The Harmony Protocol hack is the latest multimillion-dollar theft targeting DeFi protocols. A hacker has exploited a vulnerability to steal $100 million worth of cryptocurrency from Harmony’s Horizon Bridge. On the 24th of June, the blockchain company identified the attack and informed its followers on Twitter.
Harmony, the U.S. crypto startup behind Horizon, was notified of a “malicious attack” on its proprietary Horizon blockchain bridge on Thursday and posted the news in their latest blog post. Harmony is a layer-1 proof-of-stake blockchain. The Harmony mainnet was created to revolutionise block creation.
Blockchain bridges, also called cross-chain bridges, facilitate communication between blockchains and allow users to send capital from one chain to another. Using Harmony’s Horizon bridge, users can move their assets — including tokens, stablecoins, and NFTs — between Ethereum, Binance Smart Chain, and Harmony blockchains.
The $100 million crypto hack in the making
- The Harmony development team announced that $100 million was syphoned from the Horizon bridge. The organisation said that it was working with national authorities and forensic blockchain specialists.
- The day after the exploit, Polygon’s chief information security officer, Mudit Gupta, said that the bridge was a 2 of 5 multi-signature scheme, meaning that anyone controlling two of the five signer addresses could have taken control of it.
- While the details aren’t public, Gupta summarised what he believes happened during the hack. He explained, “The hacker compromised 2 addresses and made them drain the money.” “The two addresses were likely hot wallets used to listen for and process legit bridging transactions,” Gupta said.
- He further stated, “Once inside the server, they could access the keys that were kept in plaintext for signing legit transactions. The server exploit was likely either an SSH key compromise or social engineering. This is eerily similar to how Ronin was hacked.”
- He then added, “This was not a ‘Blockchain Hack.’ It was a ‘Traditional Hack.’ I’ve been begging protocols to focus on traditional security too alongside blockchain security for months now.”
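As an added illustration (not Harmony’s code, and not a description of its actual contract), the Python model below shows why the 2-of-5 arrangement Gupta describes collapses once two signer keys are taken from a server, and how the same forged withdrawal fares under a higher quorum. HMAC secrets stand in for the signers’ on-chain keys; the signer set, threshold values and the withdrawal message are constructed for the example.

```python
import hashlib
import hmac

# Constructed signer registry: five validator keys, derived deterministically
# so the example runs offline. A real bridge would hold ECDSA keys, ideally
# in an HSM or KMS rather than in plaintext on the relay server.
SIGNERS = {
    f"validator-{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
    for i in range(5)
}


def sign(secret: bytes, message: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 over the withdrawal message."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify_withdrawal(message: bytes, signatures: dict, threshold: int) -> bool:
    """Accept only if at least `threshold` distinct registered signers
    produced a valid signature over exactly this message."""
    valid = set()
    for signer_id, sig in signatures.items():
        secret = SIGNERS.get(signer_id)
        if secret is None:
            continue  # unknown signer: ignored, never counted
        if hmac.compare_digest(sig, sign(secret, message)):
            valid.add(signer_id)
    return len(valid) >= threshold


def forged_withdrawal_accepted(compromised: list, threshold: int) -> bool:
    """Model an attacker who holds the keys in `compromised` and submits
    a withdrawal signed only by those keys."""
    message = b"withdraw 100000000 to attacker-address"  # constructed
    sigs = {sid: sign(SIGNERS[sid], message) for sid in compromised}
    return verify_withdrawal(message, sigs, threshold)


def tampered_withdrawal_accepted(compromised: list, threshold: int) -> bool:
    """Signatures made over one message must not validate another."""
    original = b"withdraw 1 to legit-address"  # constructed
    sigs = {sid: sign(SIGNERS[sid], original) for sid in compromised}
    return verify_withdrawal(b"withdraw 100000000 to attacker-address",
                             sigs, threshold)
```

With two compromised keys the 2-of-5 check accepts the forged withdrawal, while a 4-of-5 quorum rejects it; the threshold, not the number of keys, bounds how many key thefts the bridge can survive.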
The bounty is rejected
Hackers made 11 transactions from the bridge for various tokens. The hackers have since begun sending tokens to a different wallet to swap for ETH on the Uniswap decentralised exchange (DEX), then sending the ETH back to the original wallet. Harmony said in its blog post that immediately following the attack, multiple cybersecurity partners, exchange partners, and the FBI were notified and requested to assist with an investigation in identifying the culprit and retrieving stolen assets. “Further, the team has attempted communication with the hacker with an embedded message in a transaction to the culprit’s address,” the blog post read. On Saturday, the team behind Harmony protocol offered a $1 million reward for sharing exploit information and the return of $100 million Horizon bridge funds; they also said on Twitter, “Harmony will advocate for no criminal charges when funds are returned.”
However, the exploiter declined the offer: over the next 10 hours a total of 18,036.3 Ether, worth about $21 million, was moved out of the Horizon Bridge exploiter’s primary wallet to three different addresses in a single transaction. The hacker then transferred the funds to Tornado Cash, an Ethereum mixer. A mixer is a privacy tool designed to obfuscate the transaction path of coins so they cannot be traced back to previous transactions. Tornado Cash supports mixing a maximum of 100 ETH at a time, which means large sums can easily take several hours to mix.
After being alerted to these transactions by PeckShieldAlert, Harmony’s Twitter account said on Monday that the team was working with “two highly reputable blockchain tracing and analysis partners,” along with the United States Federal Bureau of Investigation, to examine the hack.
The rise of bridge hacks
The Harmony bridge hack follows a series of attacks on other blockchain bridges. The Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity, lost more than $600 million in March.
Harmony added that it had stopped the Horizon bridge to prevent further transactions. Harmony’s bridge for bitcoin was unaffected.
“This incident is a humbling and unfortunate reminder of how our work is paramount to the future of this space, and how much of our work remains ahead of us,” the blog post said. “Ongoing investigations present a challenge of what information is allowed to be shared with the public, but we will continue to provide updates with the latest information as soon as we are able to share.”