Multichain (MULTI), a cross-chain protocol, has halted its services today due to the detection of abnormal fund movements from its MPC address. Blockchain security firm Peckshield reported that Multichain fell victim to an exploit, resulting in a loss of $126 million. The attacker managed to transfer funds from Multichain’s Fantom (FTM) and Moonriver (MOVR) bridge.
In response to the incident, Multichain has advised its users to revoke all approvals associated with the protocol. The Fantom Foundation stated that they are currently evaluating the situation and will provide an update once they have more information to share. Although Multichain has not disclosed the specifics of the exploit, initial reactions from the community suggest a potential compromise of the protocol’s private key. CertiK, the smart contract auditor for Multichain, linked the attack to a compromise of the private key, noting that this was beyond the scope of their previous audit. On-chain investigator Loki Zeng supported this perspective, mentioning that the asset transfer occurred over an extended period and speculating that the attacker might have gained complete control over the protocol’s private key fragments that exceeded the threshold.
Web3 Knowledge Graph Protocol 0xScope revealed that the impact of the exploit extends to other chains such as Kava, Dogechain, Conflux, and ETHW. The firm also noted that multiple stablecoin assets across these chains have lost their peg. Additionally, Daniele Sestagalli from the ICE crypto project announced that the team has decided to burn $1.85 million worth of ICE tokens affected by the exploit. The burned tokens will be airdropped to Fantom Multichain users as a new token called WAGMI.
Following the attack, Multichain’s MULTI token experienced a significant decline of over 16%, reaching $2.60 at the time of writing, according to data from CryptoSlate. This exploit has compounded the protocol’s existing issues, as it has encountered several challenges recently. In May, the Multichain team lost contact with CEO Zhao Jun amidst rumors of his arrest in China. Coincidentally, the protocol also experienced a failed upgrade of its cross-chain bridge during the same period, with the team attributing the unavailable routes to a “force majeure” situation. Adding to the protocol’s recent troubles, Binance has suspended support for eight bridged tokens from the Multichain cross-chain protocol until further notice.