Harmony Loses $100m During Today’s Horizon Bridge Hack
Securities.io is committed to rigorous editorial standards. We may receive compensation when you click on links to products we review. Please view our affiliate disclosure. Trading involves risk which may result in the loss of capital.
Harmony, a blockchain platform designed to facilitate the creation and use of dApps, announced early this morning that it suffered a hacking attack. According to the team’s announcement, the attacker targeted the project’s Horizon bridge, stealing approximately $100 million (1,148.63 ETH) as a result.
Harmony already started the investigation
While Harmony reported the incident soon after it happened, its team reacted quickly, and they first notified the proper authorities. In the initial announcement, Harmony noted that it already started the investigation, working with national authorities as well as forensic specialists in order to try and identify the culprit, and, if possible, retrieve the stolen funds.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
Following the initial announcement, Harmony managed to identify the 0x address that the attacker used, which was also shared in the next announcement.
2/ 0x address of the culprit below:https://t.co/VXO7s6FpIy
— Harmony 💙 (@harmonyprotocol) June 23, 2022
The address balance currently sits at 85,867.25322706327167346 Ether.
Soon after sharing the address, Harmony noted that the incident did not impact the trustless BTC bridge. The funds stored on this bridge, as well as all the assets stored within decentralized vaults remain untouched, and the team said that they are safe at this time.
Furthermore, Harmony’s team also notified the exchanges of the incident, and it halted the Horizon bridge for the time being, meaning that further transactions will not be possible until the team identifies and patches the vulnerability. The project added that “The team is all hands on deck as investigation continues.”
However, the project promised that it will continue to keep the community updated as new results of the investigation become apparent.
Community’s token bridge concerns proved true
The hack may vindicate certain concerns that the community raised in the past, regarding the robustness of the two of four multisig that are securing the bridge. One mention of this came from Ape Dev, the founder of Chainstride Capital’s crypto-focused venture fund. Ape Dev stated back in early April that the low number of required signers will leave the bridge open for an attack.
The security of the bridge is currently predicated on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which are required to consent in order to execute an arbitrary transaction (i.e. drain the $330m). pic.twitter.com/sgYmyPrYgf
— Ape Dev (@_apedev) April 1, 2022
Ethereum’s Vitalik Buterin is another example, as he discussed the problems that token bridges are facing even earlier, back in January. Buterin noted that the bridges have a high likelihood of getting exploited, which threatens the liquidity of all affected chains.
My argument for why the future will be *multi-chain*, but it will not be *cross-chain*: there are fundamental limits to the security of bridges that hop across multiple "zones of sovereignty". From https://t.co/3g1GUvuA3A: pic.twitter.com/tEYz8vb59b
— vitalik.eth (@VitalikButerin) January 7, 2022
The exploit has, so far, allowed the hacker to steal numerous tokens, including Frax (FRAX), Wrapped Ether (WETH), Sushi (SUSHI), Aave (AAVE), Binance USD (BUSD), Frax Share (FXS), Dai (DAI), AAG (AAG), Wrapped Bitcoin (WBTC), USD Coin (USDC), and Tether (USDT).
Starting at 7:08 AM ET and ending at 7:26 am, the attacker managed to make 11 transactions for the mentioned cryptocurrencies. The tokens were sent to different wallets to swap for ETH on Ethereum-based DEX, Uniswap, and then Ethereum was sent back to the original wallet.
The bridge currently enables seamless transfers between Harmony and several blockchains, including Ethereum, Bitcoin, and Binance Chain, with Harmony being the Bridge’s operator.
To learn more visit our Investing in Harmony guide.