bridge. Two hours later, the hacker drained $31 million WBTC, and an hour later began to subsequently drain the Multichain Moonriver bridge and the Multichain Dogechain bridge.
“This exploit appears to be the result of a private key compromise, and as such falls outside the scope of the audits we conducted,” said blockchain security firm Certik, which audited Multichain twice and did not raise any critical issues with its codebase.
In May, Unchained reported that Multichain had lost access to some of its servers because the team had lost contact with its CEO Zhaojun. Many believe that Zhaojun was arrested in China last month.