Analysis of Multichain Hack: A Mysterious Theft Case? Involving Approximately $126 Million in Funds

According to Beosin EagleEye, a security risk monitoring, warning, and blocking platform under blockchain security audit company Beosin, Multichain, a cross-chain bridge project, was attacked on July 6, involving approximately $126 million in funds.

Multichain was formerly known as Anyswap. Public information shows that Anyswap was founded in July 2020 and was initially positioned as a cross-chain DEX. However, based on the development of the project, Anyswap has gradually shifted its focus to asset cross-chain and weakened the trading function of DEX.

This is not the first time that Multichain has been attacked. This cross-chain project has been coveted by hackers several times before, but this attack is shrouded in mystery. According to the analysis of on-chain transaction details and transaction logs, the stolen coins in this attack did not come from contract vulnerabilities, but were full of layers of mysteries.

Basic situation of the event

Starting at 14:21 UTC on July 6, the “hacker” began attacking the Multichain bridge and calmly transferred about $126 million in assets from Multichain: Fantom Bridge (EOA) and Multichain: Moonriver Bridge (EOA) to the following six addresses for sedimentation within three and a half hours:







According to Beosin KYT/AML tracking, the flow of stolen funds and the time relationship are shown in the following figure:

According to on-chain records, the initial suspicious transaction 0xde3eed5656263b85d43a89f1d2f6af8fde0d93e49f4642053164d773507323f8 was followed by a large amount of asset transfers, including the transfer of 4,177,590 DAI, 491,656 LINK, 910,654 UNIDX, 1,492,821 USDT, 9,674,426 WOO, 1,296,990 ICE, 1,361,885 CRV, 134 YFI, 502,400 TUSD from Multichain’s Fantom bridge to the suspicious address 0x9d57***2b68; transfer of 27,653,473 USDC to the suspicious address 0x027f***5cd8; transfer of 30,138,618 USDC to the suspicious address 0xefee***0c88; transfer of 1,023 WBTC to the suspicious address 0x622e***7ba0; transfer of 7,214 WETH to the suspicious address 0x418e***5bb7.

And transferred 4,830,466 USDC, 1,042,195 USDT, 780,080 DAI, and 6 WBTC from Multichain’s Moonriver bridge to the suspicious address 0x48Be***4537. In addition, 666,470 USDC was transferred from the suspected Multichain Dogechain bridge address 0x55F0***4088 to the suspicious address 0x48Be***4537.

Second, some suspicious parts of this security incident

According to the analysis of on-chain transaction details and transaction logs, the stolen coins in this theft did not come from contract vulnerabilities, but from account addresses, and the stolen behavior was only the most basic on-chain transfer.

Among the multiple stolen transactions, there is no common feature found, the only common point is that all transfers were made to blank addresses (there were no transactions or handling fees before the transfer), and the time interval between each transaction varied from a few minutes to more than ten minutes. The shortest time interval for transfers to the same address was one minute, which can roughly rule out that the ‘hackers’ stole coins in batches through script or program vulnerabilities.

When transferring to different addresses, the time interval is also relatively long. It is suspected that the hacker may have created the addresses temporarily when stealing coins and backed up information such as the private key. There are a total of six suspicious addresses, and 13 types of stolen coins. It is not ruled out that multiple people were involved in the entire incident.

Third, speculation on the hacker’s theft method

For the various behaviors mentioned above, we speculate that the hacker stole coins through the following methods:

1. Penetrated the background of Multichain, obtained the entire project’s permission, and transferred funds through the background to their own newly created account.

2. Through hacking the project party’s equipment, the hacker obtained the private key of the address and directly transferred funds through the private key.

3. Multichain internal operation, transferring funds and making profits through the excuse of hacker attacks. After being attacked by hackers, Multichain did not immediately transfer the remaining assets of the address, and announced the cessation of service more than ten hours later. The project party’s response speed was too slow. The hacker’s transfer behavior was also very casual, not only with large transfers, but also with small transfers of 2 USDT. The entire time span was large, and the possibility of the hacker having the private key was extremely high.

Fourth, what are the security issues facing cross-chain protocols?

Concerns about the security of cross-chain bridges were once again raised following the recent hacking of the Poly Network cross-chain bridge project, in which hackers used forged credentials to withdraw funds from cross-chain bridge contracts on multiple chains.

According to research by Beosin Security Team, cross-chain bridges face the following security challenges:

Incomplete cross-chain message verification.

When checking cross-chain data, cross-chain protocols should include contract addresses, user addresses, amounts, chain IDs, and more. For example, in the pNetwork security incident, failure to verify the contract address of an event record allowed the attacker to forge a Redeem event to withdraw funds, resulting in a total loss of approximately $13 million.

Disclosure of validator private keys.

Currently, most cross-chain bridges still rely on validators to execute cross-chain transactions. If the private key is lost, it could threaten the assets of the entire protocol. For example, the Ronin sidechain lost $600 million due to the fact that four validators and one third-party validator of Ronin were controlled by attackers using social engineering to withdraw protocol assets at will.

Signature data reuse.

This mainly refers to the reuse of withdrawal credentials to withdraw funds multiple times. For example, in the Gnosis Omni Bridge security incident, the hard-coded Chain ID allowed hackers to use the same withdrawal credentials to withdraw the corresponding locked funds on the forked ETH chain and the ETHW chain, resulting in a total loss of approximately $66 million.

Therefore, we also recommend that cross-chain project teams pay attention to security risks and conduct security audits.

Like what you're reading? Subscribe to our top stories.

We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!

Follow us on Twitter, Facebook, YouTube, and TikTok.


Was this article helpful?

93 out of 132 found this helpful

Gambling Chain Logo
Digital Asset Investment
Real world, Metaverse and Network.
Build Daos that bring Decentralized finance to more and more persons Who love Web3.
Website and other Media Daos

Products used

GC Wallet

Send targeted currencies to the right people at the right time.