L2 Beat Raises Questions About Multichain’s Management of Millions in User Funds – The
The vast majority of crypto lost to hacks this year was stolen from bridges, the technology that allows users to transfer digital assets between blockchains.
The reasons are clear: Bridges are complicated, giving attackers more avenues to exploit.
Moreover, they provide a single point of failure: a smart contract holding user money in escrow while the “transferred” tokens — essentially IOUs — are used on the destination chain.
So the researchers at L2 Beat were surprised when they dug into Multichain, a bridging platform with $1B in total value locked, and found an apparent threat from within.
In an unusual move, Multichain transferred millions in user funds from escrow to provide liquidity elsewhere in its network, according to L2 Beat, a research project that analyzes the Layer 2 blockchain space.
“That’s users’ money, so either this is agreed with users in this chain, or they broke a social contract with users,” Bartek Kiepuszewski, a researcher at L2 Beat, told The Defiant.
While transfer of the tokens from escrow can be seen on-chain, where those tokens ultimately went is a mystery, according to Kiepuszewski.
Multichain claims the tokens were used to provide liquidity elsewhere on its network, but the size of that network means that confirming the claims is exceedingly difficult for a small team like L2 Beat.
Michael Lewellen, head of solutions at crypto security firm Open Zeppelin, said the practice is indeed problematic.
“If there is not a clear way to identify that the assets the bridge claims to back are not present somewhere that’s publicly verifiable, I would definitely state that as a specific concern for the bridge,” Lewellen told The Defiant.
L2’s allegations call into question the behavior and security practices at an organization responsible for more than $1B in user funds. Multichain bridges to dozens of blockchains and supports thousands of tokens. Confirming Multichain still has that crypto — that it hasn’t been stolen or gambled away in DeFi protocols — would be a herculean task.
Furthermore, the allegations might inject fresh doubt into bridge technology, which has suffered enormous damage at the hands of hackers this year.
Three of the five biggest hacks in crypto history occurred this year, and each one of them was a bridge hack, according to Rekt’s exploit leaderboard. More than $600M was taken from the Ronin Network. Almost $600M was taken from a Binance bridge. More than $300M was taken from the Wormhole bridge.
Multichain did not respond to multiple requests for comment submitted via the contact email address listed on its website.
The episode highlights the role L2 is playing in scrutinizing the blockchain scaling space. When lending protocol Maker was considering whether to expand to Layer 2 blockchains such as Optimism and Arbitrum, it needed to better understand how those blockchains worked.
The ensuing project eventually spun off from Maker and became L2 Beat — a website that lists myriad Layer 2 blockchains, the amount of money they hold, and the security assumptions they make.
This month, the project expanded with the launch of a dashboard for bridge protocols. Beside Multichain, the world’s second largest bridge protocol, the L2 Beat team appended a small yellow shield bearing an exclamation point, warning users of the suspected impropriety.
“Every single bridge works more or less the same way,” Kiepuszewski explained. “You send tokens to an address and [new] tokens would be minted by validators on the destination [blockchain]. If you want to go back, the reverse happens, so you burn tokens at the destination and validators should release tokens from that escrow address that you originally sent tokens to.”
Bridge protocols that cannot mint new tokens on a destination chain instead use the “liquidity network” method. Liquidity providers deposit tokens in liquidity pools on the destination chain. Those tokens are available to users who bridge to that blockchain, and they are returned to the pool when bridge users withdraw to their origin chain.
Multichain, which has bridges to dozens of blockchains, is a hybrid, according to L2 Beat. In some instances it mints tokens. In others, it uses liquidity pools.
According to Kiepuszewski’s research, Multichain validators pulled almost $80M in stablecoins and 300 Bitcoin from an escrow contract, leaving more crypto on the destination chain than remained in the contract.
Kiepuszewski said he reached out to Multichain and representatives told him the crypto has been used to supply liquidity pools across different chains.
“They claim that this is not in their opinion problematic, because the money still resides in the Multichain ecosystem, and users, in their opinion, should always be able to withdraw the amount they need,” Kiepuszewski said. But performing an audit “now becomes extremely complicated, because you have to analyze the whole Multichain ecosystem, right?”
Open Zeppelin’s Lewellen agreed. “Even for liquidity networks,” he said, “there’s at least a way to look at the different [liquidity provider] pools and different chains and identify that the overall assets issued by a bridge match up with some liquidity pool elsewhere.”
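The reconciliation Kiepuszewski and Lewellen describe can be stated as a single invariant: the IOUs a bridge has minted across all destination chains must be covered by what is verifiably held, namely the escrow contract plus any liquidity pools that can actually be inspected on-chain. The toy ledger below, added here as an illustration and not code from L2 Beat, Multichain or The Defiant, models the lock-and-mint flow from the quoted explanation, lets an operator move escrowed funds out either into a checkable pool or to an unaccounted destination, and then audits every token for a shortfall. The class name, the chain labels and all balances are constructed for the example.

```python
from collections import defaultdict


class BridgeLedger:
    """Hypothetical model of a lock-and-mint bridge's books (not Multichain's code).

    escrow: token -> amount locked in the origin-chain escrow contract
    minted: (chain, token) -> bridge-minted IOUs outstanding on that chain
    pools:  (chain, token) -> liquidity the operator holds in a publicly
            verifiable pool on that chain
    """

    def __init__(self):
        self.escrow = defaultdict(int)
        self.minted = defaultdict(int)
        self.pools = defaultdict(int)

    def lock_and_mint(self, chain, token, amount):
        """User sends `amount` to escrow; validators mint IOUs on `chain`."""
        self.escrow[token] += amount
        self.minted[(chain, token)] += amount

    def burn_and_release(self, chain, token, amount):
        """User burns IOUs on `chain`; validators release `amount` from escrow."""
        if self.minted[(chain, token)] < amount:
            raise ValueError("cannot burn more than was minted on this chain")
        if self.escrow[token] < amount:
            raise ValueError("escrow cannot cover the release")
        self.minted[(chain, token)] -= amount
        self.escrow[token] -= amount

    def validator_withdrawal(self, token, amount, pool=None):
        """Operator moves escrowed funds out of the contract.

        If `pool` (a (chain, token) key) is given, the funds land somewhere an
        auditor can still check; otherwise they leave the verifiable set."""
        if self.escrow[token] < amount:
            raise ValueError("withdrawal exceeds escrow")
        self.escrow[token] -= amount
        if pool is not None:
            self.pools[pool] += amount

    def backing(self, token):
        """Compare outstanding IOUs for `token` with verifiable holdings."""
        minted = sum(v for (_, t), v in self.minted.items() if t == token)
        pools = sum(v for (_, t), v in self.pools.items() if t == token)
        verifiable = self.escrow[token] + pools
        return {
            "minted": minted,
            "escrow": self.escrow[token],
            "pools": pools,
            "shortfall": max(0, minted - verifiable),
            "ratio": (verifiable / minted) if minted else 1.0,
        }

    def audit(self):
        """Return the backing report for every token that is under-covered."""
        tokens = {t for (_, t) in self.minted}
        flagged = {}
        for t in tokens:
            report = self.backing(t)
            if report["shortfall"] > 0:
                flagged[t] = report
        return flagged


def demo():
    """Constructed flows in whole-token units; the numbers are made up."""
    ledger = BridgeLedger()
    ledger.lock_and_mint("chainA", "DAI", 1_000_000)
    ledger.lock_and_mint("chainB", "DAI", 500_000)
    ledger.lock_and_mint("chainA", "USDC", 2_000_000)
    ledger.burn_and_release("chainB", "DAI", 100_000)
    # Operator pulls DAI from escrow: 300k into a pool an auditor can see,
    # 400k to a destination that cannot be reconciled.
    ledger.validator_withdrawal("DAI", 300_000, pool=("chainA", "DAI"))
    ledger.validator_withdrawal("DAI", 400_000)
    return ledger.audit()


if __name__ == "__main__":
    for token, report in demo().items():
        print(token, report)
```

Only DAI is flagged in the demo: 1,400,000 IOUs are outstanding against 700,000 in escrow plus 300,000 in a checkable pool, so the 400,000 that left for an unaccounted destination shows up as the shortfall. This is the same gap the article describes for Dai on Fantom, reduced to arithmetic an auditor could run if every destination of the withdrawn funds were published.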
Lewellen and Kiepuszewski both said a dashboard showing the route their funds are taking would go a long way toward assuaging concerns about the movement of users’ crypto.
It also adds a new wrinkle when assessing whether Multichain is a safe place to park one’s money. Typically, an audit would confirm whether there are any software vulnerabilities. Now, users must also wonder whether Multichain itself can be trusted with their money, Kiepuszewski said.
Even if the funds are in safekeeping, accessing them in a timely manner might be difficult. And that presents its own problems, according to Lewellen, who pointed to the fact that there seems to be less Dai in Multichain’s Fantom bridge than there are Multichain-minted Dai tokens on Fantom.
More than $52M Dai bridged to Fantom, a Layer 1 blockchain, was allegedly removed from escrow by Multichain validators, according to L2 Beat.
If Dai were to lose its peg to the US Dollar, and people with Dai on Fantom wanted to redeem that Dai for USD, they might lose a significant amount of money in the time it takes to locate and transfer the Dai that should have been in escrow, according to Lewellen.
“It’s not that this is going to happen today, but it could happen if these factors line up in a way that’s not very favorable for Multichain,” he said, “and I think that’s ultimately where the concern comes from. It’s just not having clarity around how Multichain is managing this risk.”