Difference between revisions of "Multichain (ANY)"

From CryptoWiki

Line 46: Line 46:
===Admin Key===
===Admin Key===


* [https://blog.li.fi/navigating-arbitrary-messaging-bridges-a-comparison-framework-8720f302e2aa From] [[Li.Finance|Li.Fi]] (19-9-2022):
* [https://thedefiant.io/questions-on-multichain-funds From] [[The Defiant]] (26-10-2022):
''"Multichain has transferred almost $80M in [[stablecoins]] and 300 [[Bitcoin (BTC)|Bitcoin]]. L2 Beat says Multichain claimed the tokens were used to provide liquidity elsewhere on its network. “That’s users’ money, so either this is agreed with users in this chain, or they broke a social contract with users,” Bartek Kiepuszewski, a researcher at [[L2beat|L2 Beat]], told The Defiant. While transfer of the tokens from escrow can be seen [[On Chain|on-chain]], where those tokens ultimately went is a mystery, according to Kiepuszewski. Multichain did not respond to multiple requests for comment submitted via the contact email address listed on its website."''
*[https://blog.li.fi/navigating-arbitrary-messaging-bridges-a-comparison-framework-8720f302e2aa From] [[Li.Finance|Li.Fi]] (19-9-2022):


''"anyCall makes the following trust assumptions:''
''"anyCall makes the following trust assumptions:''
Line 155: Line 157:
===Cons===
===Cons===


* Got hacked but also recovered [https://medium.com/multichainorg/multichain-contract-vulnerability-post-mortem-d37bfab237c8 50% of the funds] again.
* [https://thedefiant.io/questions-on-multichain-funds Moved] users funds without explanation (26-10-2022).
*Got hacked but also recovered [https://medium.com/multichainorg/multichain-contract-vulnerability-post-mortem-d37bfab237c8 50% of the funds] again.


==Team, Funding and Partners==
==Team, Funding and Partners==

Revision as of 03:05, 31 October 2022

Basics

History

Audits

"Contracts can be found exclusively on Etherscan. While token related contracts are documented, DeFiSafety does not consider these in our analyses - in this instance we want to see the bridge contracts. There is no coverage of deployed contracts by software function documentation. However, there is API documentation that awards them 20% for this metric. There are no documented tests for code coverage in the Multichain GitHub or audits. Multichain has not undergone a Formal Verification test. AnySwap has been audited once before launch (it is now known as multichain since a rebranding). It has been since audited multiple times, with a Trail of Bits security assessment being released very recently."

With the comment:

"Multichain still has its wires crossed, and this is proven by the exploits they've suffered. With a fantastically high bug bounty and a great audit track record, it's clear that security is important to Multichain. Indeed, when Multichain suffered a recent exploit it acted responsibly by compensating the affected as well as building a tool to reduce funds at risk. However, this protocol provides absolutely no oracle information and offers no testing documentation either. This is unacceptable for such a critical piece of DeFi infrastructure with $6B+ TVL as it does. While this protocol should be commended for some aspects of its development, we strongly agree with TrailofBits when they say Multichain suffers from "an immature codebase" stemming from "incorrect protocol implementation" in "critical areas". "

"Anyswap will reward anyone who reports bugs to us. This will help us build truly secure and even better cross-chain solutions."

Bugs/Exploits

  • The team worked closely with whitehat hackers and recovered nearly 50% of the total stolen funds.
  • From DeFi Safety (15-3-2022):

"On 10-1-2022 $3m were token from users via smart contract vulnerabilities. Compensation plans were implemented. An effective token approval revoking tool was created by Multichain. This is evidence of good process quality. This was an insignificant amount compared to Mutlichain's massive TVL."

"Multichain bridge vulnerability, 600 ETH exploited."

"The funds lost were all $ pegged stablecoins totalling approximately $7.9M. The root of the exploit lay in the prototype V3 Router’s use of ECDSA, the algorithm securing its MPC wallet by generating private keys. This potential security flaw has been known since 2010, when console hacking group fail0verflow detailed the process here (p123-129). And its application to blockchain keys was later detailed in 2013. Despite this, Anyswap’s post-mortem states that the attacker detected a repeated k value in two of the V3 Router’s transactions on BSC, and was able to back-calculate the private key.

Anyswap stressed that “only the new V3 cross-chain liquidity pools have been affected” and that the bridge remains operational via V1 and V2 Routers. The post-mortem also states that the V3’s code has been fixed and will reopen after the 48hr timelock installed by the team expires. Although action was taken relatively quickly to prevent another attack, @nicksdjohnson is of the opinion that the patch does not do enough:

"Setting aside the fact that there's a much better, industry standard solution to this, their patch: Fails catastrophically (exposing users to another hack) if you accidentally delete a file, or restore from an old backup, or move to a new server. And it requires every signature request to scan every previous one, but really that's the smallest problem here."

Anyswap call themselves a “trustless protocol”, but perhaps that label no longer has the desired effect after such a damning evaluation from a leading Ethereum developer."

Critical vulnerability that affected 6 tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) has been reported and fixed. All assets on both V2 Bridge and V3 Router are safe, and cross-chain transactions can be done safely.:

Governance

Admin Key

"Multichain has transferred almost $80M in stablecoins and 300 Bitcoin. L2 Beat says Multichain claimed the tokens were used to provide liquidity elsewhere on its network. “That’s users’ money, so either this is agreed with users in this chain, or they broke a social contract with users,” Bartek Kiepuszewski, a researcher at L2 Beat, told The Defiant. While transfer of the tokens from escrow can be seen on-chain, where those tokens ultimately went is a mystery, according to Kiepuszewski. Multichain did not respond to multiple requests for comment submitted via the contact email address listed on its website."

