Key points to remember
- Harmony’s cross-chain bridge, Horizon, has been exploited for around $100 million in various tokens.
- The attacker has sold all the stolen funds for Ethereum, but has yet to launder them through a privacy protocol like Tornado Cash.
- The Harmony team said it was working with the Federal Bureau of Investigation and several cybersecurity companies to identify the attacker.
The Harmony team has confirmed that the Horizon Bridge has been exploited for around $100 million in various tokens.
Harmony Bridge hit for $100 million
Harmony, an EVM-enabled Proof-of-Stake blockchain, had its Horizon cross-chain bridge exploited in a major security breach.
1/ The Harmony team has identified a theft that occurred this morning on the Horizon Bridge for an amount of approx. $100 million. We have started working with national authorities and forensic specialists to identify the culprit and recover the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
The Harmony team confirmed in a Friday morning Twitter post that Horizon, the bridge that connects the Harmony network to BNB Chain and Ethereum, has been exploited for around $100 million in various tokens. “The Harmony team has identified a theft that occurred this morning on the Horizon Bridge in the amount of approximately $100 million,” said a post from Harmony’s official Twitter account, adding that it was already working with national authorities and forensic experts to identify the attacker and potentially recover the stolen funds.
According to on-chain data, the exploit began around 12:02 UTC on Thursday and lasted around 15 hours. The attacker executed 16 malicious transactions of varying sizes, ranging from 14,190 to 30 ETH, before the Harmony team noticed the attack and shut down the Horizon Bridge to prevent further malicious transactions. After stealing around $100 million worth of various tokens including Frax, Frax Shares, Wrapped Ethereum, Bitcoin, Aave, Sushi, Tether and Binance USD, the attacker sent them to different wallets, exchanged them for Ethereum on the decentralized exchange Uniswap, then transferred the stolen funds back to the original wallet.
Unusually for these types of exploits, the attacker has yet to attempt to anonymize the stolen funds via a privacy protocol like Tornado Cash. In a follow-up tweet, the Harmony team said it was working with the Federal Bureau of Investigation and several cybersecurity companies to track and identify the attacker. The involvement of US authorities means it is possible that the Office of Foreign Assets Control will add the attacker’s wallet to its sanctioned addresses blacklist, preventing it from laundering stolen funds through Tornado Cash.
Although Harmony has yet to share specific details on how the exploit occurred, blockchain security experts have speculated that the attacker likely gained access to at least two of the five private keys of the multi-signature wallet controlling the Horizon Bridge smart contracts. This attack vector was already highlighted in April by Ape Dev, the pseudonymous founder of crypto-focused venture capital firm Chainstride Capital. They said they investigated the Harmony Bridge on Ethereum and found that “if two of the four multisig signers are compromised, we’re going to see another 9-digit hack”, which appears to be precisely what happened yesterday.
Mudit Gupta, Chief Information Security Officer at Polygon, commented that it was not a “blockchain hack” but a “traditional hack”, and speculated that the attacker had probably compromised the servers hosting the keys of Horizon’s multi-signature wallet. “Once inside the server, they could access keys that were kept in the clear to sign legitimate transactions,” he said, adding that the exploit was “strangely similar” to Axie Infinity’s $551.8 million Ronin Network exploit from March. In April, the US Treasury Department confirmed that North Korea’s state-sponsored cybercrime group known as the Lazarus Group was behind the Ronin Network exploit.
Harmony said its Bitcoin Trustless Bridge was unaffected by the exploit and would continue to update the public with new information as it comes in.
Disclosure: At the time of writing this article, the author of this article owned ETH and several other cryptocurrencies.