- Harmony’s cross-chain bridge Horizon has been exploited for around $100 million in various tokens.
- The attacker has sold all stolen funds for Ethereum, but is to launder them through a privacy-protocol like Tornado Cash.
- The Harmony team is reportedly working with the Federal Bureau of Investigation and multiple cyber security firms to identify the attacker.
Share this article
The Harmony team has confirmed the Horizon bridge has been exploited for approximately $100 million in various tokens.
Harmony Bridge Hit for $100M
Harmony, an EVM-compatible Proof-of-Stake blockchain, has had its Horizon cross-chain bridge exploited in a major security breach.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
The Harmony team confirmed in a Friday morning Twitter post that Horizon, the bridge that connects the Harmony network to BNB Chain and Ethereum, had been exploited for around $100 million in various tokens. “The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM,” a post from the official Harmony Twitter account said, adding that it’s already working with national authorities and forensic experts to identify the attacker and potentially retrieve the stolen funds.
According to on-chain data, the exploit began at around 12:02 UTC on Thursday and lasted for about 15 hours. The attacker executed 16 malicious transactions of various sizes, ranging from 14,190 to 30 ETH before the Harmony team noticed the attack and halted the Horizon bridge to prevent further malicious transactions. After stealing approximately $100 million worth of various tokens, including Frax, Frax Shares, wrapped Ethereum, wrapped Bitcoin, Aave, Sushi, Tether, and Binance USD, the attacker sent them to different wallets, swapped them for Ethereum on the decentralized exchange Uniswap, and then transferred the stolen funds back to the originating wallet.
Uncommon for these types of exploits, the attacker has not yet tried to anonymize the stolen funds through a privacy-protocol like Tornado Cash. In a follow-up Tweet, the Harmony team stated that it’s working with the Federal Bureau of Investigation and multiple cyber security firms to track and identify the attacker. The involvement from U.S. authorities means there is a possibility that the Office of Foreign Assets Control will add the attacker’s wallet to its sanctioned addresses blacklist, effectively disabling it from laundering the stolen funds through Tornado Cash.
While Harmony hasn’t yet shared specific details about how the exploit occurred, blockchain security experts have speculated that the attacker likely gained access to at least two of the five private keys of the multi-signature wallet controlling the Horizon bridge smart contracts. This attack vector was already highlighted in April by Ape Dev, the pseudonymous founder of the crypto-focused venture firm Chainstride Capital. They said they had investigated the Harmony bridge on Ethereum and found that “if two of the four multisig signers are compromised, we’re going to see another 9 figure hack,” which appears to be precisely what happened yesterday.
Mudit Gupta, the chief information security officer at Polygon, commented that this was not a “blockchain hack” but a “traditional hack,” and speculated that the attacker likely compromised the servers hosting the keys of Horizon’s multi-signature wallet. “Once inside the server, they could access the keys that were kept in plaintext for signing legit transactions,” he said, adding that the exploit is “eerily similar” to Axie Infinity’s $551.8-million Ronin Network exploit from March. In April, the U.S. Treasury Department confirmed that North Korea’s state-sponsored cybercrime group known as Lazarus Group was behind the Ronin Network exploit.
Harmony stated that its trustless Bitcoin bridge was unaffected by the exploit and that it would continue to update the public with new information as it comes in.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.