"anyCall makes the following trust assumptions:

  1. Externally verified by the MPC network — anyCall transfers are verified by the MPC network, a group of 24 validator nodes. Thus, users need to trust the nodes to act honestly and also validate correct messages/transfers. ½ or 13 nodes can collude to steal user funds.
  2. Nodes care about reputation — anyCall’s security relies on the reputational security of the nodes in the MPC network. It assumes that the potential benefits of acting maliciously and colluding to steal user funds are lesser than the reputational costs for the nodes.
  3. Censorship risk — If 12 MPC nodes collude, they can censor a message through anyCall."

"Admin control information was not documented in any part of the documentation. The relevant contracts are not identified as immutable / upgradeable. Ownership is not clearly indicated. Smart contract change capabilities are not identified in any contracts. Multichain's pause control is not documented. Multichain has no timelock documentation. It is clear that the founder is familiar with the importance of timelock documentation when it comes to DAO contracts, so it stands to reason there should be timelock documentation for the rest of the protocol."

DAO

Treasury

"Multichain has an insurance fund where 10% of all transaction fees are stored. These funds can be used to compensate users if any assets are lost under special conditions."

Token

Launch

Token Allocation

Utility

Other Details

Stablecoin

Coin Distribution

Technology

"At 16 commits, the development history of Multichain's contract repository is not yet as rich as a portal to another world should be."

Implementations

  • Built on:
  • Programming language used:

Transaction Details

How it works

"anyCall’s architecture can be divided into two layers — the lower layer and the upper layer. The lower layer consists of an off-chain trust mechanism, whereas the upper layer consists of an on-chain call/trigger API.

The off-chain trust mechanism is responsible for validating messages from the source chain. It triggers the required operations after performing destination chain addressing as per the logic specified by dApps. The upper layer consists of a trigger API on the source chain and a call API on the destination chain. When the API on the source chain is triggered, the off-chain trust mechanism initiates the validation for consensus, and afterward, the call API on the destination chain completes the contract call as specified by the dApp.

anyCall relays messages across chains through the following contracts and functions:

  1. anyCall Function — This function is present on the source chain and plays a key role in storing data to be transferred to the destination chain. The anyCall contract validates and relays messages to the destination chain.
  2. Multichain’s MPC network — The MPC network consists of 24 nodes and is responsible for performing validity checks on messages sent to the anyCall contract by the anyCall Function. The anyCall contract is present in a common MPC address across all supported blockchains. When a message is sent by the anyCall function, MPC nodes ensure the security of the messages before sending them to the destination chain.
  3. anyExec Function — The anyExec Function receives messages from the anyCall contract and executes the request on the destination chain."

Fees

Upgrades

Staking

Validator Stats

Liquidity Mining

Scaling

Interoperability

" It has tremendous connectivity and enables users to bridge over 1600+ tokens across 60+ blockchains, including EVM and non-EVM chains.

As of September 2022, anyCall supports arbitrary message passing and cross-chain contract calls across 11 chains: BNB Chain, Polygon, Ethereum, Optimism, Gnosis Chain, Fantom, Moonriver, IoTeX, Arbitrum, Avalanche, Harmony."

Other Details

Oracle Method

"Multichain uses an MPC network instead of an oracle based system. The contracts dependent are identified. There is no relevant software function documentation. Multichain documents no front running mitigation strategies. This protocol documents no flashloan countermeasures."

Privacy Method

Compliance

Their Other Projects

Roadmap

  • Can be found [Insert link here].

Usage

  • From Li.Fi (19-9-2022): "Multichain has over $86B in total bridged volume to date and boasted a TVL of over $10B at peak. It constantly does over $50M in daily bridged volume from 3,000+ daily active users."
  • From Our Network (27-8-2022):

"Offers bridging support for over 2,667 tokens and recently added NFT bridging functionality as well. According to DeFi Llama, Multichain has the third largest TVL of any bridge with $1.83b. Fantom accounts for a majority of the TVL with ~$1.1b, followed by nearly $280m on Ethereum and ~$252m on Avalanche. Multichain recently surpassed $80b in total trade volume on May 20th 2022. That total has increased another ~7% to $85.85b. Multichain has also generated over $33m in fees on ~3.9m transactions."

Projects that use or built on it

Competition

Other bridges

Pros and Cons

Pros

  1. "Ease of deployment — Integrating anyCall is consistent and hassle-free for developers. The quick and easy integration enables developers to add the business logic of cross-chain transfers to their dApps without spending many resources.
  2. Ability to transfer arbitrary data across chains — anyCall enables the transfer of arbitrary data like smart contracts, messages, tokens, NFTs, and data from one blockchain to another in just one transaction.
  3. Improved UX — anyCall allows multiple functions (like bridging and swapping) to be performed with a single contract call. As a result, users have to go through fewer steps, improving a dApp’s UX significantly.
  4. Cross-chain contract calls — This feature enables calling a contract on the destination chain directly from the source chain. anyCall can be used for any type of cross-chain communication, such as sharing information like state, data, and messages across chains."

Cons

  • Moved users funds without explanation (26-10-2022).
  • Got hacked but also recovered 50% of the funds again.

Team, Funding and Partners

Team

"Team members are public, though there is no one centralised list of employees. This LinkedIn employment list is incomplete, the CEO (for example) is not here."

Funding

Partners

(:

Knowledge empowers all and will help us get closer to the decentralized world we all want to live in!

Making these free wiki pages is fun but takes a lot of effort and time.

If you have enjoyed reading, tips are appreciated :) This will help us to keep expanding this archive of information.

ETH tip address: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31

Also check out CoinTr.ee for more content.