- Multichain says it is ceasing operations due to lack of access to funds.
- The crypto bridge says the CEO and his sister have been arrested by police in China.
Crypto bridge protocol Multichain on Friday said its shuttering operations while confirming reports that its CEO — who goes by Zhaojun and has sole access to the bridge funds — was arrested in China.
Multichain said on Friday that Zhaojun has been in custody since May 21 and “all of Zhaojun’s computers, phones, hardware wallets, and mnemonic phrases were confiscated by the authorities.”
“Due to the lack of alternative sources of information and corresponding operational funds, the team is forced to cease operations.”
“Since the inception of the project, all operational funds and investments from investors have been under Zhaojun’s control. This also means that all the team’s funds and access to the servers are with Zhaojun and the police,” Multichain said.
During Zhaojun’s arrest, his family — mainly his sister — cooperated with the team to help fix technical issues related to servers in need of upgrade.
But, the team said, the sister was also taken into custody by the police and she is “also out of contact,” with $220 million in project funds in her possession.
Earlier this month, DL News found that Zhaojun’s Telegram account went online, which suggests the account may have been in another person’s control.
Yajin Zhou, CEO of blockchain security firm Blocksec, told DL News that Multichain’s travails were a lesson in the need for decentralisation and transparency in “private key management,” and Multichain’s reliance on a single entity is “not a common way from the security perspective.”
“The moral of the story is that bridges cannot be centralised. A single person and his family controlled all the keys and access, and the funds somehow got stolen anyway,” Dyma Budorin, co-founder and CEO of blockchain security firm Hacken, told DL News.
“The arrest of the CEO shouldn’t have an impact on the security of funds of thousands of people. The whole situation looks very strange,” he said.
Controlled by a single party
Multichain’s troubles began in early May when Zhaojun’s arrest initially affected the team’s ability to complete the server upgrade, which led to reports of abnormality on the crypto bridge in late May.
Users complained that they were not receiving their “bridged funds” — crypto sent from one blockchain to another.
The panic caused by the bridge abnormality — compounded by then-unconfirmed rumours of the CEO’s arrest in China — led to a major selloff of Multichain’s native token MULTI.
The team relied on its CEO, since he controlled the key infrastructure of the crypto bridge. That included the bridge’s MPC, or multi-party computation, wallet, which refers to a smart contract wallet controlled by multiple persons to ensure greater security.
In Multichain’s case, the ownership of the MPC wallet credentials was not sufficiently decentralised — as Zhaojun controlled it, Blocksec’s Zhou said.
“Even the multichain leverages MPC, but all the keys are managed solely by the CEO himself, which is not robust in such a situation,” Zhou told DL News.
That control now rests with the Chinese authorities.
The team said it learned its access keys to the infrastructure that hosts its MPC node servers had been revoked.
Mikko Ohhtamaa, an independent Ethereum security researcher, told DL News that “it could have been easily found out that the bridge is relying on a single cloud account or a single legal entity. Here the problem was that code was not good enough — bridge topology was not audited.”
“For any future crosschain bridges, audits must not cover only code, but what are the legal entities behind the keys and how likely so-called wrench attack is,” Ohhtamaa said, referring to the risk of seizure of crypto through physical force.
Unidentified movements of funds
On July 6, the crypto bridge saw what it called abnormal fund movements, with $125 million taken from its wallets.
Multichain said that the transfer remains unidentified, though Zhaojun’s sister found login details on the project’s cloud server platform from an IP address in the Chinese city of Kunming.
It did not say whether the Chinese police moved the funds or the bridge was compromised by a third party.
Multichain said Zhaojun’s sister intervened following that movement to preserve the remaining funds by transferring $220 million worth of crypto assets to a new wallet address that she controlled.
Zhaojun’s sister was reportedly taken into custody on July 13, and the team does not have access to the wallets she used.
As a result, the team says the status of the funds reportedly preserved by Zhaojun’s sister is uncertain.
Cut off from funding, the team has asked users not to use Multichain’s services, but says it does not have access to take down the bridge’s web front-end.
The team pleaded with web domain hosting platform Go Daddy to takedown the project’s website.