👀 Weekly Diges

Multichain Exploit

On July 7th, Beijing time, assets locked in the Multichain cross-chain bridge protocol were unexpectedly transferred. As of today, a total of $265 million has been drained from the protocol. Multichain has announced that its services have been halted with no estimated time for restoration, and advises users not to use the Multichain bridge service. However, no further statements or compensations have been issued regarding the cause and aftermath of this incident.

The affected blockchains include FTM, Moonriver, Kava, Conflux, Dogechain, ETHW, and others. The bridged stablecoin assets minted by Multichain on these chains have experienced varying degrees of detachment from their anchors.

Timeline

May 24th - Multiple community and social media users reported delayed cross-chain transactions on Multichain. At that time, Multichain attributed the issue to force majeure, stating that certain cross-chain routes were unavailable.

May 25th - Former co-founder of Multichain, DJ Qian, tweeted that Multichain CEO Zhao Jun was missing.

June 5th - The previously problematic cross-chain bridge on the KAVA network resumed functioning, resulting in a 50% surge in the value of the $Multi token.

July 7th - Without prior notice, the locked assets on the Multichain cross-chain bridge were transferred to six different addresses, amounting to approximately $127 million. Approximately 12 hours later, Multichain tweeted that their services had been suspended and advised users not to use the Multichain bridge service.

July 8th - USDC issuer Circle blacklisted three wallet addresses that received a significant outflow of funds through the Multichain cross-chain bridge, resulting in approximately $63 million of USDC being frozen.

July 10th - One of the wallets that received funds from Multichain converted 10.2 million USDT into 5,434 ETH, possibly to prevent the freezing of assets by USDT issuer Tether.

July 11th - Additional assets worth approximately $103 million were transferred from Multichain to new addresses.

Expert Analysis

Analysis by blockchain analytics firm Chainalysis, security firm Beosin, and researcher 0xLoki from Xinhua Technology suggests a common understanding that the attack on Multichain was not a result of code vulnerabilities or flaws in the protocol. Instead, it is believed to be the work of an insider.

The attacker likely gained control over the Multichain Multi-Party Computation (MPC) keys responsible for executing transactions. The attack was executed through simple transfer operations without any complex maneuvers. This indicates that the attacker may have full control over the assets and is not in a hurry to move them.

The incident may be closely related to the CEO Zhao Jun's disappearance.

Surge Project Introduction

Surge Protocol is a decentralized lending platform that supports lending for all non-rebasing ERC20 tokens. It stands out for its permissionless and oracle-free nature, allowing anyone to create lending pools for any token without restrictions. The protocol does not rely on price oracles and does not require ongoing maintenance from a team. Once deployed, it remains unchanged.

Surge Project Mechanism

Current lending protocols rely on price data to evaluate the adequacy of collateral and perform liquidations. However, Surge achieves the same goal by measuring changes in pool liquidity instead of using price data.

Before diving into the Surge mechanism, it's important to understand two terms:

Algorithmic Collateral Ratio: A utilization function over time that replaces the collateral ratio based on price data. Surge Threshold: The utilization threshold at which the collateral ratio starts to gradually decrease.

The mechanism can be illustrated using the following diagram:

Source : https://docs.surge-fi.com/general/how-it-work

In a hypothetical pool, the maximum collateral ratio is set at 50:1, independent of token prices. This means that borrowers can borrow up to 50 loan tokens for every 1 collateral token.

When the value of collateral tokens decreases, suppliers withdraw liquidity to avoid losses. When the pool's utilization exceeds 80% of the Surge Threshold, the collateral ratio begins to decrease. If the pool's collateral ratio falls below the borrower's collateral ratio, the borrower may be subject to liquidation.

If the utilization never returns below the Surge Threshold, the pool will liquidate all active borrowers to ensure sufficient liquidity for suppliers to exit.

Surge Project Update

Surge officially launched last week on 7/6, initially deployed on Arbitrum. It has created nearly 200 lending pools with a Total Value Locked (TVL) of $6,000, indicating that it is still in the early stages of development.

Due to Surge's use of an isolated lending model instead of a cross-margin model, the liquidity across different lending pools is fragmented. The team has stated that their goal is to address the issue of liquidity fragmentation by introducing a supplier aggregation layer positioned on top of the Surge pools. Borrowers can choose to provide liquidity directly to individual Surge pools or aggregate their deposits into a repository with limited management roles.

Source : https://www.surge-fi.com/

DataCheck

https://twitter.com/DodoResearch/status/1678593136799670272

🚄 Bullet News

AAVE has initiated a governance vote for the official launch of GHO on the mainnet through an AIP. The voting period is from 7/12 to 7/14. If approved, GHO (Aave's native stablecoin) will be launched through Aave V3 Facilitator and FlashMinter Facilitator.
Binance is preparing to launch its 32nd project on the Launchpad called Arkham. Arkham is an on-chain data analytics and intelligence platform that aims to derive valuable insights through analysis of on-chain transaction data.
Threads, a new social media platform launched by the US internet giant Meta, went live in 100 countries worldwide last week on 7/6. The platform has already surpassed 100 million registered users. Threads is a focuses on text-based social media and has quickly become one of the main competitors to Twitter.