Anyswap V3 ECDSA Nonce Reuse

On July 10, 2021 at 20:00 UTC, the cross-chain liquidity router Anyswap V3 was drained of approximately $7.9 million — 5.5M MIM in a single transaction plus ~2.4M USDC across three further transactions — after the attacker exploited an ECDSA nonce-reuse vulnerability in the protocol's MPC wallet. The attacker detected a repeated k-value across two signatures on BNB Chain and back-calculated the private key from elementary number theory.

What happened

Anyswap (later renamed Multichain) used a Multi-Party Computation (MPC) wallet to coordinate signing across multiple operator-controlled key shares for its cross-chain router. Each cross-chain operation required a signature from the MPC wallet, generated using ECDSA.

ECDSA security depends on a critical requirement: the per-signature random value k must be unique and unpredictable. If two signatures from the same key use the same k value, then anyone observing the two signatures can algebraically recover the private key using basic modular-arithmetic operations.

The Anyswap V3 router's MPC implementation generated repeated k-values in two of its BSC-side transactions. The attacker:

1. Monitored Anyswap's on-chain signature activity — possibly automated, possibly opportunistic.
2. Detected the duplicate k in two BSC transactions.
3. Computed the MPC wallet's private key using the standard ECDSA private-key recovery formula given two signatures with the same nonce.
4. Drained the V3 cross-chain liquidity pools for $7.9M before the team could rotate keys.

The exploit affected only the V3 router — Anyswap's V1 and V2 bridges used different infrastructure and were unaffected. The V3 LP providers absorbed the loss.

Aftermath

• Anyswap paused V3 and announced a 48-hour timelocked redeployment with corrected nonce generation.
• The team committed to compensating V3 LPs.
• Two years later, the rebranded Multichain would be drained for $125M in July 2023 under entirely different (and more suspicious) circumstances.

Why it matters

Anyswap's July 2021 incident is the textbook case for why cryptographic primitives must be implemented with the rigour they require. ECDSA's nonce-reuse vulnerability has been documented since the algorithm was first published; the failure mode is so well-known that automated bots monitor public blockchains for repeated k-values in order to back-calculate keys.

The structural lessons:

1. MPC wallets are not magically secure — they're as secure as the implementation of every primitive in the signing pipeline. A nonce-reuse bug in the MPC's signature aggregation defeats all the multi-party security guarantees the system was designed to provide.

2. Deterministic nonce generation per RFC 6979 has been the standard mitigation for over a decade. Any ECDSA implementation that does not use deterministic nonces — or worse, that re-uses nonces from a flawed PRNG — is one observation away from exposure.

3. Bridges concentrate cryptographic risk because they need to issue many signatures for many cross-chain operations, increasing the chance that any implementation flaw eventually surfaces. The Anyswap V3 router was using "prototype" code in production — a recurring pattern in early-bridge deployment that the post-2022 wave of bridge hacks (Ronin, Wormhole, BNB, Nomad) made universally recognized as inadequate.

The Anyswap → Multichain trajectory — from "exploit of the V3 router" in 2021 to "MPC keys lost after CEO arrest" in 2023 — is one of the cleaner case studies for how the same operational team can produce different categories of catastrophic failure on a multi-year timeline.