The vast majority of cryptos lost to hacks this year were stolen by bridges, the technology that allows users to transfer digital assets between blockchains.
The reasons are obvious: Bridges are complicated and offer attackers more opportunities for exploitation.
Additionally, they offer a single point of failure: a smart contract that holds the user’s funds in escrow while the “transferred” tokens — essentially promissory notes — are used in the target chain.
Unusual move
Therefore, L2 Beat researchers were surprised when they delved into Multichain, a bridging platform with a total locked value of $1 billion, and found an obvious threat from within.
According to L2 Beat, a research project analyzing the Layer 2 blockchain space, in an unusual move, Multichain transferred millions of user funds from escrow to provide liquidity elsewhere on its network.
“That’s the users’ money, so either this is arranged with the users in that chain, or they broke a social contract with the users,” Bartek Kiepuszewski, a researcher at L2 Beat, told The Defiant.
This is user money, so either this is agreed with users in this chain, or they have broken a social contract with users.
Bartek Kiepuszewski
While the transfer of tokens from escrow can be seen on the chain, Kiepuszewski says it’s a mystery where those tokens ultimately went.
Multichain claims the tokens were used to provide liquidity elsewhere on its network, but the size of that network means corroborating the claims is extremely difficult for a small team like L2 Beat.
What is bridging?
A step-by-step guide to one of the most important features in DeFi
Michael Lewellen, head of solutions at crypto security firm Open Zeppelin, said the practice is indeed problematic.
“If there isn’t a definite way to establish that the assets the bridge claims to support aren’t publicly verifiable, I would definitely call that a special concern for the bridge,” Lewellen told The Defiant.
L2’s allegations call into question the behavior and security practices of an organization responsible for more than $1 billion in user funds. Multichain connects to dozens of blockchains and supports thousands of tokens. Confirming that Multichain still has this crypto — that it hasn’t been stolen or gambled away in DeFi protocols — would be a Herculean task.
fresh doubt
In addition, the allegations could raise new doubts about the bridge technology, which has suffered tremendous damage at the hands of hackers this year.
Three of the five biggest hacks in crypto history happened this year, and each of them was a bridge hack according to Rekt’s exploit ranking. More than $600 million has been drained from the Ronin network. Almost $600 million was taken from a Binance bridge. More than $300 million was stolen from the wormhole bridge.
Multichain did not respond to multiple requests for comments sent through the contact email address listed on its website.
security assumptions
The episode highlights the role L2 plays in probing the blockchain scaling space. When Lending Protocol Maker considered expanding to Layer 2 blockchains like Optimism and Arbitrum, it needed to better understand how those blockchains worked.
The resulting project was eventually forked from Maker and became L2 Beat – a website that lists countless Layer 2 blockchains, the amount of money they hold and the security assumptions they make.
This month, the project has expanded with the introduction of a dashboard for bridge logs. Next to Multichain, the second largest bridge protocol in the world, the L2 Beat team put up a small yellow sign with an exclamation mark, warning users of the suspected inappropriateness.
“Every single bridge works more or less the same,” explains Kiepuszewski. “You send tokens to an address and [new] Tokens would be minted by validators at the destination [blockchain]. If you want to go back, the opposite happens, so you burn tokens at the destination and validators should release tokens from that escrow address you originally sent tokens to.”
liquidity network
Bridge protocols that cannot mint new tokens on a target chain use the “Liquidity Network” method instead. Liquidity providers deposit tokens into liquidity pools on the target chain. These tokens are available to users bridging to that blockchain and are returned to the pool when bridge users retreat to their chain of origin.
Multichain, which has bridges to dozens of blockchains, is a hybrid according to L2 Beat. In some cases, tokens are minted. In others, it uses liquidity pools.
According to research by Kiepuszewski, multichain validators pulled nearly $80 million in stablecoins and 300 bitcoin from an escrow contract, leaving more crypto on the target chain than was left in the contract.
Kiepuszewski said he reached out to Multichain, and representatives told him the crypto was used to provide liquidity pools across different chains.
Ether hits six-week high as strong gains fuel stock market rally
Layer 1 tokens are leading the attack
“They claim that they don’t think this is a problem because the money is still in the multichain ecosystem and they think users should always be able to withdraw the amount they need,” Kiepuszewski said. But conducting an audit “now gets extremely complicated because you have to analyze the entire multichain ecosystem, right?”
Open Zeppelins Lewellen agreed. “Even for liquidity networks,” he said. “There is at least one way to look at the differences [liquidity provider] Pools and different chains and find that the total assets issued by one bridge match a pool of liquidity elsewhere.”
Lewellen and Kiepuszewski both said that a dashboard showing the path of their funds would go a long way in allaying concerns about users’ crypto movement.
Software Vulnerabilities
It also adds a new wrinkle in assessing whether Multichain is a safe place to park your money. An audit usually confirms whether there are software vulnerabilities. Now users must also ask themselves whether they can trust Multichain themselves with their money, said Kiepuszewski.
Even when the funds are kept safe, it can be difficult to access them in a timely manner. And that poses its own problems, according to Lewellen, who pointed to the fact that there appear to be fewer Dai in Multichain’s Fantom bridge than multichain-minted Dai tokens on Fantom.
No clarity
More than $52 million of Dai bridged to Fantom, a Layer 1 blockchain, has allegedly been removed from escrow by multichain validators, according to L2 Beat.
If the Dai lost its peg to the U.S. dollar and people with Dai on Fantom wanted to redeem that Dai for USD, they could lose a significant amount of money in the time it takes to locate and transfer the Dai in escrow, Lewellen said.
“It’s not like that’s going to happen today, but it could happen if these factors don’t come together very favorably for multichain,” he said, “and I think that’s ultimately the cause of concern.” There is simply a lack of clarity on how Multichain manages this risk.”
Learn Crypto Trading, Yield Farms, Income strategies and more at CrytoAnswers
https://nov.link/cryptoanswers
Comments are closed.