Multichain (ANY)
Basics
History
- Rebranded from Anyswap to Multichain (2022).
Audits
- This protocol offers an active bug bounty of $2M (15-3-2022).
- Scored 36% on DeFi Safety (15-3-2022):
"Contracts can be found exclusively on Etherscan. While token related contracts are documented, DeFiSafety does not consider these in our analyses - in this instance we want to see the bridge contracts. There is no coverage of deployed contracts by software function documentation. However, there is API documentation that awards them 20% for this metric. There are no documented tests for code coverage in the Multichain GitHub or audits. Multichain has not undergone a Formal Verification test. AnySwap has been audited once before launch (it is now known as multichain since a rebranding). It has been since audited multiple times, with a Trail of Bits security assessment being released very recently."
With the comment:
"Multichain still has its wires crossed, and this is proven by the exploits they've suffered. With a fantastically high bug bounty and a great audit track record, it's clear that security is important to Multichain. Indeed, when Multichain suffered a recent exploit it acted responsibly by compensating the affected as well as building a tool to reduce funds at risk. However, this protocol provides absolutely no oracle information and offers no testing documentation either. This is unacceptable for such a critical piece of DeFi infrastructure with $6B+ TVL as it does. While this protocol should be commended for some aspects of its development, we strongly agree with TrailofBits when they say Multichain suffers from 'an immature codebase' stemming from 'incorrect protocol implementation' in 'critical areas'."
"Anyswap will reward anyone who reports bugs to us. This will help us build truly secure and even better cross-chain solutions."
Bugs/Exploits
- From DeFi Safety (15-3-2022):
"On 10-1-2022 $3m were taken from users via smart contract vulnerabilities. Compensation plans were implemented. An effective token approval revoking tool was created by Multichain. This is evidence of good process quality. This was an insignificant amount compared to Multichain's massive TVL."
- From Week in Ethereum (22-1-2022):
"Multichain bridge vulnerability, 600 ETH exploited."
"The funds lost were all $ pegged stablecoins totalling approximately $7.9M. The root of the exploit lay in the prototype V3 Router’s use of ECDSA, the algorithm securing its MPC wallet by generating private keys. This potential security flaw has been known since 2010, when console hacking group fail0verflow detailed the process here (p123-129). And its application to blockchain keys was later detailed in 2013. Despite this, Anyswap’s post-mortem states that the attacker detected a repeated k value in two of the V3 Router’s transactions on BSC, and was able to back-calculate the private key.
Anyswap stressed that “only the new V3 cross-chain liquidity pools have been affected” and that the bridge remains operational via V1 and V2 Routers. The post-mortem also states that the V3’s code has been fixed and will reopen after the 48hr timelock installed by the team expires. Although action was taken relatively quickly to prevent another attack, @nicksdjohnson is of the opinion that the patch does not do enough:
"Setting aside the fact that there's a much better, industry standard solution to this, their patch: Fails catastrophically (exposing users to another hack) if you accidentally delete a file, or restore from an old backup, or move to a new server. And it requires every signature request to scan every previous one, but really that's the smallest problem here."
Anyswap call themselves a “trustless protocol”, but perhaps that label no longer has the desired effect after such a damning evaluation from a leading Ethereum developer."
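An added example (not code from Multichain/Anyswap or from the quoted sources) contrasting the two approaches the quote above alludes to: a history-based repeat check, modelled here by the hypothetical HistoryGuard class, and stateless deterministic nonce derivation per RFC 6979. The quote does not name the "industry standard solution"; RFC 6979 and a single-key signer are assumptions made here, and all inputs are constructed.

```python
import hashlib
import hmac

# secp256k1 group order (public curve parameter).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def rfc6979_nonce(priv: int, msg: bytes, q: int = N) -> int:
    """Derive k from (key, message) per RFC 6979 section 3.2.
    Valid for a 256-bit order q with SHA-256; no stored state is needed."""
    x = priv.to_bytes(32, "big")
    h1 = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    z = (h1 % q).to_bytes(32, "big")            # bits2octets(H(m))
    v, k = b"\x01" * 32, b"\x00" * 32
    k = _mac(k, v + b"\x00" + x + z)
    v = _mac(k, v)
    k = _mac(k, v + b"\x01" + x + z)
    v = _mac(k, v)
    while True:
        v = _mac(k, v)
        cand = int.from_bytes(v, "big")
        if 1 <= cand < q:
            return cand
        k = _mac(k, v + b"\x00")                # rare retry path
        v = _mac(k, v)

class HistoryGuard:
    """Hypothetical model of a history-based check: refuse any nonce
    already recorded. Its safety depends entirely on `seen` surviving."""
    def __init__(self):
        self.seen = set()

    def accept(self, k: int) -> bool:
        if k in self.seen:
            return False
        self.seen.add(k)
        return True

def history_loss_demo(repeated_k: int) -> tuple:
    """Feed the same (constructed) nonce three times, losing state once."""
    guard = HistoryGuard()
    first = guard.accept(repeated_k)        # accepted: nothing recorded yet
    second = guard.accept(repeated_k)       # rejected: repeat is in history
    guard.seen = set()                      # file deleted / old backup restored
    third = guard.accept(repeated_k)        # accepted again: reuse goes unnoticed
    return first, second, third
```

With derivation tied to the key and message, two different messages cannot share a nonce through lost state, and the lookup cost does not grow with the number of past signatures.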
Critical vulnerability that affected 6 tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) has been reported and fixed. All assets on both V2 Bridge and V3 Router are safe, and cross-chain transactions can be done safely.
Governance
Admin Key
- From DeFi Safety (15-3-2022):
"Admin control information was not documented in any part of the documentation. The relevant contracts are not identified as immutable / upgradeable. Ownership is not clearly indicated. Smart contract change capabilities are not identified in any contracts. Multichain's pause control is not documented. Multichain has no timelock documentation. It is clear that the founder is familiar with the importance of timelock documentation when it comes to DAO contracts, so it stands to reason there should be timelock documentation for the rest of the protocol."
DAO
Treasury
Token
Launch
Token Allocation
Utility
Other Details
Stablecoin
Coin Distribution
Technology
- Whitepaper can be found here.
- Code can be viewed here. From DeFi Safety (15-3-2022):
"At 16 commits, the development history of Multichain's contract repository is not yet as rich as a portal to another world should be."
Implementations
- Built on: BSC. According to DeFi Safety, it also covers the following chains (17-3-2022): Arbitrum, Avalanche, Celo, Ethereum, Fantom, HECO, Moonriver, Polygon, Terra, Aurora, Harmony, Optimism, Moonbeam and Gnosis Chain (interestingly enough, BSC is not mentioned).
- Programming language used:
Transaction Details
How it works
Fee Mechanism
Upgrades
Staking
Validator Stats
Liquidity Mining
Scaling
Interoperability
- Also behind Allbridge.
Other Details
Oracle Method
- From DeFi Safety (15-3-2022):
"Multichain uses an MPC network instead of an oracle based system. The contracts dependent are identified. There is no relevant software function documentation. Multichain documents no front running mitigation strategies. This protocol documents no flashloan countermeasures."
Privacy Method
Compliance
Their Other Projects
Roadmap
- Can be found [Insert link here].
Usage
Projects that use or built on it
Competition
Pros and Cons
Pros
Cons
Team, Funding and Partners
Team
- From DeFi Safety (15-3-2022):
"Team members are public, though there is no one centralised list of employees. This LinkedIn employment list is incomplete, the CEO (for example) is not here."
Funding
Partners