Harmony Protocol’s Horizon bridge exploited, $100M stolen
Harmony has suspended the operations of the exploited bridge and has informed the authorities about the hack.
Layer-1 blockchain network Harmony Protocol (ONE) said on June 24 that a hacker exploited its horizon bridge, and roughly $100 million worth of tokens on the bridge were stolen.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
The attack is one of the biggest in recent weeks. Harmony said it has started “working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”
The team added that the exploit did not affect the trustless Bitcoin (BTC) Bridge, and assets stored in decentralized vaults remain safe.
The Horizon bridge connects the Harmony protocol with other networks such as Ethereum and Binance Smart Chain, allowing the transfers of cryptocurrencies, stablecoins, and NFTs between the Harmony blockchain and the network.
Harmony was warned of the vulnerability
In April, blockchain developer and researcher Ape Dev warned about Harmony’s weak security. They predicted that a malicious party could exploit it in an attack that could lead to losses of up to $330 million.
The security of the bridge is currently predicated on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which are required to consent in order to execute an arbitrary transaction (i.e. drain the $330m). pic.twitter.com/sgYmyPrYgf
— Ape Dev (@_apedev) April 1, 2022
According to available information, the attacker moved the funds in 12 transactions using three attack addresses. As a result, they could move funds to tokens such as ETH, WBTC, USDT, AAVE, WETH, FXS, SUSHI, FRAX, DAI, BUSD, and AAG.
The attacker was able to gain control of the MultiSigWallet and confirmed the transactions to transfer the stolen funds directly.
Harmony Protocol's Horizon bridge was hacked and $100 million were drained earlier today.
The bridge was essentially a 2 of 5 multisig. If any 2 addresses told it to transfer funds to someone, it did.
The hacker compromised 2 addresses and made them drain the money. 🧵👇 pic.twitter.com/hv1JWDy9WQ
— Mudit Gupta (@Mudit__Gupta) June 24, 2022
While the hacker’s identity remains unknown, the fact that the Harmony team could have prevented the attack will raise questions about its security amongst the crypto community.
Most of the stolen tokens were still in the attacker’s wallet as of press time. However, the attacker has started converting the stolen funds into ETH through Uniswap.
The @harmonyprotocol bridge exploiter 0x0d04…ed00 stole 11 different erc-20 tokens and 13,100 Ether from the bridge.
They then transferred other erc-20 tokens to two other wallets to swap via uniswap and others dexs back to eth, and finally it back to 0x0d04…ed00. pic.twitter.com/HY5JepVrPu
— MistTrack (@MistTrack_io) June 24, 2022