The Multichain bridge, one of the oldest and more established token bridges used in DeFi, has suffered a $126 million loss in July, making it one of the larger bridge hacks in history.
But this one is different from previous hacks like the Nomad bridge. No code was actually compromised; reportedly the assets were taken by the CEO’s sister. Multichain’s CEO, known only as Zhaojun, was apparently apprehended by Chinese authorities a few weeks prior.
The CEO’s disappearance wreaked havoc on the team’s operations, according to their own report. Zhaojun held several keys that were critical to the operation and maintenance of the protocol. According to the explanation published by the Multichain team, they had asked his sister for access to these keys via cloud backups. Allegedly, she then took the money “for safekeeping,” only to be arrested herself shortly after.
The incident highlighted what some industry experts and insiders knew all along: Multichain was an extremely centralized bridge, which literally ceased to function as soon as its CEO became unavailable. For a crypto project, this is a damning story — even traditional corporations are more decentralized than that.
Why this wasn’t spotted
Given these revelations, it seems surprising that people trusted Multichain enough to have hundreds of millions of dollars deposited on the platform.
Venket Naga, CEO of the privacy-preserving blockchain platform Serenity Shield, offered a few ideas as to how this might have happened. “First, the code's complexity may have made it challenging for non-experts to identify potential loopholes. Second, there might have been limited transparency and auditing, allowing crucial issues to go unnoticed,” he explained.
Because of their cross-chain nature, bridges are often a black box. Even though Multichain’s core architecture is open-source, the complexity of these systems means that it’s difficult to have a good understanding of how it’s all implemented.
“Trust in the code's integrity might have been assumed, neglecting the need for robust security assessments,” added Naga. “Moving forward, conducting comprehensive audits, fostering transparency, and engaging the community are crucial to prevent similar situations.”
Bridge Choice 101
Bridge vulnerabilities are a common theme in Web3, and many teams deemed competent and reputable suffered enormous losses. So how can an average user try to avoid these incidents and spot unsafe bridges from further away?
There is no perfect standard, but ideally it should be a mix of robust decentralization, simple architecture and good history of operation.
For example, for bridges running on some form of trusted validators (which applies to most of them), you would expect that these entities should be well-known, and at least somewhat separate from the bridge’s creators.
Architecture-wise, most bridges today are quite simple contracts based on multi-signature cryptography. More decentralized options have emerged from time to time, most notably Nomad. Unfortunately, such solutions are more complex, and Nomad itself was hacked because of a single poorly implemented line of code.
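The two criteria above (well-known validators separate from the creators, and a simple multi-signature contract) can be checked concretely by modelling who controls each signer key. The following is an added example, not code from the article or from any bridge project: it models a hypothetical M-of-N signer set, computes how many distinct entities must cooperate to move funds (safety), and flags any entity whose unavailability would leave fewer live keys than the threshold (liveness), which is the failure mode described above when a single key-holder became unreachable. The bridge configurations are constructed for illustration and do not describe any real bridge's key layout.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeConfig:
    """Hypothetical M-of-N signer set of a bridge contract, with each signer
    key mapped to the real-world entity that controls it."""
    name: str
    threshold: int                 # signatures required to release funds
    key_holders: dict[str, str]    # signer key id -> controlling entity


def keys_per_entity(cfg: BridgeConfig) -> Counter:
    """How many signer keys each entity controls."""
    return Counter(cfg.key_holders.values())


def min_entities_to_reach_threshold(cfg: BridgeConfig) -> int:
    """Smallest number of distinct entities whose keys together meet the
    threshold, i.e. how many parties must collude (or be compromised) to
    move funds. A result of 1 means one party alone can drain the bridge."""
    signed = 0
    counts = sorted(keys_per_entity(cfg).values(), reverse=True)
    for n, count in enumerate(counts, start=1):
        signed += count
        if signed >= cfg.threshold:
            return n
    return 0  # threshold unreachable even with every key: misconfigured


def halts_without(cfg: BridgeConfig, entity: str) -> bool:
    """Liveness check: does the bridge stop working if this entity's keys
    become unavailable (arrest, lost backups, departure)?"""
    remaining = len(cfg.key_holders) - keys_per_entity(cfg)[entity]
    return remaining < cfg.threshold


def single_points_of_failure(cfg: BridgeConfig) -> list[str]:
    """Entities whose absence alone would halt the bridge."""
    return sorted(e for e in keys_per_entity(cfg) if halts_without(cfg, e))


def assess(cfg: BridgeConfig) -> dict:
    """Summary a user could compare across bridges before depositing."""
    return {
        "name": cfg.name,
        "scheme": f"{cfg.threshold}-of-{len(cfg.key_holders)}",
        "min_entities_to_sign": min_entities_to_reach_threshold(cfg),
        "single_points_of_failure": single_points_of_failure(cfg),
    }


# Constructed configurations for illustration only.
FOUNDER_RUN = BridgeConfig(
    "founder-run", threshold=3,
    key_holders={f"key{i}": "founder" for i in range(1, 6)},
)
FEDERATED = BridgeConfig(
    "federated", threshold=3,
    key_holders={"k1": "exchange-a", "k2": "custodian-b", "k3": "foundation-c",
                 "k4": "validator-d", "k5": "founder"},
)
FOUNDER_HEAVY = BridgeConfig(
    "founder-heavy", threshold=4,
    key_holders={"k1": "founder", "k2": "founder", "k3": "exchange-a",
                 "k4": "custodian-b", "k5": "validator-d"},
)

if __name__ == "__main__":
    for cfg in (FOUNDER_RUN, FEDERATED, FOUNDER_HEAVY):
        print(assess(cfg))
```

The "founder-heavy" case is the instructive one: three separate parties would have to cooperate to move funds, so the set looks reasonably safe against theft, yet the founder is still a single point of failure for liveness, because losing their two keys leaves only three of the four required signers. Safety and liveness are different questions, and a bridge can pass one while failing the other.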
A good indicator is time. Poor bridges fail and only the sturdy options remain after some time — though Multichain is a significant exception to this rule. Many existing bridges have already gone through hacks, notably Wormhole. At the time, the project got “bailed out” by Jump Crypto, which allowed it to resume operations and re-establish some level of trust.
But this apparent “insurance” shouldn’t be taken for granted. According to Brandon Brown, CEO and Co-Founder of personal wallet theft protection FairSide, “bridges present complex challenges for cover providers due to centralization and the risks associated with smart contracts.”
Bridges are a crucial aspect of blockchain usage, but their implementation leaves much to be desired.
“To rebuild trust in blockchain bridges, a comprehensive approach is crucial,” according to Naga. “Implementing enhanced security measures, transparent bridge design and operations, rigorous audits, and involving the community in governance are essential.”
For Brown, “innovative solutions are emerging, such as Axelar's Interchain, which offer promising potential in mitigating the inherent risks of interoperability.”
Hopefully, these solutions come sooner rather than later.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.