{"id":8530,"date":"2023-08-06T11:27:00","date_gmt":"2023-08-06T11:27:00","guid":{"rendered":"https:\/\/www.trustrecipe.in\/?p=8530"},"modified":"2023-09-27T08:02:13","modified_gmt":"2023-09-27T08:02:13","slug":"multichain-security-breach-july-7-2023-detailed-analysis","status":"publish","type":"post","link":"https:\/\/immunebytes.com\/blog\/multichain-security-breach-july-7-2023-detailed-analysis\/","title":{"rendered":"Multichain Security Breach &#8211; July 7, 2023 &#8211; Detailed Analysis"},"content":{"rendered":"\n<p>The DeFi sector faced a major setback with a security breach in Multichain, previously known as Anyswap. <\/p>\n\n\n\n<p>On July 7, 2023, the hackers illicitly transferred vast sums from several token bridges, totaling approximately $126 million across chains like Fantom, Moonriver, and Dogecoin.<\/p>\n\n\n\n<p>This incident, which ranks as the 14th largest crypto theft in history, not only underlined vulnerabilities in Multichain but also destabilized other ecosystems reliant on it. <\/p>\n\n\n\n<p>The repercussions were felt with the de-pegging of stablecoins and affected ecosystems, even as investigations continue and the community hopes for asset recovery through potential negotiations with the hacker.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Introduction<\/h3>\n\n\n\n<p>The DeFi sector has been rocked by a considerable security breach involving Multichain, a prominent cross-chain protocol formerly known as Anyswap. <\/p>\n\n\n\n<p>A staggering sum of ~$126M was unlawfully siphoned from multiple token bridges, raising serious questions about cross-chain transaction security. 
<\/p>\n\n\n\n<p>Some suspect it to be a rug pull, while others believe the Lazarus group of North Korean hackers may be behind the hack.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Timeline and Details of the Breach<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Early Indications &amp; Team&#8217;s Response:<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Anomalies in Multichain&#8217;s contracts were the primary indicators of the exploit. Approximately $130 million in assets were shifted to an unknown account.<\/li><li>On <strong>July 7th<\/strong>, hackers targeted Multichain, resulting in a theft of $126 million across chains like Fantom, Moonriver, and Dogecoin. This theft represented roughly 9% of the Total Value Locked (TVL) before the breach, making it the 14th largest theft in crypto history.<\/li><\/ul>\n\n\n\n<p><strong>Timeline<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>4:21 PM UTC: First suspicious transaction detected. Txn: https:\/\/bit.ly\/3O5vBzL<\/li><li>6:33 PM UTC: ~30M WBTC and assets withdrawn from Multichain bridge. Txn: https:\/\/bit.ly\/3D2q9an<\/li><li>7:35 PM UTC: LayerZero confirms no direct involvement in the hack.<\/li><li>7:46 PM UTC: Multichain Moonriver bridge starts draining. Txn: https:\/\/t.ly\/L-Zq<\/li><li>8:05 PM UTC: Multichain Dogechain bridge targeted, assets drained. Txn: https:\/\/t.ly\/Ma8e<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Breakdown of Stolen Assets<\/h3>\n\n\n\n<p>The Fantom Bridge suffered the most, with losses totaling $122 million. 
<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-regular\"><div class=\"pcrstb-wrap\"><table><tbody><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>Stolen Asset<\/strong><\/td><td><strong>Current Valuation<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">57.8 million USDC<\/td><td>$57.8M<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">1.024k WBTC<\/td><td>$26.7M<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">7.214k WETH<\/td><td>$11.9M<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">4.178 million DAI<\/td><td>$4.1M<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">491.657k LINK<\/td><td>$2.93M<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">910.654k UNIDX<\/td><td>$1.8M<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">1.493 million USDT<\/td><td>$1.5M<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">9.674 million WOO<\/td><td>$1.76M<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">1.297 million ICE<\/td><td>$869K<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">1.362 million CRV<\/td><td>$611K<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">134.48 TFI<\/td><td>$3<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">502.4k TUSD<\/td><td>$502.4K<\/td><\/tr><\/tbody><\/table><\/div><\/figure>\n\n\n\n<p>Other bridges hit were Multichain&#8217;s Moonriver and Dogecoin contracts. 
