The current DeFiLlama Multipli adapter does not compute TVL from on-chain balances. It calls Multipli's own API and returns data.payload[api.chain] for each chain. The API payload includes large self-reported balances, including protocol-issued tokens and off-chain/custodial claims that are not backed by observed on-chain assets at the reported addresses.
This is a TVL/adapter-integrity issue, not a confirmed external money-moving exploit.
Confirmed observations
Adapter problem
Observed source URL: https://raw.githubusercontent.com/DefiLlama/DefiLlama-Adapters/main/projects/multipli/index.js
Observed adapter logic:
const axios = require('axios')
const API = "https://api.multipli.fi/multipli/v1/external-aggregator/defillama/tvl/"
const tvl = async (api) => {
const { data } = await axios.get(API)
return data.payload[api.chain]
}This means DeFiLlama currently trusts https://api.multipli.fi/multipli/v1/external-aggregator/defillama/tvl/ rather than deriving balances from chain state.
Selected API payload values observed
| Chain |
API-reported asset |
Raw API amount |
Human amount, if 6 decimals |
| Base |
base:0xd74FB32112b1eF5b4C428Fead8dA8d85A0019009 |
110010150000000 |
110,010,150 |
| Ethereum |
ethereum:0xa39986f96b80d04e8d7aeaaf47175f47c23fd0f4 |
125000010000000 |
125,000,010 |
| Ethereum |
ethereum:0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 |
34336717542621 |
34,336,717.542621 USDC |
| Ethereum |
ethereum:0xdAC17F958D2ee523a2206206994597C13D831ec7 |
15273129519386 |
15,273,129.519386 USDT |
| Arbitrum |
arbitrum:0xA39986F96B80d04e8d7AeAaF47175F47C23FD0f4 |
25000000000000 |
25,000,000 |
| Pharos |
pharos:0xA39986F96B80d04e8d7AeAaF47175F47C23FD0f4 |
30000000000000 |
30,000,000 |
Read-only RPC observations
Observed through read-only eth_call/eth_getBalance against Base, Ethereum, Avalanche, and Monad.
Base
| Address |
Role |
Observed balance / call result |
0xd74FB32112b1eF5b4C428Fead8dA8d85A0019009 |
API-reported Base token / rwaUSDi |
totalSupply() = 110,010,150 units, 6 decimals |
0xd74FB32112b1eF5b4C428Fead8dA8d85A0019009 |
Same token contract |
USDC balance = 0; native balance = 0 wei |
0xed5AA9b6eb62298492c7246FE724ee088A760155 |
afiRwaVault |
asset() = 0xd74FB32112b1eF5b4C428Fead8dA8d85A0019009 |
0xed5AA9b6eb62298492c7246FE724ee088A760155 |
afiRwaVault |
totalAssets() = 100,010,150 units of the same protocol token |
0xed5AA9b6eb62298492c7246FE724ee088A760155 |
afiRwaVault |
rwaUSDi balance = 100,010,150 units; USDC balance = 0; native balance = 0 wei |
Interpretation: the Base API TVL is dominated by a protocol token whose vault asset() is the same protocol token, not observed external collateral.
Ethereum
| Address |
Role |
Observed balance / call result |
0xa39986f96b80d04e8d7aeaaf47175f47c23fd0f4 |
API-reported Ethereum rwaUSDi |
totalSupply() = 125,000,010 units, 6 decimals |
0xa39986f96b80d04e8d7aeaaf47175f47c23fd0f4 |
Same token contract |
USDC = 0; USDT = 0; WBTC = 0; native = 0 wei |
0xfa5b3614A7C8265E3e8c4f56bC123203BD155ff2 |
Ethereum treasury checked |
USDC = 9.000000; USDT = 0; WBTC = 0; native = 96 wei |
Interpretation: the observed Ethereum rwaUSDi contract does not custody the USDC/USDT/WBTC amounts reported in the API payload.
Avalanche and Monad real-fund context
These balances show that some real vault funds exist, but at tiny scale relative to the API-reported TVL.
| Chain |
Address |
Role |
Observed balance / call result |
| Avalanche |
0xCF0Eb4ac018C06a16ED5c63484823C7805e7599D |
xUSDC vault |
USDC balance = 2,501.375940; asset() = USDC; totalAssets() = 13,244.821433 |
| Avalanche |
0x01e676EAA0C9780A88395c651349Cf08Fe52368e |
xUSDC fund manager |
USDC balance = 10.132299 |
| Avalanche |
0x468BbabAEf852C134b584382C0fef83F2954Cd5c |
xBTC.b vault |
BTC.b balance = 0; native = 0 wei |
| Avalanche |
0x62c2181618833b202e68b5addc4279542978Ef47 |
xBTC.b fund manager |
BTC.b balance = 0.00010663 |
| Monad |
0xd74FB32112b1eF5b4C428Fead8dA8d85A0019009 |
xUSDC vault / reported token address |
USDC balance = 4,582.140837; asset() = Monad USDC 0x754704bc059f8c67012fed69bc8a327a5aafb603; totalAssets() = 5,006.085630 |
| Monad |
0xE1824bF952bB2E8414d12de8A9fc2cBc666D6758 |
fund manager |
USDC balance = 700.770905 |
Risk classification
Confirmed: DeFiLlama TVL integrity issue / self-reported adapter issue.
