Multichain (ANY)

Basics

• Based in:
• Started in / Announced on:
• Testnet release:
• Mainnet release: 7-2020

History

• In May 2023 funds got locked, in June the CEO went missing and in July $200M+ funds were moved.
• Rebranded from Anyswap to Multichain (2022).

Audits

• This protocol offers an active bug bounty of $2M (15-3-2022).
• Scored 36% on DeFi Safety (15-3-2022):

"Contracts can be found exclusively on Etherscan. While token related contracts are documented, DeFiSafety does not consider these in our analyses - in this instance we want to see the bridge contracts. There is no coverage of deployed contracts by software function documentation. However, there is API documentation that awards them 20% for this metric. There are no documented tests for code coverage in the Multichain GitHub or audits. Multichain has not undergone a Formal Verification test. AnySwap has been audited once before launch (it is now known as multichain since a rebranding). It has been since audited multiple times, with a Trail of Bits security assessment being released very recently."

With the comment:

"Multichain still has its wires crossed, and this is proven by the exploits they've suffered. With a fantastically high bug bounty and a great audit track record, it's clear that security is important to Multichain. Indeed, when Multichain suffered a recent exploit it acted responsibly by compensating the affected as well as building a tool to reduce funds at risk. However, this protocol provides absolutely no oracle information and offers no testing documentation either. This is unacceptable for such a critical piece of DeFi infrastructure with $6B+ TVL as it does. While this protocol should be commended for some aspects of its development, we strongly agree with TrailofBits when they say Multichain suffers from "an immature codebase" stemming from "incorrect protocol implementation" in "critical areas". "

• From Rekt (13-7-2021):

"Anyswap will reward anyone who reports bugs to us. This will help us build truly secure and even better cross-chain solutions."

Bugs/Exploits

• From Blockthreat (11-2023):

"Multichain lost another $260,000 due to insufficient function access control vulnerability. That’s just embarrassing, especially for a protocol that was already hacked 6 times in the past 3 years."

• More weirdness (11-2023) with Multichain which reopened briefly without any announcement which allowed a trader to arbitrage depegged tokens for a $1m profit.
• From Decrypt (11-7-2023):

"Hackers drained cross-chain bridge Multichain of $125 million last week. And just yesterday, another $103 million in crypto was moved to various blockchain addresses, security firm Beosin said. And blockchain analysts are now saying it might have been an inside job.

In a Monday report, blockchain data firm Chainalysis said the exploit “appears to be a hack or rug pull by insiders” that has led many “ecosystem participants perplexed.” It has been locked since May due to what was described as a technical issue, with users unable to make transactions.

The exploit was due to the project administrator’s keys being compromised—if not used by the administrator directly—and Chainalysis said this is evidence of a “rug pull.”

• The Multichain issues continue (2-6-2023), as their official Twitter updated on Wednesday that they were unable to contact their CEO Zhaojun to "obtain necessary server access for maintenance." As a result, several cross-chain services continue to be impacted. Rumors have continued to spread that some Multichain staff were detained in China.
• Multichain pledges to compensate users after 'force majeure' incident (31-5-2023).
• The team worked closely with whitehat hackers and recovered nearly 50% of the total stolen funds.
• From DeFi Safety (15-3-2022):

"On 10-1-2022 $3m were token from users via smart contract vulnerabilities. Compensation plans were implemented. An effective token approval revoking tool was created by Multichain. This is evidence of good process quality. This was an insignificant amount compared to Mutlichain's massive TVL."

• From Week in Ethereum (22-1-2022):

"Multichain bridge vulnerability, 600 ETH exploited."

• From Rekt (13-7-2021):

"The funds lost were all $ pegged stablecoins totalling approximately $7.9M. The root of the exploit lay in the prototype V3 Router’s use of ECDSA, the algorithm securing its MPC wallet by generating private keys. This potential security flaw has been known since 2010, when console hacking group fail0verflow detailed the process here (p123-129). And its application to blockchain keys was later detailed in 2013. Despite this, Anyswap’s post-mortem states that the attacker detected a repeated k value in two of the V3 Router’s transactions on BSC, and was able to back-calculate the private key.

