Multichain Protocol secretly restarts to another $1 million exploit
protos.com 03 November 2023 11:44, UTC
On November 1, the Multichain Protocol resumed operations for the first time in nearly four months. Validators confirmed its first transactions since a June 2023 exploit that drained a stunning $120 million and shuttered the entire project. Tragically, users immediately suffered another $1 million exploit.
In the initial days after the June hack, some Multichain believers considered the possibility that administrators had removed stablecoins and other liquidity pools to protect the protocol. Naturally, investigators doubted that protocol administrators would drain liquidity from cross-blockchain bridges to safeguard user funds.
Eventually, administrators admitted the breach. Yes, someone had stolen the funds.
Unfortunately, thieves continue to steal from Multichain users. When Multichain Protocol resumed this week, near-riskless arbitrage opportunities lasted for hours. Someone extracted $1 million in a simple cross-chain arbitrage trade that emerged from Multichain’s restoration of service.
Despite four months to prepare for a relaunch, developers clearly didn’t sufficiently test the protocol to protect regular users.
A few minutes after the $1 million theft, the protocol ceased operating yet again.
Multichain Protocol’s secretive relaunch
Formerly known as Anyswap, Multichain’s block explorer showed transactions clearing from a long queue earlier this week. Some users have indicated that their transactions were still pending. For example, one Bitcoin-to-Polygon transaction failed.
Everyone wondered why the protocol never provided advance notice.
Yesterday, security researchers at Cyvers Alerts clarified that most four-month-old transactions remain queued. Recent transactions seemed to gain priority.
Many users were understandably wary of the unannounced protocol restart. Multichain’s X account said nothing about the relaunch. Before operations resumed, Multichain’s most recent post to X was from October 5.
For context, Multichain’s former CEO and co-founder, known only as Zhaojun, vanished in May 2023 amid claims that Chinese authorities had arrested him. Chinese authorities also arrested several Multichain developers and Zhaojun’s sister. Authorities confiscated computers, hardware wallets, mnemonic phrases, and a multi-party computation wallet critical to Multichain’s operations. Multichain later admitted the incident.
1. On May 21, 2023, Multichain CEO Zhaojun was taken away by the Chinese police from his home and has been out of contact with the global Multichain team ever since. The team contacted the MPC node operators and learned that their operational access keys to MPC node servers had…
— Multichain (Previously Anyswap) (@MultichainOrg) July 14, 2023
Multichain finally admits in July what users had suspected since May.
Circle blacklisted three addresses that received USDC from the hack. Binance Smart Chain paused deposits from some compromised Multichain wallets. Although helpful, these actions were not enough to save users from massive losses.
Relaunched into another $1 million exploit
It remains unclear who relaunched the protocol this week, who stole the liquidity, and who re-stopped operations after the $1 million theft.
Obviously, someone with private keys to the multi-party computation contracts restarted it. Zhaojun was supposedly the only person who could have accessed those contracts, but perhaps he shared (or lost) keys subsequent to his May arrest by Chinese authorities.
Browser extensions like MetaMask still publish a warning about the June exploit to users connecting to the Multichain Protocol. MetaMask advises using caution when connecting to its front-end website or protocol.
In summary, someone temporarily restored Multichain Protocol’s functionality, allowing a million-dollar arbitrage trade to clear. The restart also allowed some recent transactions to go through, which would make sense if somebody has access to the core protocol’s multi-party computation wallet.
Multichain Protocol did not alert users about the relaunch, and has said little about it on its official social media accounts. Its latest post to X is from October 5.