The total assets stolen from Multichain Bridge amounted to $126.3 million.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Addresses Linked to the Breach<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<ul class=\"wp-block-list\"><li>0x9d5765ae1c95c21d4cc3b1d5bba71bad3b012b68 &#8212; ($16.7M including DAI, LINK, USDT, and CRV)<\/li><li>0xefeef8e968a0db92781ac7b3b7c821909ef10c88 &#8212; $30.1M in USDC<\/li><li>0x418ed2554c010a0c63024d1da3a93b4dc26e5bb7 &#8212; $13.4M in wETH<\/li><li>0x622e5f32e9ed5318d3a05ee2932fd3e118347ba0 &#8212; $30.9M in wBTC<\/li><li>0x48bead89e696ee93b04913cb0006f35adb844537 &#8212; $7.5M in USDC, USDT, DAI, and wBTC from Moonriver<\/li><li>0x027f1571aca57354223276722dc7b572a5b05cd8 &#8212; $27.7M in USDC<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"481\" src=\"https:\/\/www.trustrecipe.in\/wp-content\/uploads\/2023\/08\/multichain-hack-July-7-2023-1024x481.png\" alt=\"\" class=\"wp-image-8531\" srcset=\"https:\/\/immunebytes.com\/blog\/wp-content\/uploads\/2023\/08\/multichain-hack-July-7-2023-1024x481.png 1024w, https:\/\/immunebytes.com\/blog\/wp-content\/uploads\/2023\/08\/multichain-hack-July-7-2023-300x141.png 300w, https:\/\/immunebytes.com\/blog\/wp-content\/uploads\/2023\/08\/multichain-hack-July-7-2023-768x361.png 768w, https:\/\/immunebytes.com\/blog\/wp-content\/uploads\/2023\/08\/multichain-hack-July-7-2023-1536x722.png 1536w, https:\/\/immunebytes.com\/blog\/wp-content\/uploads\/2023\/08\/multichain-hack-July-7-2023-1170x550.png 1170w, https:\/\/immunebytes.com\/blog\/wp-content\/uploads\/2023\/08\/multichain-hack-July-7-2023-585x275.png 585w, https:\/\/immunebytes.com\/blog\/wp-content\/uploads\/2023\/08\/multichain-hack-July-7-2023.png 1600w\" sizes=\"auto, (max-width: 1024px) 
100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">The Aftermath of the Exploit<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>On July 14th, an update was provided. The CEO, Zhaojun, was detained by Chinese authorities, leading to loss of access to vital operational servers and funds. Subsequent issues, including Zhaojun&#8217;s sister&#8217;s detainment, compounded the crisis.<\/li><li>The team has since urged users not to use the Multichain service and to amplify this message.<\/li><\/ul>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">The Impact on Other Ecosystems<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Direct and Ripple Effects<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Stablecoins on Fantom, Moonriver, and Dogechain have suffered severe de-pegging. On Fantom: fUSDC is now at $0.56, fUSDT at $0.39, and fDAI at $0.38.<\/li><li>Kava, Conflux, and ETHW, though not directly affected by the hack, are facing stability issues due to reliance on cross-chain assets issued by Multichain.<\/li><li>Many DEFI whales on Fantom are converting their assets into FTM and depositing them into exchanges, exacerbating the de-pegging of stablecoins on Fantom.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Historical Perspective<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Multichain, previously Anyswap, has suffered multiple attacks in the past. An approval-draining attack in 2022 led to a loss of $3 million. This recent exploit is among the most severe attacks of July 2023.<\/li><li>The massive thefts from Ronin Network in 2022 and Poly Network in 2021 underscore the risks associated with the cross-chain bridges. 
It&#8217;s also worth noting that the North Korean group Lazarus has allegedly been involved in several attacks.<\/li><li>While Multichain once declared itself a &#8220;leader in terms of security,&#8221; it now stands as a testament to the unpredictable and high-risk nature of the cryptocurrency industry.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Investigation &amp; Current Status<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>The suspected cause of the breach is a loss of control over the MPC address by the Multichain team. As of now, there&#8217;s no definitive explanation.<\/li><li>Circle, the issuer of USDC, froze $63 million linked to the breach.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Positive Aspects &amp; Future Prospects<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Assets worth 63.2 million USDC and 2.53 million USDT have been frozen by Circle and Tether within 24 hours of the incident.<\/li><li>The stationary nature of the stolen funds suggests potential negotiations with the hacker, possibly allowing for some asset recovery.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Precautionary Measures<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Users should verify the status of cross-chain bridges through official channels and project explorers before initiating transactions.<\/li><li>Approve only intended transfer amounts and ensure investments remain within an acceptable loss range.<\/li><li>In case of future breaches, revoke contract authorizations swiftly and liaise with project teams.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion<\/h3>\n\n\n\n<p>The Multichain breach highlights the inherent vulnerabilities of cross-chain bridges in the evolving cryptocurrency landscape. 
<br><br>While they play a crucial role in ensuring interoperability, their increasing susceptibility to attacks underscores the urgent need for enhanced security, <a href=\"https:\/\/immunebytes.com\/blog\/smart-contract-audit\/\" title=\"\">regular audits<\/a>, and overall transparency in design and operation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The DeFi sector faced a major setback with a security breach in Multichain, previously known as Anyswap. On July 7,&hellip;<\/p>\n","protected":false},"author":2,"featured_media":8546,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[6,679],"tags":[],"class_list":["post-8530","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-crypto-hacks-exploits","category-web3-security"],"_links":{"self":[{"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/posts\/8530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/comments?post=8530"}],"version-history":[{"count":2,"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/posts\/8530\/revisions"}],"predecessor-version":[{"id":8788,"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/posts\/8530\/revisions\/8788"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/media\/8546"}],"wp:attachment":[{"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/media?parent=8530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/categories?post=8530"},{"taxono
my":"post_tag","embeddable":true,"href":"https:\/\/immunebytes.com\/blog\/wp-json\/wp\/v2\/tags?post=8530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}