A July 14 social media post from the app’s development team says lending protocol Ghost Finance is permanently shutting down due to losses from multichain exploits. Guest contracts were suspended on July 6th, then resumed on July 9th in “withdrawal and repayment only” mode. The latest post confirms that the team has no plans to reopen lending and borrowing on Geist.
Geist is a lending protocol that runs on the Phantom Network. Multichain had $29 million worth of crypto assets locked up in its contracts before the hack. Before the hack, Geist allowed users to borrow, lend, or use bridged tokens from the multichain platform as collateral, including bridged versions of USD Coin (USDC), Tether (USDT), Bitcoin (BTC), and Ether (ETH). It used chainlink oracles to track the prices of these assets to determine their collateral and loan values.
According to the post, these oracles stopped producing reliable information. They now list the values of the non-bridged or “real” versions of each coin, which, as the team explained, more than quadruple the value of their multichain derivatives:
“Since Chainlink oracles track the value of real USDC, USDT, WBTC or ETH, they have no idea of the real value of multichain assets. Those assets are currently trading at 22 percent of their original value.
This makes it “impossible” to resume lending, and doing so would result in bad debt for holders of non-multichain coins such as Magic Internet Money (MIM) or Phantom (FTM), the team stated. As a result, the guest cannot reopen.
Related: Circle has frozen more than $65M in assets transferred from Tether Multichain
The team clarified that it does not blame the Chainlink oracles for Geist’s shutdown, as these oracles “worked as they were supposed to.” Instead, “Nobody to blame here but @MultichainOrg.”
The multichain hack was first reported by blockchain analytics experts on July 7. More than $100 million has been withdrawn from the Ethereum side of multichain bridges, including Dogecoin, Phantom, and Moonriver. The Multichain team called the transactions “abnormal” and warned users to stop using the protocol. However, the team stopped short of calling it a hack or an exploit.
On-chain sleuth and Twitter user Spreek reported on July 11 that an unknown person was siphoning funds from the protocol and sending them to new wallet addresses using a fee-based exploit.
On July 14, the Multichain team confirmed that the withdrawals since July 7 were the result of a hack. The network was storing all of its private keys in a “cloud server account” under the sole control of the team’s CEO, who was arrested by Chinese authorities. This cloud server account was later accessed by someone and used to siphon money from the protocol. The team previously specified in the protocol’s documentation that no server has access to all fragments of a key.
According to the July 14 post, the July 11 fee-based attack was a counterattack launched by the CEO’s sister at the behest of the Multichain team in an attempt to recover funds. The sister was later arrested and the status of the assets she recovered is “uncertain”.