Multichain has always held security as its top priority and wants to demystify its security model and adopted measures for users.
Its security design is effectively resilient to hacks and guarantees a solid, robust base model for future development.
Decentralized finance has grown in adoption and complexity during the last few years as the multichain ecosystem has taken shape. This has driven further growth for cross-chain bridges despite an increase in attacks: Approximately 10 hacks happened in 2021.
This year is no exception, with four attacks on bridges that include Qubit, Wormhole, Meter and Multichain. There is a need for bridge security and to understand the advancements underway.
Open-source: The Cross-Chain Router Protocol
Multichain’s Cross-Chain Router Protocol (CRP) is an open-source protocol, free to access and use. The code and its development are on GitHub.
Multichain is open-source. Compared to closed-source code, security concerns can be examined in open-source models and offer transparency to alleviate concerns. Open-source code isn’t always perfect, but neither is any software. Being open-source allows hackers to understand how to mount an attack, but the code can eventually become bulletproof through extensive testing.
Multichain guarantees that its CRP security issues are immediately disclosed and patched. An active bug bounty program encourages active code review and vulnerability disclosure. Thanks to the community, the platform was alerted to contract vulnerabilities in a January incident and fixed the issues immediately while managing to salvage 50% of the losses.
The Multichain CRP has a large and seasoned developer community incorporating the code with ever-growing confidence and trust. The code is tested by several developers, strengthening its reliability, and their ideas and suggestions are often added to the project’s core libraries. On the community side, developers and users discuss the CRP and guide new joining projects. That is the beauty of open-source — where the whole is greater than the sum of the parts.
More than 30 applications have integrated the Multichain CRP, and more than 20 decentralized and centralized exchanges, wallets, aggregators, launchpads and index providers are in the process. Some examples are a decentralized autonomous organization represented by SushiSwap, SpiritSwap, SpookySwap and TokenPocket.
The team looks forward to promoting the CRP alongside more developers.
The Multichain SMPC network
Lynchpin technology based on a frontier security theory
Secure Multi-Party Computation (SMPC), the core technology underpinning Multichain, originated from a theory by some of the world’s leading cryptographers. The key algorithm defining Multichain’s cross-chain bridge and router is the Threshold Signature Scheme (TSS).
TSS was derived from the groundbreaking research paper “Universal Composability Non-Interactive, Proactive, Threshold Elliptic Curve Digital Signature Algorithm with Identifiable Aborts,” known as the GG20 theory. It was published in 2020 at the Association for Computing Machinery’s Conference on Computer and Communications Security (CCS).
The event — one of the industry’s most authoritative — is an annual flagship conference of the Special Interest Group on Security, Audit, and Control (SIGSAC) that invites information security researchers, practitioners, developers and users globally to explore cutting-edge ideas and results.
The paper was reviewed, validated and revered for reliability by experienced cryptographers. All current projects for distributed signatures are based on the GG20 theory — and Multichain was among the first to realize this theory.
Multichain applies TSS to its cross-chain solutions
To achieve cross-chain interaction of digital assets, a multi-party computation network is required — a distributed network that processes cross-chain requests in real-time between chains.
MPC networks comprise a trigger mechanism, where the status on the original chain is detected in real-time and translated into the behavior on the target chain. What happens on the source chain reflects what happens on the target chain.
Multichain’s current MPC network is decentralized. Each node independently verifies the status of the original chain and uses a threshold-distributed signature algorithm between all nodes to reach a consensus on the verification results.
Based on a cryptographic algorithm, this method can lead to a powerful consensus: It either produces consistently correct results or no results. This ensures that Multichain’s MPC network can accurately process cross-chain requests in real-time without any point of failure.
In addition to integrating TSS into its cross-chain solutions, Multichain has developed SM2 and Schnorr signatures to form the final Multichain SMPC network that supports more than 96% of cross-chain interactions. The platform’s solution is universally compatible and suitable for non-Ethereum Virtual Machine chains such as Bitcoin and Ripple.
Multichain has faced security incidents and learned and grown stronger as a result. It is dedicated to providing the best cross-chain solutions. Prior security incidents were unrelated to the cryptographic theory Multichain utilizes nor its underlying SMPC network. The SMPC schemes and Multichain’s network have not been breached.
Actions taken to further strengthen Multichain security
There are valuable security lessons impossible to learn from even 100 attack simulations in every failure. Multichain has also completed multiple governance measures to strengthen its security further.
Regular external and internal audits
The external-security audit cycle has been shortened to less than three months, meaning a higher frequency of security checks. The latest audit was conducted by Trail of Bits; Multichain’s team has upgraded its products as recommended and will release its audit report soon.
Multichain has contacted another security audit service provider, PeckShield. This audit is in progress and will be completed soon.
Internal audits are also being performed: A special security risk-control team has been built for this purpose, and cross-functional technical audits are being conducted with higher frequency.
The Multichain security fund
Multichain has initiated a governance proposal for a security fund to identify any possible rescue measures for assets susceptible to loss from potential vulnerabilities in Multichain’s system. The proposal is to add 10% of the monthly cross-chain fee to the security fund.
A bug bounty program
Multichain encourages the community to continue reviewing its code and security and is working with Immunefi on its Bug Bounty program. This program recognizes the value of independent security researchers and teams.
Multichain values motivating and appreciating honest contributors: The team will reward up to $2 million for discovering and submitting vulnerabilities.
A security academic alliance
Cryptography is an evolving discipline, and guarding against security attacks is never-ending. Multichain is closely monitoring the advancements of relevant new technologies and investing generously in technological innovation and cybersecurity.
To that end, it’s forging an academic alliance with global cryptography experts who specialize in TSS algorithms and MPC to stay aware of developments in and maintain constant technological innovation.
A strengthened risk supervision and control system
The team has implemented reliable risk-control measures to detect unusual transactions and send early security warnings.
Multichain is further decentralizing its SMPC network. SMPC nodes are run collaboratively by the Multichain team and trusted community members but will open to partners and later to untrusted networks.