Multichain Bridge Hack — July 6, 2023
Overview
On July 6, 2023, the cross-chain bridge protocol Multichain experienced unusually large, unauthorized withdrawals totaling approximately $126 million across multiple chains. The incident is widely considered to be either an external compromise or an insider rug pull tied to the prior arrest of the CEO.
Financial Impact
Total drained: ~$126 million in assets
Fantom bridge: ~$120 million (largest portion) — including wETH, wBTC, USDC
Moonriver bridge: ~$6.8 million (USDC and USDT)
Dogechain bridge: ~$666,000 (≈85% of total bridge deposits)
• Additional smaller losses on other supported chains
Background and Context: CEO Arrest
• On May 31, 2023, Multichain announced it had been unable to contact CEO Zhaojun.
• Reports indicated Zhaojun had been arrested by Chinese police, and that his computers, phones, and hardware wallets/devices had been confiscated.
• After the CEO's arrest, the team stated they had lost access to the platform's MPC (multi-party computation) keys and could not perform necessary technical maintenance.
• Zhaojun's sister was later reported to have transferred remaining funds to two addresses she controlled, ostensibly for "asset preservation," further muddying the picture.
Technical Root Cause / Attack Vector
• Classification: Private Key Compromised (Unknown Method).
• Multichain's bridge was secured by a Multi-Party Computation (MPC) system, conceptually similar to a multisig — multiple parties hold key shards which must cooperate to sign transactions.
• The hack vector implies that a sufficient number of MPC key shards were compromised to allow the attacker (or insider) to execute unauthorized withdrawals from bridge contracts.
• Whether the keys were leaked, seized, or insider-misused is not publicly proven and may be tied to the CEO's situation in China.
Hack vs. Rug Pull Debate
• Chainalysis and others documented that the unusual outflows have characteristics consistent with either an external exploit or an insider/rug-pull event.
• The combination of (a) MPC-key custody being effectively lost when the CEO was detained, (b) the sister moving residual funds, and (c) lack of any independent technical post-mortem from the team has led many analysts to lean toward an insider/rug interpretation.
Response & Remediation
• Multichain officially announced suspension of all bridging services and shut down the protocol.
• A Singapore court later ruled that Multichain owed Fantom Foundation roughly $2 million in damages tied to the exploit.
• No major recovery of the drained funds has been publicly reported.
• The Multichain protocol has effectively ceased operations.
Notable Sources Located (not directly fetchable in this run)