The Multichain hack could potentially be a “rug pull,” as an additional $103 million in funds were recently drained.
Multichain, which is described as a cross-chain bridge protocol, reportedly saw another $103 million transferred to other blockchain addresses. This, according to security company Beosin.
This past week, the bridge protocol, previously operating as Anyswap, was drained of around $125 million in one of the largest crypto-related hacks/security breaches.
Blockchain firm Chainalysis has indicated that the recent exploit was a “hack or rug pull by insiders,” with industry participants now confused.
Multichain has been locked since May of this year because of technical issues, with users currently unable to complete transfers. The major exploit/security breach is reportedly due to the project administrator’s keys being compromised (or there’s the possibility they could have been used by the administrator directly, which led security professionals and crypto analysts to conclude that it might be a sophisticated rug pull).
As widely reported, Multichain CEO Zhaojun has also gone missing, further contributing to the evidence.
It’s worth noting that in the crypto space, a rug pull is the term used to refer to a situation where blockchain developers secure capital in order to work on an initiative. However, they end up abandoning their so-called project and simply run off with investors’ money.
As explained in a detailed blog post by Chainalysis, on July 6, 2023, cross-chain bridge protocol Multichain had “experienced unusually large, unauthorized withdrawals in what appears to be a hack or rug pull by insiders, leaving many ecosystem participants perplexed.”
Multichain’s recent exploit, which “resulted in losses of more than $125 million, is one of the biggest crypto hacks on record.”
Cross-chain bridge protocols “have proven lucrative targets for hackers, largely due to their experimental designs and the fact that they generally have large, centralized repositories of assets bridged by users to other blockchains.”
However, Multichain has recently “experienced some notable issues unrelated to its protocol design, which have prompted public suspicions that this recent exploit may have been carried out by insiders.”
As widely reported, more than $125 million worth of cryptocurrency was “withdrawn from Multichain, with nearly $120 million of that total coming from Multichain’s Fantom bridge. Assets taken from the protocol include wrapped Ether (wETH), wrapped Bitcoin (wBTC), and USDC.”
Additionally, the attacker “withdrew $666,000 from the Dogecoin bridge — resulting in a loss of 85% of total deposits — and $6.8 million from the Moon River bridge, which included funds in USDC and Tether.”
Chainalysis concluded:
“Although cross-chain bridge exploits can be difficult to predict, there may be several methods to mitigate risk and prevent similar exploits from occurring. One way is through rigorous code audits to help developers standardize projects and investors evaluate protocol viability. While the Multichain hack appears to have been the result of keys being compromised rather than faulty code, reputable audit reports often explicitly identify which parts of protocols are controlled by external addresses and therefore vulnerable to private key theft, which may help users better assess risk. Additionally, users of any protocol are able to conduct research before they transact.”