🌉 Poly Network and Multichain Bridges: Unveiling Recent Hacks

Ahmed Ali
Jul 10, 2023


Bridges, also known as cross-chain interoperability solutions, play a vital role in connecting different blockchain networks. They facilitate the transfer of digital assets and data between separate blockchain ecosystems, enabling enhanced functionality, liquidity, and scalability. By connecting otherwise disparate blockchains, bridges foster collaboration and expand the possibilities within the decentralized landscape. However, it's crucial to be aware of the risks associated with bridges when engaging with them.

Poly Network: Latest Breach and Compromised Multisig Keys

In a surprising turn of events, Poly Network, a prominent cryptocurrency platform, fell victim to yet another hacking incident on July 3, 2023. This breach has raised concerns among investors and highlighted the vulnerabilities within the system. Unlike the complex hack that occurred in August 2021, this time the attack seems to be the result of compromised multi-sig keys. Out of the four multi-sig signers, three validated deposit proofs, inadvertently granting the attacker access to the funds.

The modus operandi of the attack involved a meticulous process. The attacker first locked a small amount of tokens on one chain and then proceeded to withdraw a larger sum on a different chain, using forged proofs. This pattern was repeated across various assets and chains, allowing the attacker to accumulate a significant amount of ill-gotten assets.
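The pattern above (a small lock on one chain, a larger release on another) breaks an invariant a bridge operator can monitor: every release must be covered by a lock of at least the same amount, used once. The following reconciliation check is an added example, not code from Poly Network or from the post-mortem; the event fields, transfer ids and amounts are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample events, not real chain data; all field names are assumptions.
LOCKS = [
    {"transfer_id": "t1", "asset": "TOKEN", "amount": Decimal("10")},
    {"transfer_id": "t2", "asset": "TOKEN", "amount": Decimal("1")},
]
UNLOCKS = [
    {"transfer_id": "t1", "asset": "TOKEN", "amount": Decimal("10")},       # backed
    {"transfer_id": "t2", "asset": "TOKEN", "amount": Decimal("1000000")},  # inflated
    {"transfer_id": "t2", "asset": "TOKEN", "amount": Decimal("1")},        # reused lock
    {"transfer_id": "t9", "asset": "TOKEN", "amount": Decimal("5")},        # no lock
]


def reconcile(locks, unlocks):
    """Return (transfer_id, reason) alerts for unlocks a lock does not cover."""
    locked = {l["transfer_id"]: l for l in locks}
    released = defaultdict(Decimal)  # running total released per transfer id
    alerts = []
    for u in unlocks:
        tid = u["transfer_id"]
        lock = locked.get(tid)
        if lock is None:
            alerts.append((tid, "unlock without matching lock"))
        elif u["asset"] != lock["asset"]:
            alerts.append((tid, "asset mismatch"))
        else:
            released[tid] += u["amount"]
            if released[tid] > lock["amount"]:
                alerts.append((tid, "released amount exceeds locked amount"))
    return alerts


def unbacked_by_asset(locks, unlocks):
    """Per asset, how much more was released than was ever locked."""
    net = defaultdict(Decimal)
    for u in unlocks:
        net[u["asset"]] += u["amount"]
    for l in locks:
        net[l["asset"]] -= l["amount"]
    return {asset: gap for asset, gap in net.items() if gap > 0}


if __name__ == "__main__":
    for alert in reconcile(LOCKS, UNLOCKS):
        print(alert)
    print(unbacked_by_asset(LOCKS, UNLOCKS))
```

Because the check reads lock events from the source chain independently of the signers, it still fires when the signing keys themselves are compromised.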

For those interested in the technical details, a comprehensive post-mortem analysis of the Poly Network hack can be found here.

Although the overall value of the assets minted during the breach reached astonishing figures in the tens of billions, the attacker was only able to access approximately $4.4 million of Poly Network’s liquidity. It’s worth noting that a significant portion of the stolen assets still remains within the attacker’s address.


To explore the specific assets stolen on each chain, refer to the comprehensive list available here.

This incident once again emphasizes the need for robust security measures within the cryptocurrency industry, as Poly Network grapples with the aftermath and works towards restoring trust among its users.

Multichain: Recent Hack and Ongoing Investigations

Multichain, previously known as Anyswap, has once again fallen victim to a significant breach, resulting in the drain of approximately $126 million worth of assets. This represents around 50% of the FTM bridge holdings and a staggering 80% of the Moonriver bridge holdings.

The troubles for Multichain began nearly two years ago when it suffered a hack that cost $8 million. Subsequently, in early 2022, vulnerabilities in six multi-token contracts led to an approvals-draining attack, resulting in estimated user losses of $3 million. More recently, in May of this year, Multichain faced panic within the community due to bridging delays, insider dumping rumors, and team arrest speculations.

The latest incident, where assets on the Multichain MPC address were moved to an unknown address, has caused significant concern. The team is currently investigating the matter, but the root cause remains uncertain. In response, Multichain has advised all users to suspend the use of their services and revoke all contract approvals related to Multichain.

Fantom, heavily reliant on Multichain versions of non-native assets, including USDC, USDT, DAI, wETH, and wBTC, has also been left without answers regarding the situation.

While the exact attack vector has yet to be determined, transaction behavior suggests that the attacker had direct control over the affected addresses. Possible methods of gaining access include a breach of the back-end infrastructure, spearphishing to obtain private keys or the involvement of a malicious insider.

The exploiter addresses involved in the recent attack hold a total of $126.3 million worth of assets across various cryptocurrencies, including DAI, LINK, USDT, CRV, USDC, wETH, and wBTC.


As investigations continue, the Multichain community and affected users anxiously await further updates, hoping for more precise insights into the events that unfolded.

To explore the specific assets stolen on each chain, refer to the comprehensive list available here.

Credits: rekt, beosin
