Back to all stories
Multichain Collapse: The Private Key Leak That Drained $125M+
1/8/2024
Project name: Multichain
Project type: Bridge
Date of exploit: July 6, 2023
Asset loss: More than $125M
Vulnerability: Private Key Issue
Date of audit report publishing:
- Nov 11, 2022: MultiChain Foundation - Cardano (Golang)
- Nov 21, 2022: MultiChain Foundation - Aptos (Move)
Conclusion: Out of Audit Scope
Details of the Exploit
Background
Multichain is a centralized cross-chain bridge protocol that allows users to bridge tokens between chains.
Nature of the Vulnerability
- The private key of Multichain is compromised, allowing the attacker to drain assets from the bridge protocol
CertiK Audit Overview
Conclusion
On July 6, 2023, the cross-chain bridge protocol Multichain experienced large unauthorized withdrawals, suggesting a likely Private Key issue.
It is identified as an out-of-scope issue since it is not an implementation bug.
Related Stories
From 12 March to 16 March we have seen nine private key compromises (PKC) that have led to a combined loss of at least $22.96 million in March, with five of those incidents incurring losses over $1 million. These incidents showcase the continued devastation that private key leakages can have on the Web3 ecosystem which has already seen approximately $239 million lost to this type of attack in 2024.
3/22/2024
On 22nd January, Concentric.fi was exploited leading to losses of over $1.85 million. The wallets that conducted the attack have been doxxed as the OKX exploiter. Concentric announced on X that their protocol was attacked due to a targeted social engineering attack leading to the compromise of one of their teams admin wallets. From there the attackers were able to upgrade Concentric vault contracts with a malicious implementation leading to losses in liquidity pools as well as users who had approved Concentric contracts.
1/23/2024
Narwhal’s token experienced two considerable drops within a two day period leading to an overall slippage of approximately 99%. The project’s official X account @Narwhal_fyi, announced that they had experienced an exploit, but did not give any specific details. Initial indications pointed to a private key compromise, however on-chain links suggest this incident was an exit scam. Approximately $1 million worth of funds were deposited into Tornado Cash with a further $410,000 sitting in two wallets. In this blog, we will outline the suspicious links that indicate that this incident is an exit scam.
1/10/2024
