Multichain, a bridging platform with $1B in total value locked, has transferred almost $80M in stablecoins and 300 Bitcoin in unusual moves that bear scrutiny, according to L2 Beat, a research project that analyzes the Layer 2 blockchain space.
Multichain transferred millions in user funds from escrow to provide liquidity elsewhere in its network, said L2 Beat, which is raising questions about the purpose of the transfers. The moves and L2’s scrutiny have not been reported before.
“That’s users’ money, so either this is agreed with users in this chain, or they broke a social contract with users,” Bartek Kiepuszewski, a researcher at L2 Beat, told The Defiant.
The vast majority of crypto lost to hacks this year was stolen from bridges, the technology that allows users to transfer digital assets between blockchains.
The reasons are clear: Bridges are complicated, giving attackers more avenues to exploit. Moreover, they provide a single point of failure: a smart contract holding user money in escrow while the “transferred” tokens — essentially IOUs – are used on the destination chain.
So the researchers at L2 Beat were surprised when they dug into Multichain and found an apparent threat from within.
While transfer of the tokens from escrow can be seen on-chain, where those tokens ultimately went is a mystery, according to Kiepuszewski.
L2 Beat says Multichain claimed the tokens were used to provide liquidity elsewhere on its network. But confirming the claims has been difficult.
Michael Lewellen, head of solutions at crypto security firm Open Zeppelin, said the practice is indeed problematic.
“If there is not a clear way to identify that the assets the bridge claims to back are not present somewhere that’s publicly verifiable, I would definitely state that as a specific concern for the bridge,” Lewellen told The Defiant.
L2’s allegations call into question the behavior and security practices at an organization responsible for more than $1B in user funds. Multichain bridges to dozens of blockchains and supports thousands of tokens. Confirming Multichain still has that crypto — that it hasn’t been stolen or gambled away in DeFi protocols — would be a herculean task.
Furthermore, the allegations might inject fresh doubt in bridge technology, which have suffered enormous damage at the hands of hackers this year.
Three of the five biggest hacks in crypto history occurred this year, and each one of them was a bridge hack, according to Rekt’s exploit leaderboard. More than $600M was taken from the Ronin Network. Almost $600M was taken from a Binance bridge. More than $300M was taken from the Wormhole bridge.
Multichain did not respond to multiple requests for comment submitted via the contact email address listed on its website.
The episode highlights the role L2 is playing in scrutinizing the blockchain scaling space. When lending protocol Maker was considering whether to expand to Layer 2 blockchains such as Optimism and Arbitrum, it needed to better understand how those blockchains worked.
The ensuing project eventually spun off from Maker and became L2 Beat — a website that lists myriad Layer 2 blockchains, the amount of money they hold, and the security assumptions they make.
This month, the project expanded with the launch of a dashboard for bridge protocols. Beside Multichain, the world’s second largest bridge protocol, the L2 Beat team appended a small yellow shield bearing an exclamation point, warning users of the suspected impropriety.
“Every single bridge works more or less the same way,” Kiepuszewski explained. “You send tokens to an address and [new] tokens would be minted by validators on the destination [blockchain]. If you want to go back, the reverse happens, so you burn tokens at the destination and validators should release tokens from that escrow address that you originally sent tokens to.”
Bridge protocols that cannot mint new tokens on a destination chain instead use the “liquidity network” method. Liquidity providers deposit tokens in liquidity pools on the destination chain. Those tokens are available to users who bridge to that blockchain, and they are returned to the pool when bridge users withdraw to their origin chain.
Multichain, which has bridges to dozens of blockchains, is a hybrid, according to L2 Beat. In some instances it mints tokens. In others, it uses liquidity pools.
Kiepuszewski said he reached out to Multichain and representatives told him the crypto has been used to supply liquidity pools across different chains.
“They claim that this is not in their opinion problematic, because the money still resides in the Multichain ecosystem, and users, in their opinion, should always be able to withdraw the amount they need,” Kiepuszewski said. But performing an audit “now becomes extremely complicated, because you have to analyze the whole Multichain ecosystem, right?”
Open Zeppelin’s Lewellen agreed. “Even for liquidity networks,” he said. “There’s at least a way to look at the different [liquidity provider] pools and different chains and identify that the overall assets issued by a bridge match up with some liquidity pool elsewhere.”
Lewellen and Kiepuszewski both said a dashboard showing the route their funds are taking would go a long way toward assuaging concerns about the movement of users’ crypto.
It also adds a new wrinkle when assessing whether Multichain is a safe place to park one’s money. Typically, an audit would confirm whether there are any software vulnerabilities. Now, users must also wonder whether Multichain itself can be trusted with their money, Kiepuszewski said.
Even if the funds are in safekeeping, accessing them in a timely manner might be difficult. And that presents its own problems, according to Lewellen, who pointed to the fact that there seems to be less Dai in Multichain’s Fantom bridge than there are Multichain-minted Dai tokens on Fantom.
More than $52M Dai bridged to Fantom, a Layer 1 blockchain, was allegedly removed from escrow by Multichain validators, according to L2 Beat.
Multichain maintains that the DAI on Fantom is adequately backed, although the reserves are spread across its ecosystem.
If Dai were to lose its peg to the US Dollar, and people with Dai on Fantom wanted to redeem that Dai for USD, they might lose a significant amount of money in the time it takes to locate and transfer the Dai that should have been in escrow, according to Lewellen.
“It’s not that this is going to happen today, but it could happen if these factors line up in a way that’s not very favorable for Multichain,” he said, “and I think that’s ultimately where the concern comes from. It’s just not having clarity around how Multichain is managing this risk.”