Anyswap stressed that “only the new V3 cross-chain liquidity pools have been affected” and that the bridge remains operational via V1 and V2 Routers. The post-mortem also states that the V3’s code has been fixed and will reopen after the 48hr timelock installed by the team expires. Although action was taken relatively quickly to prevent another attack, @nicksdjohnson is of the opinion that the patch does not do enough:

"Setting aside the fact that there's a much better, industry standard solution to this, their patch: Fails catastrophically (exposing users to another hack) if you accidentally delete a file, or restore from an old backup, or move to a new server. And it requires every signature request to scan every previous one, but really that's the smallest problem here."

Anyswap call themselves a “trustless protocol”, but perhaps that label no longer has the desired effect after such a damning evaluation from a leading Ethereum developer."

• From their Twitter (17-1-2022):

Critical vulnerability that affected 6 tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) has been reported and fixed. All assets on both V2 Bridge and V3 Router are safe, and cross-chain transactions can be done safely.:

Governance

Admin Key

• From The Defiant (26-10-2022):

"Multichain has transferred almost $80M in stablecoins and 300 Bitcoin. L2 Beat says Multichain claimed the tokens were used to provide liquidity elsewhere on its network. “That’s users’ money, so either this is agreed with users in this chain, or they broke a social contract with users,” Bartek Kiepuszewski, a researcher at L2 Beat, told The Defiant. While transfer of the tokens from escrow can be seen on-chain, where those tokens ultimately went is a mystery, according to Kiepuszewski. Multichain did not respond to multiple requests for comment submitted via the contact email address listed on its website."

• From Li.Fi (19-9-2022):

"anyCall makes the following trust assumptions:

1. Externally verified by the MPC network — anyCall transfers are verified by the MPC network, a group of 24 validator nodes. Thus, users need to trust the nodes to act honestly and also validate correct messages/transfers. ½ or 13 nodes can collude to steal user funds.
2. Nodes care about reputation — anyCall’s security relies on the reputational security of the nodes in the MPC network. It assumes that the potential benefits of acting maliciously and colluding to steal user funds are lesser than the reputational costs for the nodes.
3. Censorship risk — If 12 MPC nodes collude, they can censor a message through anyCall."

• From DeFi Safety (15-3-2022):

"Admin control information was not documented in any part of the documentation. The relevant contracts are not identified as immutable / upgradeable. Ownership is not clearly indicated. Smart contract change capabilities are not identified in any contracts. Multichain's pause control is not documented. Multichain has no timelock documentation. It is clear that the founder is familiar with the importance of timelock documentation when it comes to DAO contracts, so it stands to reason there should be timelock documentation for the rest of the protocol."

• Has a 48hr timelock (13-7-2021).

DAO

Treasury

• From Li.Fi (19-9-2022):

"Multichain has an insurance fund where 10% of all transaction fees are stored. These funds can be used to compensate users if any assets are lost under special conditions."

Token

Launch

Token Allocation

Utility

Other Details

Stablecoin

Coin Distribution

Technology

• Whitepaper can be found here.
• Code can be viewed here. From DeFi Safety (15-3-2022):

"At 16 commits, the development history of Multichain's contract repository is not yet as rich as a portal to another world should be."

Implementations

• Built on:
• Programming language used:

Transaction Details

• Capacity (TPS):
• Latency:

How it works

• From Li.Fi (19-9-2022):

"anyCall’s architecture can be divided into two layers — the lower layer and the upper layer. The lower layer consists of an off-chain trust mechanism, whereas the upper layer consists of an on-chain call/trigger API.

