Difference between revisions of "Multichain (ANY)"
m (→Usage) |
m (→Pros) |
||
Line 26: | Line 26: | ||
===Bugs/Exploits=== | ===Bugs/Exploits=== | ||
* [https://www.defisafety.com/pqrs/418 From] [[DeFi Safety]] (15-3-2022): | * The team worked closely with whitehat hackers and recovered [https://medium.com/multichainorg/multichain-contract-vulnerability-post-mortem-d37bfab237c8 nearly 50%] of the total stolen funds. | ||
*[https://www.defisafety.com/pqrs/418 From] [[DeFi Safety]] (15-3-2022): | |||
''"On 10-1-2022 $3m were token from users via [[Smart Contract (SC)|smart contract]] vulnerabilities. Compensation plans were implemented. An effective token approval revoking tool was created by Multichain. This is evidence of good process quality. This was an insignificant amount compared to Mutlichain's massive [[Total Value Locked (TVL)|TVL]]."'' | ''"On 10-1-2022 $3m were token from users via [[Smart Contract (SC)|smart contract]] vulnerabilities. Compensation plans were implemented. An effective token approval revoking tool was created by Multichain. This is evidence of good process quality. This was an insignificant amount compared to Mutlichain's massive [[Total Value Locked (TVL)|TVL]]."'' | ||
*From [[Week In Ethereum|Week in Ethereum]] (22-1-2022): | *From [[Week In Ethereum|Week in Ethereum]] (22-1-2022): | ||
Line 45: | Line 46: | ||
===Admin Key=== | ===Admin Key=== | ||
* [https://blog.li.fi/navigating-arbitrary-messaging-bridges-a-comparison-framework-8720f302e2aa From] [[Li.Finance|Li.Fi]] (19-9-2022): | |||
''"anyCall makes the following trust assumptions:'' | |||
# ''Externally verified by the MPC network — anyCall transfers are verified by the MPC network, a group of 24 validator nodes. Thus, users need to trust the nodes to act honestly and also validate correct messages/transfers. ½ or 13 nodes can collude to steal user funds.'' | |||
# ''Nodes care about reputation — anyCall’s security relies on the reputational security of the nodes in the MPC network. It assumes that the potential benefits of acting maliciously and colluding to steal user funds are lesser than the reputational costs for the nodes.'' | |||
# ''Censorship risk — If 12 MPC nodes collude, they can censor a message through anyCall."'' | |||
* [https://www.defisafety.com/pqrs/418 From] [[DeFi Safety]] (15-3-2022): | * [https://www.defisafety.com/pqrs/418 From] [[DeFi Safety]] (15-3-2022): | ||
''"[[Admin Key|Admin control]] information was not documented in any part of the documentation. The relevant [[Smart Contract (SC)|contracts]] are not identified as [[immutable]] / upgradeable. Ownership is not clearly indicated. Smart [[contract]] change capabilities are not identified in any contracts. Multichain's pause control is not documented. Multichain has no [[timelock]] documentation. It is clear that the [https://twitter.com/zhaojun_sh/status/1503017411682848770 founder is familiar] with the importance of timelock documentation when it comes to [[Decentralised Autonomous Organisation (DAO)|DAO]] contracts, so it stands to reason there should be timelock documentation for the rest of the protocol."'' | ''"[[Admin Key|Admin control]] information was not documented in any part of the documentation. The relevant [[Smart Contract (SC)|contracts]] are not identified as [[immutable]] / upgradeable. Ownership is not clearly indicated. Smart [[contract]] change capabilities are not identified in any contracts. Multichain's pause control is not documented. Multichain has no [[timelock]] documentation. It is clear that the [https://twitter.com/zhaojun_sh/status/1503017411682848770 founder is familiar] with the importance of timelock documentation when it comes to [[Decentralised Autonomous Organisation (DAO)|DAO]] contracts, so it stands to reason there should be timelock documentation for the rest of the protocol."'' | ||
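Review bot: the thresholds in the added Li.Fi quote do not agree with each other. Item 1 gives "½ or 13 nodes" out of 24 as the number that can collude to steal funds, but half of 24 is 12, and item 3 then uses 12 as the censorship threshold. The text is a verbatim quote, so leave its wording alone, but check it against the linked source. Consider adding one unquoted line under the bullet that states the signing threshold the page relies on.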
Line 51: | Line 59: | ||
===DAO=== | ===DAO=== | ||
===Treasury=== | ===Treasury=== | ||
* [https://blog.li.fi/navigating-arbitrary-messaging-bridges-a-comparison-framework-8720f302e2aa From] [[Li.Finance|Li.Fi]] (19-9-2022): | |||
''"Multichain has an insurance fund where 10% of all transaction fees are stored. These funds can be used to compensate users if any assets are lost under special conditions."'' | |||
==Token== | ==Token== | ||
===Launch=== | ===Launch=== | ||
Line 75: | Line 88: | ||
===How it works=== | ===How it works=== | ||
=== | |||
* [https://blog.li.fi/navigating-arbitrary-messaging-bridges-a-comparison-framework-8720f302e2aa From] [[Li.Finance|Li.Fi]] (19-9-2022): | |||
''"anyCall’s architecture can be divided into two layers — the lower layer and the upper layer. The lower layer consists of an off-chain trust mechanism, whereas the upper layer consists of an on-chain call/trigger API.'' | |||
''The off-chain trust mechanism is responsible for validating messages from the source chain. It triggers the required operations after performing destination chain addressing as per the logic specified by dApps. The upper layer consists of a trigger API on the source chain and a call API on the destination chain. When the API on the source chain is triggered, the off-chain trust mechanism initiates the validation for consensus, and afterward, the call API on the destination chain completes the contract call as specified by the dApp.'' | |||
''anyCall relays messages across chains through the following contracts and functions:'' | |||
# ''anyCall Function — This function is present on the source chain and plays a key role in storing data to be transferred to the destination chain. The anyCall contract validates and relays messages to the destination chain.'' | |||
# ''Multichain’s MPC network — The MPC network consists of 24 nodes and is responsible for performing validity checks on messages sent to the anyCall contract by the anyCall Function. The anyCall contract is present in a common MPC address across all supported blockchains. When a message is sent by the anyCall function, MPC nodes ensure the security of the messages before sending them to the destination chain.'' | |||
# ''anyExec Function — The anyExec Function receives messages from the anyCall contract and executes the request on the destination chain."'' | |||
===Fees=== | |||
===Upgrades=== | ===Upgrades=== | ||
===Staking=== | ===Staking=== | ||
Line 83: | Line 109: | ||
===Interoperability=== | ===Interoperability=== | ||
* [https://blog.li.fi/navigating-arbitrary-messaging-bridges-a-comparison-framework-8720f302e2aa From] [[Li.Finance|Li.Fi]] (19-9-2022): | |||
''" It has tremendous connectivity and enables users to bridge over 1600+ tokens across 60+ blockchains, including EVM and non-EVM chains.'' | |||
''As of September 2022, anyCall supports arbitrary message passing and cross-chain contract calls across 11 chains: BNB Chain, Polygon, Ethereum, Optimism, Gnosis Chain, Fantom, Moonriver, IoTeX, Arbitrum, Avalanche, Harmony."'' | |||
* Supports [https://ournetwork.substack.com/p/ournetwork-issue-135?utm_source=substack&utm_medium=email 61 chains] (8-2022). | * Supports [https://ournetwork.substack.com/p/ournetwork-issue-135?utm_source=substack&utm_medium=email 61 chains] (8-2022). | ||
*Also behind [[Allbridge]]. | *Also behind [[Allbridge]]. | ||
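Review bot: the added Li.Fi quote opens with a stray space after the quotation mark (''" It has'') and with a pronoun that has no antecedent, because the excerpt starts mid-passage. Suggest opening it as ''"[Multichain] has tremendous connectivity …'' so the entry reads on its own. The "60+ blockchains" in the quote and the existing "61 chains (8-2022)" bullet below it now say nearly the same thing and could be merged.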
Line 103: | Line 134: | ||
==Usage== | ==Usage== | ||
* [https://ournetwork.substack.com/p/ournetwork-issue-135?utm_source=substack&utm_medium=email From] [[Our Network]] (27-8-2022): | * [https://blog.li.fi/navigating-arbitrary-messaging-bridges-a-comparison-framework-8720f302e2aa From] [[Li.Finance|Li.Fi]] (19-9-2022): "''Multichain has over $86B in total bridged volume to date and boasted a TVL of over $10B at peak. It constantly does over $50M in daily bridged volume from 3,000+ daily active users."'' | ||
*[https://ournetwork.substack.com/p/ournetwork-issue-135?utm_source=substack&utm_medium=email From] [[Our Network]] (27-8-2022): | |||
''"Offers bridging support for over 2,667 tokens and recently added NFT bridging functionality as well. According to [[DeFi Llama]], Multichain has the third largest [[Total Value Locked (TVL)|TVL]] of any bridge with $1.83b. [[Fantom (FTM)|Fantom]] accounts for a majority of the TVL with ~$1.1b, followed by nearly $280m on [[Ethereum (ETH)|Ethereum]] and ~$252m on [[Avalanche (AVAX)|Avalanche]]. Multichain recently surpassed $80b in total trade volume on May 20th 2022. That total has increased another ~7% to $85.85b. Multichain has also generated over $33m in fees on ~3.9m [[Transaction (Tx)|transactions]]."'' | ''"Offers bridging support for over 2,667 tokens and recently added NFT bridging functionality as well. According to [[DeFi Llama]], Multichain has the third largest [[Total Value Locked (TVL)|TVL]] of any bridge with $1.83b. [[Fantom (FTM)|Fantom]] accounts for a majority of the TVL with ~$1.1b, followed by nearly $280m on [[Ethereum (ETH)|Ethereum]] and ~$252m on [[Avalanche (AVAX)|Avalanche]]. Multichain recently surpassed $80b in total trade volume on May 20th 2022. That total has increased another ~7% to $85.85b. Multichain has also generated over $33m in fees on ~3.9m [[Transaction (Tx)|transactions]]."'' | ||
Line 113: | Line 145: | ||
==Pros and Cons== | ==Pros and Cons== | ||
===Pros=== | ===Pros=== | ||
* [https://blog.li.fi/navigating-arbitrary-messaging-bridges-a-comparison-framework-8720f302e2aa From] [[Li.Finance|Li.Fi]] (19-9-2022): | |||
# ''"Ease of deployment — Integrating anyCall is consistent and hassle-free for developers. The quick and easy integration enables developers to add the business logic of cross-chain transfers to their dApps without spending many resources.'' | |||
# ''Ability to transfer arbitrary data across chains — anyCall enables the transfer of arbitrary data like smart contracts, messages, tokens, NFTs, and data from one blockchain to another in just one transaction.'' | |||
# ''Improved UX — anyCall allows multiple functions (like bridging and swapping) to be performed with a single contract call. As a result, users have to go through fewer steps, improving a dApp’s UX significantly.'' | |||
# ''Cross-chain contract calls — This feature enables calling a contract on the destination chain directly from the source chain. anyCall can be used for any type of cross-chain communication, such as sharing information like state, data, and messages across chains."'' | |||
===Cons=== | ===Cons=== | ||
* Got hacked but also recovered [https://medium.com/multichainorg/multichain-contract-vulnerability-post-mortem-d37bfab237c8 50% of the funds] again. | |||
==Team, Funding and Partners== | ==Team, Funding and Partners== | ||
===Team=== | ===Team=== |
Revision as of 08:32, 2 October 2022
Basics
History
- Rebranded from Anyswap to Multichain (2022).
Audits
- This protocol offers an active bug bounty of $2M (15-3-2022).
- Scored 36% on DeFi Safety (15-3-2022):
"Contracts can be found exclusively on Etherscan. While token related contracts are documented, DeFiSafety does not consider these in our analyses - in this instance we want to see the bridge contracts. There is no coverage of deployed contracts by software function documentation. However, there is API documentation that awards them 20% for this metric. There are no documented tests for code coverage in the Multichain GitHub or audits. Multichain has not undergone a Formal Verification test. AnySwap has been audited once before launch (it is now known as multichain since a rebranding). It has been since audited multiple times, with a Trail of Bits security assessment being released very recently."
With the comment:
"Multichain still has its wires crossed, and this is proven by the exploits they've suffered. With a fantastically high bug bounty and a great audit track record, it's clear that security is important to Multichain. Indeed, when Multichain suffered a recent exploit it acted responsibly by compensating the affected as well as building a tool to reduce funds at risk. However, this protocol provides absolutely no oracle information and offers no testing documentation either. This is unacceptable for such a critical piece of DeFi infrastructure with $6B+ TVL as it does. While this protocol should be commended for some aspects of its development, we strongly agree with Trail of Bits when they say Multichain suffers from "an immature codebase" stemming from "incorrect protocol implementation" in "critical areas"."
"Anyswap will reward anyone who reports bugs to us. This will help us build truly secure and even better cross-chain solutions."
Bugs/Exploits
- The team worked closely with whitehat hackers and recovered nearly 50% of the total stolen funds.
- From DeFi Safety (15-3-2022):
"On 10-1-2022 $3m were taken from users via smart contract vulnerabilities. Compensation plans were implemented. An effective token approval revoking tool was created by Multichain. This is evidence of good process quality. This was an insignificant amount compared to Multichain's massive TVL."
- From Week in Ethereum (22-1-2022):
"Multichain bridge vulnerability, 600 ETH exploited."
"The funds lost were all $ pegged stablecoins totalling approximately $7.9M. The root of the exploit lay in the prototype V3 Router’s use of ECDSA, the algorithm securing its MPC wallet by generating private keys. This potential security flaw has been known since 2010, when console hacking group fail0verflow detailed the process here (p123-129). And its application to blockchain keys was later detailed in 2013. Despite this, Anyswap’s post-mortem states that the attacker detected a repeated k value in two of the V3 Router’s transactions on BSC, and was able to back-calculate the private key.
Anyswap stressed that “only the new V3 cross-chain liquidity pools have been affected” and that the bridge remains operational via V1 and V2 Routers. The post-mortem also states that the V3’s code has been fixed and will reopen after the 48hr timelock installed by the team expires. Although action was taken relatively quickly to prevent another attack, @nicksdjohnson is of the opinion that the patch does not do enough:
"Setting aside the fact that there's a much better, industry standard solution to this, their patch: Fails catastrophically (exposing users to another hack) if you accidentally delete a file, or restore from an old backup, or move to a new server. And it requires every signature request to scan every previous one, but really that's the smallest problem here."
Anyswap call themselves a “trustless protocol”, but perhaps that label no longer has the desired effect after such a damning evaluation from a leading Ethereum developer."
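The quoted criticism of the patch (a scan of all earlier signatures that breaks when the history file is lost) contrasts with a stateless nonce. The block below is an added example, not Anyswap's code or anything from the quoted sources: it derives k per RFC 6979, which is assumed here to be the "industry standard solution" the quote leaves unnamed, and audits signature records for a repeated r, the visible sign of a repeated k. It covers the single-signer case only; the function names and the sample records are constructed for illustration.

```python
"""Added example: stateless ECDSA nonces (RFC 6979) and a repeated-r audit."""
import hashlib
import hmac
from collections import defaultdict

# Order of the secp256k1 group, the curve behind Ethereum and BSC keys.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_nonce(priv: int, msg_hash: bytes) -> int:
    """Derive k from the private key and the 32-byte message hash only.

    No signing history is consulted, so a lost file or restored backup
    cannot make two different messages share a nonce.
    """
    if not 1 <= priv < N:
        raise ValueError("private key out of range")
    if len(msg_hash) != 32:
        raise ValueError("expected a 32-byte message digest")
    x = priv.to_bytes(32, "big")
    # bits2octets: reduce the digest modulo the group order.
    h1 = (int.from_bytes(msg_hash, "big") % N).to_bytes(32, "big")
    v, k = b"\x01" * 32, b"\x00" * 32
    k = _hmac(k, v + b"\x00" + x + h1)
    v = _hmac(k, v)
    k = _hmac(k, v + b"\x01" + x + h1)
    v = _hmac(k, v)
    while True:
        v = _hmac(k, v)
        candidate = int.from_bytes(v, "big")
        if 1 <= candidate < N:
            return candidate
        # Out-of-range candidate: reseed and try again, as the RFC specifies.
        k = _hmac(k, v + b"\x00")
        v = _hmac(k, v)


def find_reused_r(signatures):
    """Return {(signer, r): [tx, ...]} for each r a signer used more than once.

    r depends only on k, so a repeated r under one key means a repeated k.
    """
    seen = defaultdict(list)
    for sig in signatures:
        seen[(sig["signer"], sig["r"])].append(sig["tx"])
    return {key: txs for key, txs in seen.items() if len(txs) > 1}


# Constructed records (not real transactions): signer-A repeats r in tx-1 and tx-3.
SAMPLE_SIGNATURES = [
    {"signer": "signer-A", "tx": "tx-1", "r": 0x1111, "s": 0xAAAA},
    {"signer": "signer-A", "tx": "tx-2", "r": 0x2222, "s": 0xBBBB},
    {"signer": "signer-A", "tx": "tx-3", "r": 0x1111, "s": 0xCCCC},
    {"signer": "signer-B", "tx": "tx-4", "r": 0x3333, "s": 0xDDDD},
]

if __name__ == "__main__":
    digest = hashlib.sha256(b"constructed message").digest()
    print(hex(rfc6979_nonce(0xC0FFEE, digest)))
    print(find_reused_r(SAMPLE_SIGNATURES))
```

The audit needs the complete signature history to be meaningful, which is exactly the dependency the derivation removes from the signing path.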
Critical vulnerability that affected 6 tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) has been reported and fixed. All assets on both V2 Bridge and V3 Router are safe, and cross-chain transactions can be done safely.
Governance
Admin Key
- From Li.Fi (19-9-2022):
"anyCall makes the following trust assumptions:
- Externally verified by the MPC network — anyCall transfers are verified by the MPC network, a group of 24 validator nodes. Thus, users need to trust the nodes to act honestly and also validate correct messages/transfers. ½ or 13 nodes can collude to steal user funds.
- Nodes care about reputation — anyCall’s security relies on the reputational security of the nodes in the MPC network. It assumes that the potential benefits of acting maliciously and colluding to steal user funds are lesser than the reputational costs for the nodes.
- Censorship risk — If 12 MPC nodes collude, they can censor a message through anyCall."
- From DeFi Safety (15-3-2022):
"Admin control information was not documented in any part of the documentation. The relevant contracts are not identified as immutable / upgradeable. Ownership is not clearly indicated. Smart contract change capabilities are not identified in any contracts. Multichain's pause control is not documented. Multichain has no timelock documentation. It is clear that the founder is familiar with the importance of timelock documentation when it comes to DAO contracts, so it stands to reason there should be timelock documentation for the rest of the protocol."
DAO
Treasury
- From Li.Fi (19-9-2022):
"Multichain has an insurance fund where 10% of all transaction fees are stored. These funds can be used to compensate users if any assets are lost under special conditions."
Token
Launch
Token Allocation
Utility
Other Details
Stablecoin
Coin Distribution
Technology
- Whitepaper can be found here.
- Code can be viewed here. From DeFi Safety (15-3-2022):
"At 16 commits, the development history of Multichain's contract repository is not yet as rich as a portal to another world should be."
Implementations
- Built on:
- Programming language used:
Transaction Details
How it works
- From Li.Fi (19-9-2022):
"anyCall’s architecture can be divided into two layers — the lower layer and the upper layer. The lower layer consists of an off-chain trust mechanism, whereas the upper layer consists of an on-chain call/trigger API.
The off-chain trust mechanism is responsible for validating messages from the source chain. It triggers the required operations after performing destination chain addressing as per the logic specified by dApps. The upper layer consists of a trigger API on the source chain and a call API on the destination chain. When the API on the source chain is triggered, the off-chain trust mechanism initiates the validation for consensus, and afterward, the call API on the destination chain completes the contract call as specified by the dApp.
anyCall relays messages across chains through the following contracts and functions:
- anyCall Function — This function is present on the source chain and plays a key role in storing data to be transferred to the destination chain. The anyCall contract validates and relays messages to the destination chain.
- Multichain’s MPC network — The MPC network consists of 24 nodes and is responsible for performing validity checks on messages sent to the anyCall contract by the anyCall Function. The anyCall contract is present in a common MPC address across all supported blockchains. When a message is sent by the anyCall function, MPC nodes ensure the security of the messages before sending them to the destination chain.
- anyExec Function — The anyExec Function receives messages from the anyCall contract and executes the request on the destination chain."
Fees
Upgrades
Staking
Validator Stats
Liquidity Mining
Scaling
Interoperability
- From Li.Fi (19-9-2022):
"It has tremendous connectivity and enables users to bridge over 1600+ tokens across 60+ blockchains, including EVM and non-EVM chains.
As of September 2022, anyCall supports arbitrary message passing and cross-chain contract calls across 11 chains: BNB Chain, Polygon, Ethereum, Optimism, Gnosis Chain, Fantom, Moonriver, IoTeX, Arbitrum, Avalanche, Harmony."
- Supports 61 chains (8-2022).
- Also behind Allbridge.
- BSC and, according to DeFi Safety (17-3-2022), also the following chains: Arbitrum, Avalanche, Celo, Ethereum, Fantom, HECO, Moonriver, Polygon, Terra, Aurora, Harmony, Optimism, Moonbeam and Gnosis Chain (interestingly, that list does not mention BSC).
Other Details
Oracle Method
- From DeFi Safety (15-3-2022):
"Multichain uses an MPC network instead of an oracle based system. The contracts dependent are identified. There is no relevant software function documentation. Multichain documents no front running mitigation strategies. This protocol documents no flashloan countermeasures."
Privacy Method
Compliance
Their Other Projects
Roadmap
- Can be found [Insert link here].
Usage
- From Li.Fi (19-9-2022): "Multichain has over $86B in total bridged volume to date and boasted a TVL of over $10B at peak. It constantly does over $50M in daily bridged volume from 3,000+ daily active users."
- From Our Network (27-8-2022):
"Offers bridging support for over 2,667 tokens and recently added NFT bridging functionality as well. According to DeFi Llama, Multichain has the third largest TVL of any bridge with $1.83b. Fantom accounts for a majority of the TVL with ~$1.1b, followed by nearly $280m on Ethereum and ~$252m on Avalanche. Multichain recently surpassed $80b in total trade volume on May 20th 2022. That total has increased another ~7% to $85.85b. Multichain has also generated over $33m in fees on ~3.9m transactions."
Projects that use or built on it
Competition
Other bridges
Pros and Cons
Pros
- From Li.Fi (19-9-2022):
- "Ease of deployment — Integrating anyCall is consistent and hassle-free for developers. The quick and easy integration enables developers to add the business logic of cross-chain transfers to their dApps without spending many resources.
- Ability to transfer arbitrary data across chains — anyCall enables the transfer of arbitrary data like smart contracts, messages, tokens, NFTs, and data from one blockchain to another in just one transaction.
- Improved UX — anyCall allows multiple functions (like bridging and swapping) to be performed with a single contract call. As a result, users have to go through fewer steps, improving a dApp’s UX significantly.
- Cross-chain contract calls — This feature enables calling a contract on the destination chain directly from the source chain. anyCall can be used for any type of cross-chain communication, such as sharing information like state, data, and messages across chains."
Cons
- Was hacked, but recovered 50% of the funds.
Team, Funding and Partners
Team
- From DeFi Safety (15-3-2022):
"Team members are public, though there is no one centralised list of employees. This LinkedIn employment list is incomplete, the CEO (for example) is not here."
Funding
Partners