Multichain (ANY)

From CryptoWiki

Basics

  • Based in:
  • Started in / Announced on:
  • Testnet release:
  • Mainnet release:

History

Audits

"Contracts can be found exclusively on Etherscan. While token related contracts are documented, DeFiSafety does not consider these in our analyses - in this instance we want to see the bridge contracts. There is no coverage of deployed contracts by software function documentation. However, there is API documentation that awards them 20% for this metric. There are no documented tests for code coverage in the Multichain GitHub or audits. Multichain has not undergone a Formal Verification test. AnySwap has been audited once before launch (it is now known as Multichain since a rebranding). It has been since audited multiple times, with a Trail of Bits security assessment being released very recently."

With the comment:

"Multichain still has its wires crossed, and this is proven by the exploits they've suffered. With a fantastically high bug bounty and a great audit track record, it's clear that security is important to Multichain. Indeed, when Multichain suffered a recent exploit it acted responsibly by compensating the affected as well as building a tool to reduce funds at risk. However, this protocol provides absolutely no oracle information and offers no testing documentation either. This is unacceptable for such a critical piece of DeFi infrastructure with $6B+ TVL as it does. While this protocol should be commended for some aspects of its development, we strongly agree with Trail of Bits when they say Multichain suffers from "an immature codebase" stemming from "incorrect protocol implementation" in "critical areas"."

"Anyswap will reward anyone who reports bugs to us. This will help us build truly secure and even better cross-chain solutions."

Bugs/Exploits

"On 10-1-2022 $3m were taken from users via smart contract vulnerabilities. Compensation plans were implemented. An effective token approval revoking tool was created by Multichain. This is evidence of good process quality. This was an insignificant amount compared to Multichain's massive TVL."

"Multichain bridge vulnerability, 600 ETH exploited."

"The funds lost were all $ pegged stablecoins totalling approximately $7.9M. The root of the exploit lay in the prototype V3 Router’s use of ECDSA, the algorithm securing its MPC wallet by generating private keys. This potential security flaw has been known since 2010, when console hacking group fail0verflow detailed the process here (p123-129). And its application to blockchain keys was later detailed in 2013. Despite this, Anyswap’s post-mortem states that the attacker detected a repeated k value in two of the V3 Router’s transactions on BSC, and was able to back-calculate the private key.

Anyswap stressed that “only the new V3 cross-chain liquidity pools have been affected” and that the bridge remains operational via V1 and V2 Routers. The post-mortem also states that the V3’s code has been fixed and will reopen after the 48hr timelock installed by the team expires. Although action was taken relatively quickly to prevent another attack, @nicksdjohnson is of the opinion that the patch does not do enough:

"Setting aside the fact that there's a much better, industry standard solution to this, their patch: Fails catastrophically (exposing users to another hack) if you accidentally delete a file, or restore from an old backup, or move to a new server. And it requires every signature request to scan every previous one, but really that's the smallest problem here."

Anyswap call themselves a “trustless protocol”, but perhaps that label no longer has the desired effect after such a damning evaluation from a leading Ethereum developer."
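The nonce-reuse failure and the criticism of the history-based patch quoted above, as an added Python example (not Anyswap's code and not from the quoted sources): it derives ECDSA nonces deterministically per RFC 6979, shows a history-based guard accepting a repeated nonce once its log is lost, and audits signature records for a repeated r value, which is what a reused k produces. Assumptions: that RFC 6979 is the kind of stateless solution the quote has in mind, the hypothetical `history_guard` as a model of the patch, and all function names and sample records, which are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Order of the secp256k1 group (public curve parameter).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def rfc6979_k(priv, msg):
    """Deterministic nonce (RFC 6979, 256-bit curve order, SHA-256)."""
    h1 = hashlib.sha256(msg).digest()
    x = priv.to_bytes(32, "big")
    z = (int.from_bytes(h1, "big") % N).to_bytes(32, "big")  # bits2octets
    v, key = b"\x01" * 32, b"\x00" * 32
    key = _mac(key, v + b"\x00" + x + z)
    v = _mac(key, v)
    key = _mac(key, v + b"\x01" + x + z)
    v = _mac(key, v)
    while True:
        v = _mac(key, v)
        k = int.from_bytes(v, "big")
        if 1 <= k < N:
            return k  # depends only on key and message, no stored state
        key = _mac(key, v + b"\x00")
        v = _mac(key, v)

def history_guard(k, seen):
    """Hypothetical stateful check: refuse a nonce already in the log."""
    if k in seen:
        raise ValueError("nonce already used")
    seen.add(k)
    return k

def guard_after_state_loss(k):
    """A repeated nonce passes when the log is lost between two requests."""
    history_guard(k, set())
    return history_guard(k, set()) == k  # log deleted or old backup restored

def find_reused_r(records):
    """Audit (signer, r, txid) records for an r value a signer used twice."""
    groups = defaultdict(list)
    for signer, r, txid in records:
        groups[(signer, r)].append(txid)
    return {key: txs for key, txs in groups.items() if len(txs) > 1}

# Constructed sample records, not data from the incident.
SAMPLE = [("A", 0x1111, "tx1"), ("A", 0x2222, "tx2"), ("A", 0x1111, "tx3"), ("B", 0x1111, "tx4")]
```

In production, use a maintained signing library that implements RFC 6979 rather than a hand-written derivation; the audit function applies equally to signatures already published on-chain.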

A critical vulnerability that affected 6 tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) has been reported and fixed. All assets on both V2 Bridge and V3 Router are safe, and cross-chain transactions can be done safely.

Governance

Admin Key

"Admin control information was not documented in any part of the documentation. The relevant contracts are not identified as immutable / upgradeable. Ownership is not clearly indicated. Smart contract change capabilities are not identified in any contracts. Multichain's pause control is not documented. Multichain has no timelock documentation. It is clear that the founder is familiar with the importance of timelock documentation when it comes to DAO contracts, so it stands to reason there should be timelock documentation for the rest of the protocol."

DAO

Treasury

Token

Launch

Token Allocation

Utility

Other Details

Stablecoin

Coin Distribution

Technology

"At 16 commits, the development history of Multichain's contract repository is not yet as rich as a portal to another world should be."

Implementations

Transaction Details

How it works

Fee Mechanism

Upgrades

Staking

Validator Stats

Liquidity Mining

Scaling

Interoperability

Other Details

Oracle Method

"Multichain uses an MPC network instead of an oracle based system. The contracts dependent are identified. There is no relevant software function documentation. Multichain documents no front running mitigation strategies. This protocol documents no flashloan countermeasures."

Privacy Method

Compliance

Their Other Projects

Roadmap

Usage

Projects that use or built on it

Competition

Pros and Cons

Pros

Cons

Team, Funding and Partners

Team

"Team members are public, though there is no one centralised list of employees. This LinkedIn employment list is incomplete, the CEO (for example) is not here."

Funding

Partners
