The Harmony team has confirmed that the Horizon bridge has been exploited for approximately $100 million in various tokens.
Harmony Bridge Hit for $100M
Harmony, an EVM-compatible Proof-of-Stake blockchain, had its Horizon cross-chain bridge compromised in a major security breach.
In a Friday morning tweet, the Harmony team announced that Horizon, the bridge connecting the Harmony network to BNB Chain and Ethereum, had been attacked for about $100 million in various tokens. “The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM,” a post from the official Harmony Twitter account said, adding that the team was already working with national authorities and forensic experts to track down the attacker and potentially retrieve the stolen funds.
According to on-chain data, the exploit began around 12:02 UTC on Thursday and lasted approximately 15 hours. The attacker carried out 16 malicious transactions, ranging in size from 14,190 ETH down to 30 ETH, before the Harmony team detected the attack and shut down the Horizon bridge to prevent further malicious transactions. After stealing approximately $100 million in tokens, including Frax, Frax Shares, wrapped Ethereum, wrapped Bitcoin, Aave, Sushi, Tether, and Binance USD, the attacker sent them to different wallets, swapped them for Ethereum on the decentralised exchange Uniswap, and then transferred the stolen funds back to the originating wallet.
The attacker has not yet attempted to anonymise the stolen funds using a privacy protocol such as Tornado Cash, which is unusual for these types of exploits. In a subsequent tweet, the Harmony team stated that it is collaborating with the Federal Bureau of Investigation and multiple cyber security firms to track down and identify the attacker. Because of the involvement of US authorities, there is a chance that the Office of Foreign Assets Control will add the attacker’s wallet to its blacklist of sanctioned addresses, effectively preventing it from laundering the stolen funds through Tornado Cash.
While Harmony has not yet disclosed specifics about how the exploit occurred, blockchain security experts believe the attacker gained access to at least two of the five private keys of the multi-signature wallet controlling the Horizon bridge smart contracts. Ape Dev, the pseudonymous founder of crypto-focused venture firm Chainstride Capital, first mentioned this attack vector in April. They claimed to have investigated the Harmony bridge on Ethereum and discovered that “if two of the four multisig signers are compromised, we’re going to see another 9 figure hack,” which appears to be exactly what happened yesterday.
Mudit Gupta, Polygon’s chief information security officer, stated that this was not a “blockchain hack” but rather a “traditional hack” and speculated that the attacker most likely compromised the servers hosting the keys of Horizon’s multi-signature wallet. “Once inside the server, they could access the keys that were kept in plaintext for signing legitimate transactions,” he said, adding that the exploit is “eerily similar” to Axie Infinity’s $551.8-million Ronin Network exploit from March. The US Treasury Department confirmed in April that the Ronin Network exploit was carried out by North Korea’s state-sponsored cybercrime group, Lazarus Group.
Harmony stated that the exploit had no effect on its trustless Bitcoin bridge and that it would continue to update the public with new information as it comes in.