Multichain - R3KT

So the rumours were true.

At least according to Multichain.

Multichain’s CEO, Zhaojun, has been in custody in China since May 21st.

...and he held all the keys.

Now, all devices with access to Multichain’s MPC wallets are allegedly in the hands of the Chinese authorities, except a single computer belonging to Zhaojun’s sister (who is now also said to be in custody).

Looks like Multichain’s docs weren’t telling the truth:

The SMPC nodes are run by different organisations, institutions and individuals

Not to mention being a beyond-embarrassing OPSEC disaster, such an irresponsible level of centralisation has completely paralysed a major piece of DeFi infrastructure.

The Fantom ecosystem depended heavily on multiAssets (for non-native USDC, USDT, DAI, wETH and wBTC), all of which have since depegged as the situation worsened.

Multichain’s recent troubles have turned Fantom into a ghost town…

How did we get here?

The rumours began on May 23rd, when a delayed upgrade resulted in the loss of functionality on certain bridging routes.

Suspicions of an insider dumping tokens and an ambiguous translation of a Chinese-language tweet led to panic that the entire TVL of Multichain may have been compromised.

But with no clarification from Multichain, who explained it away as “force majeure”, the panic quickly subsided as the bridges remained operational, with fixes being implemented on the remaining routes.

However, as described in today’s statement:

Zhaojun's family only allowed Multichain team engineers physical access to the home computer to fix technical issues with Router2 and Router5.

But access was never handed over to other team members, who were told that:

Zhaojun would be released soon and [were] asked to continue maintaining the system and await further updates.

But then came the 9-figure wake-up call.

And then another, a few days later.

Something was clearly very wrong.

The two withdrawals of $126M on the 6th (~$65M since frozen) and $103M on the 10th of July were, if the team is to be believed, first a hack (“from an IP address in Kunming”) and then a rescue operation.

However, with the depegging of Fantom-based assets (down 80-90%), the $103M is worth just $69M at the time of writing.

Another wallet, also said to contain funds rescued by Zhaojun’s sister, holds approximately $75M.

Today’s bombshell breaks the radio silence maintained by the team since July 7th, when the previous incident was left unexplained.

Or perhaps the whole thing is a fantasy, and Multichain is just another rug, albeit with more of a penchant for storytelling than the industry standard.

Either way, Multichain is again urging users not to interact with the contracts, and hoping that the front end will be taken down, as they don’t have access to the domain account, either.

The fallout from this catastrophe has mostly affected one chain, Fantom, and its users who had been reassured by the Fantom Foundation itself.

In an attempt to avoid an FTM-exodus amongst the rumours, the Foundation reassured users with the following on June 1st:

Fantom uses the regular bridge and router 1. Multichain’s CEO does not have admin control over either.

His absence has no impact on Fantom's assets and bridging. They are just as safe as they were before.

However, they must have known something was wrong, as partnerships with LayerZero (who are now doing victory laps) and Axelar went live on July 6th, the very same day that $126M went missing from Multichain.

If the Fantom Foundation had enough doubts to whip up bridging partnerships with two providers, why would they risk going to bat for Multichain like that?

And if they knew something was wrong, why did they blatantly throw their own users under the bus?

It seems unthinkable that an entire ecosystem would trust its bridging infra to a single provider, especially after that provider had been hacked two years before and no viable alternative had been set up.

The real victims here are Fantom users, following a fallen idol onto a chain with no escape route, whilst being assured all would be fine…

Geist, Fantom’s Aave fork, has already announced it will be shutting down, as it relies on Chainlink price feeds for the native assets, which don’t reflect the depegged multiTokens.

How many more projects will haunt the ghost chain by the time the dust settles?

While Multichain’s off-chain security set-up is unforgivable, it’s hard to believe that the project underwent eight audits, none of which covered the security practices behind the contract code.

It may not be within the scope of a typical audit but, as Mikko Ohtamaa points out:

If security research teams think they are gods that are "very busy" and should be fed massive amounts of dollars for the shit they produce, then they deserve to be called out as snakeoil sellers, not security sellers.

As a community we must demand a more holistic approach from auditors; a Solidity checklist is not enough, and they know it.

But while the test-in-prod-from-idolised-devs era still has its followers, it pays to take shortcuts.

As we have said before:

Put your faith in idols and you will get rekt.

Yearn (and again), CREAM (and again), Anyswap (renamed to Multichain), and many more have all made it to the leaderboard.

And now Fantom looks to be rekt by proxy…

Coincidence or the Cronje Curse?
