On May 24, 2023, rumors emerged that crypto bridge Multichain’s CEO Zhaojun had been arrested in China.
The initial damage caused by his arrest was unknown, but it soon became public that he had sole server access and certain parts of the protocol began to fail. The remaining team called it a “force majeure,” and over the course of the next 6 weeks almost no information came out about potential risks.
On July 6, 2023, an exploiter drained more than $100m in assets from Multichain’s wallets. The team confirmed that the funds were stolen and asked the wider community to revoke access to their contracts. Only after the hack did the team publicly state the CEO had been taken into custody by Chinese police. All of Zhaojun’s computers, phones, hardware wallets and mnemonic phrases were seized. Multichain also stated that “all operational funds and investments from investors have been under Zhaojun's control” since inception and that they had no access to any servers.
The first rule of crypto is “not your keys, not your crypto.”
All of the assets held by Multichain were in fact controlled by one man. He’s not the first crypto founder to randomly disappear with all deposited assets. The Multichain incident is just another lesson about the dangers of plowing funds into non-transparent crypto protocols with single points of failure. Bridges have been especially vulnerable to attack.
The problem with crypto bridges
Hackers love bridges. They are the juiciest targets in crypto.
According to DeFiLlama, 50% of the largest hacks ever were against bridges. Billions of dollars were stolen because of exploitable code. Bridges are a necessary infrastructural element of crypto networks, but they are the most prone to exploit. Multichain’s woes are yet another addition to this painful ranking.
When a bridge gets hacked, the attacker immediately takes all of the freezable assets like USDC, USDT, and other tokens, and dumps them for ETH, BTC, and other immutable assets. They then send those assets off to mixers like Tornado Cash where they break the chain of custody and prevent law enforcement from tracking them.
The money is gone in a single block.
Poof.
Normal operations immediately switch to sending empty ETH transactions to the attacker’s address begging for the money back and offering to pay a white hat fee. It’s not a great position to be sitting in while your protocol burns down around you.
Law enforcement gets called in, but what can they do when the funds are already funding a Lazarus office party?
What are crypto bridges?
We live in a multichain world (no pun intended). Ethereum, Avalanche, Solana, Sui, Aptos, and the list keeps going on and on. These ecosystems are fertile grounds for decentralized finance, but they all have one major problem.
They don’t talk to each other.
They are their own siloed ecosystems. Assets that live on one chain can’t go to another without help.
So how do we transfer assets back and forth between blockchains? There are a few options.
The first option is to take an asset which is native to a blockchain, like Ethereum’s native token ETH, and then wrap it. You then transmit some information to the other blockchain and create a synthetic asset there.
For example, ETH can be wrapped and moved to Avalanche, where it becomes Avalanche wrapped ETH (or just wETH).
The second option is to burn and reissue the asset. This is the preferred method for centrally issued and controlled assets like USDC. See, when you send USDC across a bridge by just wrapping, like in our last example, the resulting asset may not be considered “canonical,” that is, the officially recognized version of that asset.
So while USDC can be bridged across to Avalanche, once it arrives, it ends up as e.USDC, a non-canonical version of USDC. If you want to move that e.USDC to Solana, you first have to go back to Ethereum to unwrap your non-canonical USDC, and then use another bridge to get to Solana.
Canonical assets are important for compatibility across networks. In the future DeFi is going to be so diverse and abstracted that you won’t even know what chain you are using, so it’s important that your assets can be bridged to and from another network without any hiccups.
Bridges for Billionaires
The title of this article asks which bridges extremely wealthy crypto holders trust with their assets.
It’s actually a very difficult question.
If you had to move $100m of assets from one chain to another, how would you do it?
Going back to how bridges work, you're giving over control of your assets to a faceless protocol for custody (or maybe a now-in-custody-CEO-who-has-singular-account-access). The idea is that they give you a synthetic receipt token which you can exchange back for your assets at a later date. If all goes well, when you are ready to bridge back, you swap, pay a small fee and get your assets back.
The amount of emphasis on “if” cannot be overstated here.
Wrapping assets internally to a network is a well defined operation with robust security guarantees. Wrapping ETH for WETH on Ethereum is quite possibly the most secure contract across the entire network.
A bridge is more than a wrapper. It’s a complex communication protocol, which means an infinitely higher surface area for hackers to attack and exploit.
Any weakness in the code or system infrastructure enables attackers to steal money. It’s an extremely difficult solution.
Frax even had its own bridge issues related to a hack. In June 2022, the Harmony bridge was hacked, and several million dollars of Frax-issued assets were stolen. Thankfully, the team was able to act quickly and prevent the fallout from critically impacting the health of the protocol and peg. The hack was a wakeup call for Frax. The present bridge solutions were insecure, so the team built their own system.
Frax’s Bridge Solution - Fraxferry
Fraxferry is a novel but simple bridge solution that allows transfer of unlimited Frax-issued assets, while keeping the Ethereum-based protocol safe from any exploits. What the team realized in the wake of the Harmony hack was that the real risk was in providing unlimited instant transfers of assets between chains.
The one change Frax made to their bridge design was to add in a 24-hour timelock. Instead of providing instant transfers, users bridging funds have to wait a day. If there is a hack or major exploit and the attacker tries to bridge funds back to Ethereum to cash out, the Frax multi-sig can stop the transfer. It’s a simple design update that provides unparalleled security.
Now this doesn’t stop instant on-demand cross-chain Frax liquidity. Other third-party protocols can set up their own pools and infrastructure to provide for these types of transactions. If they get hacked, it wouldn’t affect the overall collateral health of Frax. With the timelocks Frax establishes a checkpoint to prevent system damage to the protocol and peg. It’s the only way to safely allow billions of dollars to move back and forth between chains.
How does Fraxferry work?
The process begins when users send their tokens to the Fraxferry contract, initiating the transfer.
Fraxferry is overseen by a designated individual known as the "Captain," who examines the source blockchain to determine which tokens need to be moved. The Captain then proposes a batch of tokens to be transferred, which triggers the token transfer process.
Before the actual transfer takes place, there is a waiting period of at least 24 hours to allow for verification and dispute resolution. Departures happen once per day, and users can add and remove assets freely before the Ferry departs.
During this time, other participants, referred to as "Crewmembers," review the batch proposal to identify any potential issues.
If no disputes are raised, the token transfer is executed, moving the tokens to the target blockchain. Before execution, the system ensures that the transactions are valid by comparing the provided hash to the actual batch of transactions.
In the event of suspicious activity, the multi-sig can prevent a specific token transfer to mitigate any potential damage. It is the responsibility of the multi-sig to manage the tokens in the Fraxferry contract to ensure smooth operations.
It’s called a “ferry” because it’s slow, but it gets there on time.
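The propose, wait, dispute and execute flow described above, together with the 24-hour timelock and the multi-sig's ability to stop a single transfer, can be modelled in a few lines. This is an added example, not Fraxferry's contract code: the class, the method names, the use of SHA-256 and the sample accounts in any caller are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

WAIT_SECONDS = 24 * 60 * 60  # minimum delay before a proposed batch can execute

def batch_hash(transfers):
    """Digest of the ordered (recipient, amount) list. SHA-256 is an assumption."""
    return hashlib.sha256(repr(list(transfers)).encode()).hexdigest()

@dataclass
class Ferry:  # hypothetical model, not the Fraxferry contract
    captain: str
    crew: set
    multisig: str
    batches: list = field(default_factory=list)
    cancelled: set = field(default_factory=set)  # (batch_id, transfer index)

    def propose(self, caller, digest, now):
        """Captain commits to a batch by hash; the waiting period starts at `now`."""
        if caller != self.captain:
            raise PermissionError("only the captain proposes batches")
        self.batches.append({"hash": digest, "at": now, "disputed": False, "done": False})
        return len(self.batches) - 1

    def dispute(self, caller, batch_id):
        """Any crewmember can block a batch during the waiting period."""
        if caller not in self.crew:
            raise PermissionError("only crewmembers dispute batches")
        self.batches[batch_id]["disputed"] = True

    def cancel_transfer(self, caller, batch_id, index):
        """The multi-sig can stop one specific transfer inside a batch."""
        if caller != self.multisig:
            raise PermissionError("only the multi-sig cancels transfers")
        self.cancelled.add((batch_id, index))

    def execute(self, batch_id, transfers, now):
        """Release a batch only if it is undisputed, aged 24h, and matches its hash."""
        b = self.batches[batch_id]
        if b["disputed"] or b["done"]:
            raise RuntimeError("batch disputed or already executed")
        if now < b["at"] + WAIT_SECONDS:
            raise RuntimeError("waiting period has not elapsed")
        if batch_hash(transfers) != b["hash"]:
            raise ValueError("transfers do not match the proposed hash")
        b["done"] = True
        return [t for i, t in enumerate(transfers) if (batch_id, i) not in self.cancelled]
```

Because execution recomputes the hash over the transfers actually supplied, a batch altered after the Captain's proposal is rejected even once the waiting period has passed.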
Multichain Revisited
When Multichain went down this year, Frax was cool as a cucumber. All of the assets that were on Fantom, the network with the largest exposure to Multichain, were 100% safe and suffered no losses as a result. As TVL on the network cratered because of a single malicious actor, the Frax community knew Fraxferry would keep them safe.
In a multichain world, bridges play a role of vital importance and yet have proved to be the weakest link in onchain security. With hundreds of millions if not billions of dollars worth of value on the line, the stakes will only get higher in the future as they become a juicier target for hackers and exploiters.
Frax concluded last year that the only viable measure to protect the integrity of the protocol was to build a slow and steady solution that accounts for security above all else. Since the launch of Fraxferry, Frax has been able to sleep easy even in the face of multiple bridge hacks that have happened since. And with Fraxferry v2 coming soon, the system will only grow to become more decentralized and robust in the near future.