DefiWay: Lessons Learnt and Ensuring Safety After Multichain Exploit
By: Aly
03.07.2023
How DefiWay Ensures Customer Asset Safety: Learning from the Multichain.org Exploit

In the rapidly evolving crypto landscape, the importance of secure cross-chain bridges cannot be overstated. These software applications serve as the vital threads that seamlessly connect different blockchain networks, allowing for smooth transactions and fostering interoperability.

However, recent events have opened our eyes to the vulnerabilities lurking within certain cross-chain bridges, particularly the Multichain one, and highlighted the pressing need for a thorough examination of their security design. That is exactly why I felt the urge to delve into the details of this exploit, analyze the underlying reasons, and equip Defiway readers with the concrete steps needed to protect themselves during cross-chain transactions.

Ready to dive deep into the investigation and receive a super detailed understanding of how to make sure your funds will be protected? Let’s explore my insights together!

Crypto Bridge Market Overview

The crypto bridge market is a dynamic and rapidly evolving space, shaped by various market players and trends. Decentralized exchanges, centralized exchanges, and hybrid models cater to the diverse needs of crypto traders. Interoperability initiatives, Layer 2 scaling solutions, and regulatory developments are driving the market forward. By staying informed about the main players and current trends, individuals can navigate this exciting industry and seize opportunities for growth and innovation. First, let’s examine the main market players and their features:

Decentralized Exchanges (DEXs)

Decentralized exchanges have gained significant popularity due to their ability to facilitate peer-to-peer transactions without the need for intermediaries. Platforms such as Uniswap, SushiSwap, and PancakeSwap have emerged as prominent DEXs, offering users the ability to trade a wide range of tokens directly from their wallets. They prioritize security, transparency, and user control, making them attractive options for many crypto enthusiasts.

Centralized Exchanges (CEXs)

Centralized exchanges have long been a dominant force in the crypto market. Platforms like Binance, Coinbase, and Kraken provide a familiar trading experience and offer advanced features such as margin trading and futures contracts. While centralized exchanges require users to trust them with their funds, they often provide higher liquidity and a wide selection of trading pairs.

Hybrid Exchanges

As the crypto market evolves, hybrid exchanges have emerged as a middle ground between decentralized and centralized models. These exchanges combine the benefits of both, offering users the control and security of decentralized platforms while incorporating some elements of centralized exchanges like order books and faster transaction speeds. Examples include KuCoin and Binance DEX.

Where is the Crypto Bridge Market Heading?

Interoperability

One of the prominent trends in the crypto bridge market is the focus on interoperability. Projects like Polkadot, Cosmos, and Avalanche aim to create cross-chain solutions that enable seamless communication and value transfer between different blockchain networks. This trend seeks to overcome the limitations of siloed blockchains and foster greater collaboration and innovation within the industry.

Layer 2 Scaling Solutions

Scalability remains a key challenge for blockchain networks, leading to the rise of Layer 2 solutions. Projects such as Lightning Network (for Bitcoin) and Optimism (for Ethereum) aim to increase transaction throughput and reduce fees by conducting transactions off-chain while maintaining the security guarantees of the underlying blockchain. These solutions pave the way for broader adoption and improved user experiences.

Regulatory Landscape

The regulatory environment surrounding cryptocurrencies and exchanges continues to evolve globally. Many countries are formulating frameworks to address concerns related to consumer protection, anti-money laundering (AML), and know-your-customer (KYC) requirements. As regulations become clearer, market players are adapting to comply with these guidelines, fostering increased trust and stability within the crypto bridge market.

What happened to Multichain?

Multichain is an open-source cross-chain router protocol (CRP) that bridges tokens across blockchains via cross-chain bridges and cross-chain routers. The project launched in July 2020 as Anyswap and has since rebranded to Multichain.

How does the Multichain bridge operate?

  1. Secure Multi-Party Computation. Multichain's cross-chain signing is a threshold signature scheme built on SMPC. What is SMPC? It is the part of cryptography that lets a computation be carried out jointly by several parties without any party seeing the others' inputs. For a bridge, the computation is producing a signature: the private key that moves bridged funds is never assembled in one place; each node holds a share, and a threshold of nodes must cooperate to sign.
  2. Open-Source Code. Multichain's Cross-Chain Router is an open-source protocol, which has both pros and cons. Transparency lets anyone audit the code and alleviates concerns, but it also lets attackers study exactly how to mount an attack.
  3. Academic alliance and code auditing. Multichain claimed to have built an academic alliance with global cryptography experts specializing in threshold signature algorithms and MPC, in order to keep up with the latest developments in the field and push for technological innovation.
  4. Bug bounty program, security fund and audits. Whenever someone reports a bug in Multichain, a reward is paid. The team also claimed to run regular audits of its technology.

Now that we’ve reviewed what Multichain is and its main security features - time to make a deep dive into the recent events. Ready?

How did the exploit happen?

Everything started on Thursday evening, when Multichain announced that it was experiencing out-of-the-ordinary activity. According to PeckShield, a blockchain security firm, the stolen assets included several stablecoins (Circle's USD Coin, USDC, and DAI), tokens such as Chainlink (LINK), and wrapped bitcoin and ether. The stolen funds were moved to six addresses.

The cross-chain bridge serves as a link connecting different blockchains, including Ethereum, Bitcoin, and Dogechain, enabling the transfer of assets between them. The most affected transfers were those moving tokens from the Fantom blockchain to either Ethereum or the Binance Smart Chain. The liquidity pool on the Multichain bridge suffered the largest loss, with approximately $118 million transferred out of it. Transfers from the Dogechain and Moonriver blockchains were also affected by this incident.

Binance CEO Changpeng Zhao stated that the Multichain hack did not affect Binance users, noting that deposits had been closed in May. Multichain, previously known as Anyswap, had already suffered its first hack in 2021, when attackers stole stablecoins worth about $8 million from the protocol, and the bridge's journey has been troubled since. Zhao added in a tweet that the exchange had already swapped all assets associated with the Multichain bridge. Here is what was taken:

  • About $58 million in the stablecoin USDC;
  • 1,020 (wrapped) bitcoin, valued at about $30.9 million;
  • Approximately 7,200 ether, worth about $13.7 million;
  • About $4 million in another stablecoin;
  • Various other widely held tokens hosted on the Multichain bridge, including Chainlink, Curve DAO, YFI, Wootrade Network and, astonishingly, almost a quarter of the entire UniDex supply.

There are hundreds of predictions on why the exploit even happened in the first place. I won't dive deep into either of them since I still don’t have facts that will prove the existing theories.

But this situation could have been avoided. Right now some people feel that cross-chain transactions are inherently unsafe, but that is not true. Whether a transfer is safe depends on the security design of the specific bridge you are using.

And from what I see - Multichain bridge didn’t have enough of them. Let's clarify.

The only real security features that Multichain had were SMPC (Secure Multi-Party Computation) and TSS (threshold signature scheme). Without technical jargon:

  • With SMPC, several parties jointly compute a function without any of them revealing its input to the others. They are all connected, but none of them sees the others' data. For a bridge, that function is producing a signature, and the parties are the bridge's node operators, not you: once your funds are deposited, the pieces of the key that can move them are in their hands.
  • TSS is a method for producing a single, ordinary-looking digital signature from a threshold of key shares held by multiple signers. The user is not one of those signers. Whoever controls enough shares can sign your bridged funds away, and the destination chain cannot tell how many shares produced the signature or who holds them.

Do you see where this is going? During a Multichain transfer your funds were not under your control: from the moment of deposit until release on the destination chain, they were controlled by the bridge's signer set. Yes, using TSS and MPC is common practice in crypto. Yes, they have real advantages, and they allow more decentralization than traditional payment rails. But they do not give users full control over their funds, and a threshold is only as strong as the independence of the parties holding the shares. This should change.

How to make that evolution and make sure another exploit doesn’t happen again? I’ve taken a deep dive into Defiway Bridge security features, and I believe I’ve just found an answer.

What is Defiway Bridge?

Defiway is a leading company in Decentralized Finance, offering Payment Solutions for the seamless management of crypto assets across multiple blockchain networks. Defiway currently offers 5 protocols—Cross-Chain Bridge, Pay, Payroll, Wallet, and Treasury.

Today I’ve investigated the 1st one - crypto bridge , since it’s most relevant to our topic. Let’s explore my insights!

Will the exploit be possible with Defiway? Not likely. Here are the reasons why:

Approve/Send transactions

From how I see it, in Multichain the user was required to perform two transactions during a cross-chain transfer: Approve and then Send. There is nothing wrong with the Send functionality.

However, the Approve functionality has one trick. An approval is itself a signed transaction, and what it signs is permission: it grants the router contract the right to spend your tokens on your behalf, up to the approved allowance. Many bridge front-ends request an unlimited allowance, and the allowance stays in force after your transfer is complete.

Guys, this is important to understand: if the contract you have approved is malicious, or is later compromised, whoever controls it can call transferFrom and move the approved tokens out of your wallet to any address, without any further action from you. Defiway has removed the Approve step from its bridge, so there is no standing allowance left behind for an attacker to abuse.

So reason 1: Defiway does not need a token approval for cross-chain transactions.
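To make the approval risk concrete, here is an added example (not DefiWay's or Multichain's code) that decodes an ERC-20 approve() call the way a careful wallet should before the user signs it, builds the approve(spender, 0) call that revokes a standing allowance, and then replays the scenario above on a toy in-memory token ledger: the user bridges 100 tokens, and afterwards the router's controller turns hostile and tries to pull the rest. The selectors are the standard ERC-20 ones; USER, ROUTER and ATTACKER are made-up placeholder addresses and ToyERC20 is a deliberately minimal stand-in for a real token contract.

```python
"""Inspect an ERC-20 approve() call before signing it, and show what a standing
allowance lets the approved contract do afterwards.

Added example for this article; not DefiWay's or Multichain's code. Function
selectors are the standard ERC-20 ones; USER, ROUTER and ATTACKER are made-up
placeholder addresses; ToyERC20 is a minimal in-memory stand-in for a token.
"""

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # keccak256("approve(address,uint256)")[:4]
UINT256_MAX = (1 << 256) - 1                   # what "unlimited approval" means on-chain

USER = "0x" + "11" * 20       # placeholder addresses, not real contracts
ROUTER = "0x" + "22" * 20
ATTACKER = "0x" + "33" * 20


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector, address left-padded to 32 bytes, uint256."""
    spender_bytes = bytes.fromhex(spender[2:])
    if len(spender_bytes) != 20 or not 0 <= amount <= UINT256_MAX:
        raise ValueError("bad spender or amount")
    return APPROVE_SELECTOR + spender_bytes.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> dict:
    """Decode approve calldata into its fields; reject anything that is not a well-formed approve."""
    if len(calldata) != 4 + 64 or calldata[:4] != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    addr_word, amount_word = calldata[4:36], calldata[36:68]
    if addr_word[:12] != b"\x00" * 12:
        raise ValueError("address word has non-zero padding")
    return {"spender": "0x" + addr_word[12:].hex(), "amount": int.from_bytes(amount_word, "big")}


def assess_approval(calldata: bytes, trusted_spenders: set, transfer_amount: int) -> list:
    """Warnings a wallet should show before the user signs this approval."""
    fields = decode_approve(calldata)
    warnings = []
    if fields["spender"].lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender is not a contract you have vetted")
    if fields["amount"] == UINT256_MAX:
        warnings.append("unlimited allowance: the spender can move this token out of your wallet at any time")
    elif fields["amount"] > transfer_amount:
        warnings.append("allowance exceeds the amount being bridged; the excess stays approved afterwards")
    return warnings


def revoke_calldata(spender: str) -> bytes:
    """Calldata for approve(spender, 0), which removes a standing allowance."""
    return encode_approve(spender, 0)


class ToyERC20:
    """Minimal balances/allowances ledger with ERC-20 transferFrom semantics."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:          # unlimited allowances are never decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def simulate_bridge_then_compromise(allowance: int, bridged: int = 100, start: int = 1_000) -> dict:
    """User approves ROUTER for `allowance`, bridges `bridged` tokens, then the router's
    controller turns hostile and tries to pull everything left in the user's wallet."""
    token = ToyERC20({USER: start})
    token.approve(USER, ROUTER, allowance)
    token.transfer_from(ROUTER, USER, ROUTER, bridged)   # the legitimate deposit
    try:
        token.transfer_from(ROUTER, USER, ATTACKER, token.balances[USER])
        drained = True
    except PermissionError:
        drained = False
    return {"drained": drained, "user_balance": token.balances[USER]}


if __name__ == "__main__":
    unlimited = encode_approve(ROUTER, UINT256_MAX)
    print(assess_approval(unlimited, {ROUTER}, 100))
    print(simulate_bridge_then_compromise(UINT256_MAX))   # drained
    print(simulate_bridge_then_compromise(100))           # not drained
    print(revoke_calldata(ROUTER).hex())
```

The two simulations are the whole point: with an unlimited allowance the "bridge" contract can empty the wallet long after the transfer, while an allowance equal to the bridged amount is consumed by the deposit itself and leaves nothing to abuse. If a bridge you have used in the past did ask for approvals, the revoke calldata is what you send to the token contract to close them.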

Anonymous transactions

Another distinguishing feature is that transfers are anonymous: the receiver's address cannot be linked back to the sender, so an attacker cannot use the on-chain trail to identify you and exploit your personal data. Note that this is a linkability claim, not a secrecy one: both addresses are still visible on their respective public chains.

Multisig security

Here’s where it gets even more interesting!

Remember when I said Multichain had TSS Security measures, and they weren’t completely safe? Here are the reasons why:

TSS is done off-chain, and in threshold signature schemes each public key, with its corresponding private key shares, belongs permanently to a single, fixed group of signers. The chain sees one ordinary signature and cannot tell how many shares produced it or who holds them. Meaning: it is the signer group, not you, that controls the funds, and if one operator ends up holding enough shares, the threshold protects nothing.

Multisig is done on-chain, and in a multisignature scheme each signer has its own distinct key pair. Which means? Each signature is verified separately by the contract, it is visible on-chain which keys approved a transfer, and no single key holder can forge the others' approval.

Defiway uses multisig for cross-chain transactions in a slightly different way: the signing servers are located in different places, and a transfer is validated only with the signatures of all of them. Even if an attacker gains control of one server, he cannot control the whole bridge. The flip side of an all-servers rule is availability: if one server is unreachable, nothing is validated until it is back.
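The threshold mechanism described in the SMPC point earlier and in the TSS paragraph above rests on Shamir secret sharing: a key is split into n shares so that any t of them reconstruct it. The added example below (not Multichain's or DefiWay's code, and using a toy prime field rather than a real signing curve) implements that split and recovery, shows that t-1 shares are useless, and then asks the question that matters for a bridge: who physically holds how many shares. The holder names ("ops-team", "node-0", ...) are made up for the illustration.

```python
"""Shamir t-of-n secret sharing, the building block behind a threshold-signature
bridge key, and a check of who can actually reconstruct that key.

Added example for this article; not Multichain's or DefiWay's code. Uses a toy
prime field rather than a production curve order. Holder names are made up.
"""
import secrets

P = (1 << 127) - 1   # Mersenne prime; a demo field, not a real curve order


def split_secret(secret: int, t: int, n: int, rng=secrets.randbelow) -> list:
    """Split `secret` into n shares so that any t of them reconstruct it:
    pick a random polynomial f of degree t-1 with f(0) = secret; share i is (i, f(i))."""
    if not (1 <= t <= n < P and 0 <= secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(P) for _ in range(t - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):       # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0. Correct only when len(shares) >= t; with fewer
    shares it still returns a number, but one that is wrong with overwhelming probability."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def who_controls_the_key(holdings: dict, t: int) -> list:
    """Given which shares each holder actually possesses, list the holders that can
    reconstruct the key on their own. A t-of-n threshold only protects against a single
    party if no single party holds t or more shares; an operator who runs every node
    holds all of them, and the chain cannot tell the difference."""
    return [holder for holder, shares in holdings.items() if len(shares) >= t]


def demo() -> dict:
    key = secrets.randbelow(P)
    shares = split_secret(key, t=3, n=5)
    return {
        "three_shares_recover": recover_secret([shares[0], shares[2], shares[4]]) == key,
        "two_shares_recover": recover_secret(shares[:2]) == key,
        "one_operator_holds_all": who_controls_the_key({"ops-team": shares}, 3),
        "independent_nodes": who_controls_the_key({f"node-{i}": [s] for i, s in enumerate(shares)}, 3),
    }


if __name__ == "__main__":
    print(demo())
```

The last two dictionary entries are the bridge lesson in miniature: the same 3-of-5 split is a real safeguard when five independent operators each hold one share, and no safeguard at all when one team holds all five. When you evaluate a TSS bridge, the number to ask about is not t, but the largest number of shares any one organisation can reach.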

Defiway doesn’t issue its own unbacked tokens

Multichain, like many other crypto bridges, locks your original funds in the protocol and issues a new token on the target chain. That design carries its own risk: if the locked collateral is stolen, as it was in this exploit, the tokens minted on the other chains are left unbacked. The distinctive feature of the Defiway bridge is that it does not issue its own unbacked tokens, which removes that risk for its users.

Possibility to send to multiple blockchains with one transaction

And last but not least—the user can send tokens to multiple blockchains with one transaction.

This is another great feature I have noticed. Since you reduce the number of transactions you need to sign, you reduce the number of points at which something can go wrong, and your funds stay in your own wallet for most of the time.

Final Verdict

After a detailed investigation of the Multichain bridge hack and the reasons behind it, I clearly see that the one thing that could have prevented it is stronger security. Can I say that Multichain's security measures were bad? No. They just were not enough. Multichain focused on external safety measures (audits, bounties, alliances) more than on internal ones.

But the priority should be the reverse: to keep users' funds safe, cross-chain bridges need to put 80% of their focus on strengthening their technology and only 20% on audits and bug reports.

Defiway's crypto bridge, on the other hand, is doing better than expected. It lets us reduce the number of transactions, removes the token approval step, and, most importantly, makes sure no single party can control the whole bridge.

I don’t know about you, but after finishing this article, I’m off to make that safe cross-chain transaction with Defiway. If you’d like to join me—here’s your link to their bridge. Try it out and experience headache-free cross-chain transfers, especially after the exploit.

I’ll see you in the next article. And yeah, you know how they say take care of yourself? Well, take care of your funds too!