In July 2023, the crypto world was rocked by the Multichain hack, which resulted in the loss of an estimated $126 million in various tokens, including DAI, LINK, USDC, WBTC, and wETH. This incident served as a stark reminder of the pressing need for robust security measures in the Web3 ecosystem. The hack, which impacted multiple bridges, raised questions about the safety of cross-chain protocols and the vulnerabilities inherent in centralized control structures. This deep dive covers the details of the Multichain hack, explores possible causes, and highlights lessons learned for bolstering Web3 security.
The Multichain Hack: A Mystery Unraveled
The hack occurred on July 6, 2023, when an unknown attacker successfully withdrew more than $125 million in various tokens from Multichain bridges. The impacted tokens included DAI, LINK, USDC, WBTC, and wETH. The attack was one of the largest crypto hacks on record, leaving many participants perplexed and concerned.
Following the attack, Multichain promptly advised its users to cease using the service and revoke any existing approvals. The company labeled the transfers as “unauthorized,” indicating that malicious actors had exploited a vulnerability in the system. However, the exact method used to execute the hack remained unclear, leaving the crypto community puzzled.
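Acting on the advice to revoke existing approvals requires knowing which ones are still open. As an added example (not code from Multichain or from the original article), the Python below rebuilds a wallet's outstanding ERC-20 allowances toward a given spender from standard Approval event logs; every address and log entry in it is a constructed placeholder.

```python
# Added example: find ERC-20 approvals a wallet still has open toward a spender.
# Every address and log entry below is constructed sample data, not chain data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, risky_spenders):
    """Map (token, spender) -> allowance for nonzero approvals from owner to
    any address in risky_spenders, taking the latest Approval per pair."""
    owner = owner.lower()
    risky = {s.lower() for s in risky_spenders}
    latest = {}
    # Replay in chain order so a later approve() or revoke overrides earlier ones.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has exactly 3 topics (ERC-721 reuses the name with 4).
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        spender = topic_to_address(topics[2])
        if spender in risky:
            latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {pair: amount for pair, amount in latest.items() if amount > 0}

# --- constructed sample input ---
OWNER, BRIDGE, OTHER = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
TOKEN_A, TOKEN_B = ("0x" + b * 20 for b in ("d4", "e5"))
UNLIMITED = "0x" + "f" * 64

def make_log(token, spender, data, block, index):
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"address": token, "data": data, "blockNumber": block,
            "logIndex": index, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender)]}

SAMPLE_LOGS = [
    make_log(TOKEN_B, BRIDGE, "0x0", 150, 1),        # later revoke of TOKEN_B
    make_log(TOKEN_A, BRIDGE, UNLIMITED, 100, 0),    # unlimited, never revoked
    make_log(TOKEN_B, BRIDGE, hex(5000), 101, 2),    # limited approval
    make_log(TOKEN_A, OTHER, UNLIMITED, 120, 0),     # unrelated spender
]

if __name__ == "__main__":
    for (token, spender), amount in outstanding_approvals(
            SAMPLE_LOGS, OWNER, [BRIDGE]).items():
        print(f"revoke: token {token} -> spender {spender} allowance {amount}")
```

Many tokens lower the allowance on transferFrom without emitting Approval, so treat the result as an upper bound and confirm with the token's allowance() call before and after revoking.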
Speculations
As the investigation into the Multichain hack unfolded, various theories emerged regarding its cause. One leading theory pointed to a potential compromise of the private keys used to approve transactions traveling over the bridge. If true, this highlights the critical importance of securing private keys, as they serve as the gatekeepers to users’ funds.
Another concerning aspect that surfaced during the investigation was the issue of centralization of power within the organization. The absence of Multichain’s CEO, who went missing a month prior to the hack, raised questions about the risks associated with centralizing control in a single individual. A decentralized approach to governance could potentially reduce such risks and create a more resilient ecosystem.
Inside the Attack:
While the exact cause of the hack remains unknown, one theory suggests that the attacker compromised the private keys used to approve transactions across the bridges. This hypothesis is supported by the fact that multiple bridges were affected, and there were no apparent vulnerabilities discovered during the smart contract audits.
Suspicion of an Inside Job:
The hack raised suspicions of being an inside job or rug pull, as the Multichain protocol had been facing various issues prior to the attack. The CEO, known by the alias Zhaojun, had gone missing earlier, leading to speculation about his alleged arrest in China and the confiscation of significant funds from the protocol’s smart contracts. Such incidents point to potential security risks associated with centralization of power within a single individual.
Aftermath and Multichain’s Response:
Following the hack, the Multichain team announced on Twitter that the company would cease operations due to their inability to access the platform and the suspicious activities surrounding the incident. The team was unable to contact the arrested CEO and lost access to the platform’s MPC keys, leading to limited operational capacity. Consequently, the company’s MULTI token experienced a decline of approximately 12%.
Lessons Learned: Enhancing Web3 Security
The Multichain hack appears to have been the result of compromised keys rather than faulty code. Even so, reputable audit reports often explicitly identify which parts of a protocol are controlled by external addresses and are therefore vulnerable to private key theft, which may help users better assess risk. Users of any protocol can also conduct their own research before they transact.
The incident also underscores the need to prioritize decentralization, ensuring that no single point of failure exists within the ecosystem. Distributed control and decision-making can significantly reduce the impact of potential security breaches.
Circle and Tether Blacklist Over $67M of Stolen Funds
Stablecoin issuers Tether and Circle have blacklisted five addresses that received part of the $126 million in stolen funds. These firms froze $67.5 million worth of USDC and USDT, representing about 50% of the funds stolen from the cross-chain protocol.
Blockchain security firm PeckShield reported that Circle blacklisted three addresses that received funds flowing out of Multichain. The three addresses, 0x027F1, 0xefEeF, and 0x48BeA, held $65 million in USDC.
Key Learnings
The Multichain hack of July 2023 was a stark reminder of the constant threat that the Web3 ecosystem faces from malicious actors. The incident underscored the urgency for comprehensive security measures, including smart contract auditing, decentralization of power, and collaboration with professional security firms.
As the Web3 landscape continues to evolve, the industry must remain vigilant and proactive in addressing security challenges. By learning from past incidents like the Multichain hack and implementing the lessons gained, the community can build a more secure, trustworthy, and resilient future for decentralized finance and blockchain technology.