On July 7, 2023, according to Secure3, a blockchain security audit contest platform, Fantom Bridge from Multichain was attacked. Multichain has announced through its official Twitter that it has suspended all bridge services and has no estimated resume time yet. The Secure3 security team analyzed and found that there is no evidence showing this is caused by smart contract vulnerability, suspecting that the attack may have been caused by the comproise of the MPC wallet multi-signature private key, causing a loss of about $126 million.

Among them, assets worth about $118 million have been transferred out from Multichain’s Fantom Bridge. Including:

• Various tokens worth about $16 million (DAI, LINK, UNIDX, WOO, USDT, ICE, CRV, YFI, TUSD) were sent to address 0x9d57..
• Other transfers involved about $27.6 million USDT and $30 million USDC, which were sent to addresses 0x027F.. and 0xefeef.. respectively
• In addition, 1023 wBTC worth about $30.9 million were sent to address 0x622e5..
• 7214 wETH worth about $13.6 million were sent to address 0x418e..

In addition, various tokens worth about $7.5 million (USDC, USDT, DAI, WBTC) were transferred out from Multichain’s Moonriver Bridge and transferred to address 0x48Be..

In response to this security incident, the Secure3 security team summarizes the MPC wallet security considerations here.

MPC Wallet

MPC wallet is a digital asset wallet that uses multi-party computation (MPC) technology to protect private keys. MPC wallet can split private keys into multiple shards and store them on different devices or in the cloud to avoid the risk of single point failure and leakage of private keys.

How to Ensure the Security of MPC Wallet?

• Choose a reputable and guaranteed, audited, trusted MPC wallet to ensure security and reliability. For audit report cases, please refer to the relevant MPC wallet project audit report given by Secure3 before https://secure3.io/reports
• Design a suitable sharding scheme that considering the number of shards, the size of shards and the allocation method of shards. Ensure that the scheme balances security and convenience
• Use strong passwords and two-factor authentication to protect your MPC wallet account, avoid using the same or simple passwords, change passwords regularly, and do not disclose passwords to anyone
• Store shards securely: store shards in a secure location and ensure that only authorized personnel can access them. You can consider using hardware security modules (HSMs), offline devices or encrypted storage media to store shards
• Regularly check your MPC wallet balance and transaction records. If you find any problems, contact your MPC wallet service provider or relevant agency in time
• Do not access your MPC wallet on insecure networks or devices to prevent phishing attacks

Secure3 security team recommends:

1. Project teams need to protect their private keys from being leaked.
2. Follow the security guidelines for using MPC wallets.

About Secure3

Headquartered in Silicon Valley, Secure3 is an intelligent audit contest platform, aiming to reshape Web3 safety by providing efficient, affordable, and secure smart contract auditing services for all Web3 projects.

Secure3’s audit contest organizes decentralized certified auditors in the form of an audit competition. With 3–10x more auditors (compared to centralized auditing firms) working on the project independently, anonymously, and simultaneously, Secure3 has proven successful in providing cost-efficient and high-quality auditing services. In the past year, Secure3 has done over 100 projects including industry leaders, such as zkSync, Mantle, Manta Network, IoTeX, ParaSpace, MirrorWorld, etc.

Secure3 was incubated by Stanford StartX in 2022, and closed $5M seed funding from Mirana, GGV, Alumni Ventures, Hashkeys, etc.

• Website: https://www.secure3.io/
• Service Intro: http://secure3.io/intro
• All Audits Reports: https://www.secure3.io/reports
• Case Study: https://docs.para.space/para-space/external-audits