Millions of words' worth of assets unaccounted for, Multichain questioned over improper fund management
TechFlow Selected TechFlow Selected
Millions of words' worth of assets unaccounted for, Multichain questioned over improper fund management
The use of funds in custodial accounts by the bridging platform is under scrutiny.
Navigating Web3 tides with focused insights
Author:Aleksander Gilbert
According to L2 Beat, a research initiative analyzing the Layer 2 blockchain space, Multichain—a cross-chain bridging platform with $1 billion in total value locked—has moved nearly $80 million in stablecoins and 300 bitcoins, drawing scrutiny over these unusual activities.
L2 Beat stated that Multichain transferred millions from user funds under its custody to provide liquidity elsewhere on its network, raising public questions about the purpose behind these fund movements. These actions and L2’s review had not been previously reported by media outlets.
Social Contract
Bartek Kiepuszewski, a researcher at L2 Beat, told The Defiant: “Given that this is users’ money, either Multichain has some kind of agreement with users on that chain, or they are violating the social contract with their users.”
This year, most incidents involving stolen or lost cryptocurrencies due to hacks have occurred on cross-chain bridges—technologies enabling users to transfer digital assets between blockchains.
The reason is clear: cross-chain bridges are technically complex, providing attackers with more attack vectors. Additionally, they represent single points of failure—smart contracts lock user funds in custody, while “transferred” assets—essentially IOUs—are minted on the destination chain.
A Deepening Mystery
Thus, when researchers from L2 Beat dug into Multichain and discovered an apparent internal threat, they were surprised.
As Bartek Kiepuszewski noted, given that this is users’ money, Multichain’s movement of funds either required user consensus or constitutes a breach of the social contract with users.
According to Kiepuszewski, while asset transfers from custody can be observed on-chain, the ultimate destinations of these assets remain unknown.
L2 Beat said Multichain claims these assets were used to provide liquidity elsewhere in its network, but verifying whether this claim holds true is difficult.
Michael Lewellen, Head of Solutions at blockchain security firm OpenZeppelin, acknowledged there is indeed a problem with such practices.
“If there's no clear way to verify that the assets claimed by a bridge to be backed actually exist somewhere verifiably, I think we need to pay special attention,” Lewellen told The Defiant.
L2’s findings raise concerns about the behavior and security practices of an organization holding over $1 billion in user funds. Multichain connects dozens of blockchains and supports thousands of assets across chains. Confirming that Multichain still possesses these cryptocurrencies—and that they haven’t been lost to DeFi exploits or speculative risks—would be a daunting task.
New Doubts Emerge
Moreover, these allegations could fuel fresh skepticism toward cross-chain bridging technology, which has already suffered massive losses from hacks this year.
According to Rekt’s exploit leaderboard, three of the five largest hacks in crypto history this year involved cross-chain bridges. Over $600 million was stolen from the Ronin Network. Nearly $600 million was taken from Binance Bridge. Wormhole lost over $300 million.
Multichain did not respond to multiple requests for comment submitted via email addresses listed on its website.
Security Assumptions
This section highlights L2 Beat’s role in examining the blockchain scaling landscape. When lending protocol Maker considered expanding onto Layer 2 blockchains like Optimism and Arbitrum, it needed better insight into how these networks operate.
That effort eventually spun off into L2 Beat—an independent site listing multiple Layer 2 blockchains, their amounts of held funds, and their underlying security assumptions.
This month, the project expanded with the launch of a bridge protocols dashboard. Alongside Multichain—the world’s second-largest cross-chain bridge—L2 Beat added a yellow shield icon with an exclamation mark, warning users of suspected misconduct.
Kiepuszewski explained, “Most bridges work similarly: users send assets to an address, and ‘new’ assets are minted on the destination chain by validators. If users want to return assets to the source chain, the reverse process occurs—users burn assets on the destination chain, and validators should release the original assets from the custodial address where users initially sent them.”
Liquidity Networks
Cross-chain bridge protocols that cannot mint new assets on the destination chain use a “liquidity network” model. Liquidity providers deposit assets into liquidity pools on the destination chain. These assets become available for users bridging onto that blockchain and return to the pool when users withdraw their original-chain assets.
According to L2 Beat, Multichain connects dozens of blockchains and employs both bridging methods depending on context—either minting assets or utilizing liquidity pools.
Kiepuszewski said he contacted Multichain, and a representative informed him the crypto assets had been used to supply cross-chain liquidity pools.
“They claimed this wasn’t problematic because the funds still reside within the Multichain ecosystem, and from their perspective, users should always be able to withdraw the amount they need,” Kiepuszewski said. “But auditing this has now become extremely complex—you’d have to analyze the entire Multichain ecosystem, right?”
OpenZeppelin’s Lewellen agreed. He said, “Even with liquidity networks, there should be ways to examine different liquidity pools (where liquidity providers participate) across various chains and confirm that the total assets issued by the bridge match up with actual liquidity pools elsewhere.”
Both Lewellen and Kiepuszewski emphasized that a transparency dashboard showing user fund flows would greatly help alleviate concerns about asset movements.
Software Vulnerabilities
Kiepuszewski noted another emerging issue when assessing whether Multichain is a safe place to store funds. Traditionally, audits focus on identifying software vulnerabilities. Now, users must also question whether Multichain itself is trustworthy enough to hold their funds.
Even if funds are securely stored, timely withdrawals may still prove difficult. Lewellen pointed out what appears to be a discrepancy within Multichain itself: the amount of Dai on Multichain’s Fantom bridge seems lower than the amount of Dai Multichain has minted on Fantom.
Uncertainty Remains
According to L2 Beat, over $52 million in Dai was bridged to the L1 blockchain Fantom, and these assets are believed to have been removed from custody by Multichain validators.
In Lewellen’s view, if Dai loses its dollar peg and holders on Fantom wish to convert their Dai into USD, they might face significant losses during the process of locating and transferring the supposedly custodied Dai.
He said, “Such a scenario may not happen immediately, but if these factors align in a way unfavorable to Multichain, it could occur. I think that’s ultimately what fuels concern—there’s simply no clarity on how Multichain manages this risk.”
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