The off-chain trust mechanism is responsible for validating messages from the source chain. It triggers the required operations after performing destination chain addressing as per the logic specified by dApps. The upper layer consists of a trigger API on the source chain and a call API on the destination chain. When the API on the source chain is triggered, the off-chain trust mechanism initiates the validation for consensus, and afterward, the call API on the destination chain completes the contract call as specified by the dApp.

anyCall relays messages across chains through the following contracts and functions:

1. anyCall Function — This function is present on the source chain and plays a key role in storing data to be transferred to the destination chain. The anyCall contract validates and relays messages to the destination chain.
2. Multichain’s MPC network — The MPC network consists of 24 nodes and is responsible for performing validity checks on messages sent to the anyCall contract by the anyCall Function. The anyCall contract is present in a common MPC address across all supported blockchains. When a message is sent by the anyCall function, MPC nodes ensure the security of the messages before sending them to the destination chain.
3. anyExec Function — The anyExec Function receives messages from the anyCall contract and executes the request on the destination chain."

Fees

Upgrades

Staking

Validator Stats

Liquidity Mining

Scaling

Interoperability

• From Li.Fi (19-9-2022):

" It has tremendous connectivity and enables users to bridge over 1600+ tokens across 60+ blockchains, including EVM and non-EVM chains.

As of September 2022, anyCall supports arbitrary message passing and cross-chain contract calls across 11 chains: BNB Chain, Polygon, Ethereum, Optimism, Gnosis Chain, Fantom, Moonriver, IoTeX, Arbitrum, Avalanche, Harmony."

• Supports 61 chains (8-2022).
• Also behind Allbridge.
• BSC and according to DeFi Safety also covers the following chains (17-3-2022): Arbitrum, Avalanche, Celo, Ethereum, Fantom, HECO, Moonriver, Polygon, Terra, Aurora, Harmony, Optimism, Moonbeam and Gnosis Chain (interestingly enough not mentioning BSC).

Other Details

Oracle Method

• From DeFi Safety (15-3-2022):

"Multichain uses an MPC network instead of an oracle based system. The contracts dependent are identified. There is no relevant software function documentation. Multichain documents no front running mitigation strategies. This protocol documents no flashloan countermeasures."

Privacy Method

Compliance

Their Other Projects

Roadmap

• Can be found [Insert link here].

Usage

• From Li.Fi (19-9-2022): "Multichain has over $86B in total bridged volume to date and boasted a TVL of over $10B at peak. It constantly does over $50M in daily bridged volume from 3,000+ daily active users."
• From Our Network (27-8-2022):

"Offers bridging support for over 2,667 tokens and recently added NFT bridging functionality as well. According to DeFi Llama, Multichain has the third largest TVL of any bridge with $1.83b. Fantom accounts for a majority of the TVL with ~$1.1b, followed by nearly $280m on Ethereum and ~$252m on Avalanche. Multichain recently surpassed $80b in total trade volume on May 20th 2022. That total has increased another ~7% to $85.85b. Multichain has also generated over $33m in fees on ~3.9m transactions."

Projects that use or built on it

Competition

Other bridges

Pros and Cons

Pros

• From Li.Fi (19-9-2022):

1. "Ease of deployment — Integrating anyCall is consistent and hassle-free for developers. The quick and easy integration enables developers to add the business logic of cross-chain transfers to their dApps without spending many resources.
2. Ability to transfer arbitrary data across chains — anyCall enables the transfer of arbitrary data like smart contracts, messages, tokens, NFTs, and data from one blockchain to another in just one transaction.
3. Improved UX — anyCall allows multiple functions (like bridging and swapping) to be performed with a single contract call. As a result, users have to go through fewer steps, improving a dApp’s UX significantly.
4. Cross-chain contract calls — This feature enables calling a contract on the destination chain directly from the source chain. anyCall can be used for any type of cross-chain communication, such as sharing information like state, data, and messages across chains."

Cons

• Moved users funds without explanation (26-10-2022).
• Got hacked but also recovered 50% of the funds again.

Team, Funding and Partners

Team

• From DeFi Safety (15-3-2022):

"Team members are public, though there is no one centralised list of employees. This LinkedIn employment list is incomplete, the CEO (for example) is not here."

Funding

Partners

(:

Knowledge empowers all and will help us get closer to the decentralized world we all want to live in!

Making these free wiki pages is fun but takes a lot of effort and time.

If you have enjoyed reading, tips are appreciated :) This will help us to keep expanding this archive of information.

ETH tip address: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31

Also check out CoinTr.ee for more content.