defirisk.co
rubric v1.7.0

AnySwap (Multichain) V3: ECDSA repeated k-value (same R signature) → MPC private key back-calculation

Occurred: 2021-07-10 | Loss: $8M | Status: closed

Summary

AnySwap (Multichain) V3 suffered a Cross-Chain Bridge / DEX incident on 2021-07-10, resulting in a loss of approximately $8M.

What happened

AnySwap V3 lost $7.9M when its MPC key-signing software reused a random nonce after a restart, letting an attacker recover the private key via textbook ECDSA algebra.
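
A monitoring check for the failure described above, as an added example that is not part of the original page or of AnySwap's code: it scans collected ECDSA signatures for an r value shared by different messages, which is the visible symptom of a reused nonce. The record fields, signer labels and sample values are constructed assumptions.

```python
from collections import defaultdict

# Order of the secp256k1 group; valid r and s lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def find_nonce_reuse(signatures):
    """Group signatures by r and report every r shared by distinct signed messages.

    Each record is a dict with keys: signer, tx, z (message hash as int), r, s.
    r depends only on the nonce k, so the check is unaffected by low-s
    normalisation, and k and N-k also collide on the same r.
    """
    by_r = defaultdict(list)
    for sig in signatures:
        if not (0 < sig["r"] < N and 0 < sig["s"] < N):
            raise ValueError(f"r or s out of range in {sig['tx']}")
        by_r[sig["r"]].append(sig)

    findings = []
    for r, group in by_r.items():
        # A rebroadcast of the same signed message is not nonce reuse.
        messages = defaultdict(set)  # signer -> distinct hashes signed with this r
        for sig in group:
            messages[sig["signer"]].add(sig["z"])
        if sum(len(zs) for zs in messages.values()) < 2:
            continue
        findings.append({
            "r": r,
            "txs": sorted({sig["tx"] for sig in group}),
            # One key, one nonce, two different hashes: that key is recoverable.
            "exposed_signers": sorted(s for s, zs in messages.items() if len(zs) > 1),
            # Same r under different keys means the signers drew the same nonce.
            "cross_key": len(messages) > 1,
        })
    return findings

# Constructed sample records (not real AnySwap transactions or values).
SAMPLE = [
    {"signer": "mpc-A", "tx": "tx1", "z": 0x1111, "r": 0xABCDEF, "s": 0x51},
    {"signer": "mpc-A", "tx": "tx2", "z": 0x2222, "r": 0xABCDEF, "s": 0x52},
    {"signer": "mpc-A", "tx": "tx2-rebroadcast", "z": 0x2222, "r": 0xABCDEF, "s": 0x52},
    {"signer": "mpc-A", "tx": "tx3", "z": 0x3333, "r": 0x123456, "s": 0x53},
    {"signer": "mpc-B", "tx": "tx4", "z": 0x4444, "r": 0x777777, "s": 0x54},
    {"signer": "mpc-B", "tx": "tx4-rebroadcast", "z": 0x4444, "r": 0x777777, "s": 0x54},
]

if __name__ == "__main__":
    for f in find_nonce_reuse(SAMPLE):
        print(f"r={f['r']:#x} reused in {f['txs']}; exposed keys: {f['exposed_signers']}")
```

Running the same check inside the signer before a signature is released, against a store that survives restarts, catches the reuse before it becomes public.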

Linked factors

  • RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (V3); off-chain MPCNode software]
  • RD-F-006 — causal: Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — V3 was new prototype code; MPCNode had a recent patch that introduced the bug]
  • RD-F-062 — related: External keeper/relayer dependency not redundant [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]
  • RD-F-105 — causal: DNS / CDN / frontend change detected [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]