The team responsible for the cross-chain protocol has confirmed that assets on the MPC bridge were transferred to an undisclosed address, but they remain uncertain about what exactly transpired. Multichain, the cross-chain router protocol, appears to have fallen victim to an exploitation incident, resulting in losses exceeding $126 million at present.
On-chain data reveals that over $102 million worth of cryptocurrency was withdrawn from Multichain's Fantom bridge contract on Ethereum. The funds included $31 million in Wrapped Bitcoin (WBTC), $13.6 million in Wrapped Ether (WETH), and $58 million in USDC. As of now, the exploiter's wallet address contains more than $126 million.
The lockup assets on the Multichain MPC address have been moved to an unknown address abnormally.— Multichain (Previously Anyswap) (@MultichainOrg) July 6, 2023
The team is not sure what happened and is currently investigating.
It is recommended that all users suspend the use of Multichain services and revoke all contract approvals…
Expressing uncertainty about the situation, the Multichain team posted a tweet urging users to halt all utilization of its services and revoke contract approvals temporarily.
Blockchain security firm SlowMist commented on the incident, stating, "It appears that activity has ceased. However, given that multiple bridges have been drained, this seems more like a hack or rugpull and less like a migration."
SlowMist drew attention to the initial suspicious transaction, occurring at 4:21 pm UTC, where a mere $2 in USDC was withdrawn from the Multichain Fantom bridge. Two hours later, the hacker withdrew $31 million worth of WBTC, and an hour after that, they began to drain the Multichain Moonriver bridge and the Multichain Dogechain bridge.
Blockchain security firm Certik, which conducted two audits of Multichain's codebase without raising any critical concerns, stated, "This exploit seems to be the result of a compromise of private keys, which falls outside the scope of the audits we conducted."
In May, Unchained reported that Multichain had lost access to some of its servers due to a lack of communication with its CEO, Zhaojun. There is speculation that Zhaojun was arrested in China last month.