Tens of millions of dollars withdrawn from Multichain on Fantom in possible exploit

Tens of millions of dollars of tokens have been withdrawn from the Multichain bridge on the Fantom network, with security firms speculating that it may be a security breach.

The tokens moved include $58 million of the stablecoin USDC, 1,020 wrapped bitcoin ($30.9 million), 7,200 wrapped ether ($13.7 million) and $4 million of the stablecoin DAI. It also included further tokens like Chainlink, Curve DAO, YFI, Wootrade Network and nearly a quarter of the total supply of UniDex.

Assets also appear to be moving on Multichain's Moonriver bridge, including $4.8 million of USDC and $1 million of USDT.

Dog-themed blockchain Dogechain has also seen a sudden movement of funds with at least $660,000 of USDC sent to the same destination wallet that was used in the movement of funds from Moonriver.

So far none of the funds have been transferred beyond the wallets they were initially moved to. They haven't been sold or transferred to a crypto mixing service.

Multichain has not made a statement in regards to the movement of funds. The Fantom Foundation said it was aware of "a situation unfolding on the Multichain bridge..

"We are actively evaluating the circumstances and will provide an update as soon as we have more to share," it wrote. 

Initial perspectives

Security firm PeckShield questioned whether this was related to cross-chain platform LayerZero adding support for four tokens, matching those that were moved. Yet this doesn't align with the complete list of tokens that were moved.

LayerZero CEO Bryan Pellegrino told The Block the issue was not related to the platform. 

"It's a multichain hack," he said in a message. "It's 100% not related to LayerZero."

Pellegrino suggested that it could be Multichain bridge users withdrawing their assets to bring them to LayerZero. Yet Wintermute Head of Research Igor Igamberdiev said this is likely to be someone who has control over the bridge because funds weren't burned on the Fantom side of it when the transactions took place.

Igamberdiev also noted that it was odd the wallet that received a large chunk of the USDC also made a transaction from the old Binance Smart Chain bridge a few hours earlier.

Previous bridging issues

The Multichain bridge is supported by multi-party computation involving 21 nodes with a combination of them required to sign transactions authorizing the movement of funds. Multichain has previously been exploited in 2021, when it was named Anyswap.

Multichain had multiple technical issues throughout May. The team also confirmed that it had lost contact with its CEO Zhaojun, amid rumors that he had been detained in China. The team has not since announced that he has returned to the fray.

Multichain and Fantom have not yet replied to a request for comment.

This article has been updated with a statement from the Fantom Foundation and additional context on the movement of funds from further blockchains.