Confirmed: reported TVL includes protocol-issued tokens and API-only claims not matched by observed collateral at the checked contracts.
Confirmed: small real vault balances exist on Avalanche and Monad, so the protocol is not purely empty; however, observed on-chain funds are orders of magnitude below the API-reported TVL.
Not proven: unauthorized external withdrawal, mint, redeem, bridge release, vault share theft, liquidation abuse, or user-level execution of value-moving admin logic.
Not proven: that the protocol has stolen funds or that all API-reported USDC/USDT/WBTC is nonexistent. The unobserved amounts may be off-chain/custodial or in contracts not identified here. They should not be counted as DeFiLlama TVL unless independently verifiable on-chain.
Requested remediation
- Disable the current Multipli adapter or mark it as misreported until TVL can be computed from on-chain balances.
- Replace the API-trusting implementation with explicit on-chain balance accounting per vault and per chain.
- Exclude protocol-issued/self-minted assets such as rwaUSDi from TVL unless independently backed by verifiable, non-recursive collateral.
- Exclude off-chain/custodial strategy balances unless DeFiLlama policy permits them and the proof source is independently auditable.
- Require Multipli to provide a complete list of vault/fund-manager/custody addresses for each chain before re-enabling full TVL.
The current DeFiLlama Multipli adapter does not compute TVL from on-chain balances. It calls Multipli's own API and returns
data.payload[api.chain]for each chain. The API payload includes large self-reported balances, including protocol-issued tokens and off-chain/custodial claims that are not backed by observed on-chain assets at the reported addresses.This is a TVL/adapter-integrity issue, not a confirmed external money-moving exploit.
Confirmed observations
Adapter problem
Observed source URL:
https://raw.githubusercontent.com/DefiLlama/DefiLlama-Adapters/main/projects/multipli/index.jsObserved adapter logic:
This means DeFiLlama currently trusts
https://api.multipli.fi/multipli/v1/external-aggregator/defillama/tvl/rather than deriving balances from chain state.Selected API payload values observed
base:0xd74FB32112b1eF5b4C428Fead8dA8d85A0019009110010150000000ethereum:0xa39986f96b80d04e8d7aeaaf47175f47c23fd0f4125000010000000ethereum:0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB4834336717542621ethereum:0xdAC17F958D2ee523a2206206994597C13D831ec715273129519386arbitrum:0xA39986F96B80d04e8d7AeAaF47175F47C23FD0f425000000000000pharos:0xA39986F96B80d04e8d7AeAaF47175F47C23FD0f430000000000000Read-only RPC observations
Observed through read-only
eth_call/eth_getBalanceagainst Base, Ethereum, Avalanche, and Monad.Base
0xd74FB32112b1eF5b4C428Fead8dA8d85A0019009totalSupply()= 110,010,150 units, 6 decimals0xd74FB32112b1eF5b4C428Fead8dA8d85A00190090xed5AA9b6eb62298492c7246FE724ee088A760155asset()=0xd74FB32112b1eF5b4C428Fead8dA8d85A00190090xed5AA9b6eb62298492c7246FE724ee088A760155totalAssets()= 100,010,150 units of the same protocol token0xed5AA9b6eb62298492c7246FE724ee088A760155Interpretation: the Base API TVL is dominated by a protocol token whose vault
asset()is the same protocol token, not observed external collateral.Ethereum
0xa39986f96b80d04e8d7aeaaf47175f47c23fd0f4totalSupply()= 125,000,010 units, 6 decimals0xa39986f96b80d04e8d7aeaaf47175f47c23fd0f40xfa5b3614A7C8265E3e8c4f56bC123203BD155ff2Interpretation: the observed Ethereum rwaUSDi contract does not custody the USDC/USDT/WBTC amounts reported in the API payload.
Avalanche and Monad real-fund context
These balances show that some real vault funds exist, but at tiny scale relative to the API-reported TVL.
0xCF0Eb4ac018C06a16ED5c63484823C7805e7599Dasset()= USDC;totalAssets()= 13,244.8214330x01e676EAA0C9780A88395c651349Cf08Fe52368e0x468BbabAEf852C134b584382C0fef83F2954Cd5c0x62c2181618833b202e68b5addc4279542978Ef470xd74FB32112b1eF5b4C428Fead8dA8d85A0019009asset()= Monad USDC0x754704bc059f8c67012fed69bc8a327a5aafb603;totalAssets()= 5,006.0856300xE1824bF952bB2E8414d12de8A9fc2cBc666D6758Risk classification
Confirmed: DeFiLlama TVL integrity issue / self-reported adapter issue.
Confirmed: reported TVL includes protocol-issued tokens and API-only claims not matched by observed collateral at the checked contracts.
Confirmed: small real vault balances exist on Avalanche and Monad, so the protocol is not purely empty; however, observed on-chain funds are orders of magnitude below the API-reported TVL.
Not proven: unauthorized external withdrawal, mint, redeem, bridge release, vault share theft, liquidation abuse, or user-level execution of value-moving admin logic.
Not proven: that the protocol has stolen funds or that all API-reported USDC/USDT/WBTC is nonexistent. The unobserved amounts may be off-chain/custodial or in contracts not identified here. They should not be counted as DeFiLlama TVL unless independently verifiable on-chain.
Requested remediation