Breaking: Harmony’s Horizon Bridge hacked for $100M

Published at: June 24, 2022

The Horizon Bridge to the Harmony layer-1 blockchain has been exploited for $100 million in altcoins which are being swapped for Ether (ETH).

The hack may vindicate previously raised community concerns about the robustness of the two-of-four multisig that reportedly secures the bridge.

Between about 7:08 am EST and 7:26 am EST, 11 transactions moved various tokens out of the bridge. The attacker has since begun sending tokens to a different wallet to swap for ETH on the Uniswap decentralized exchange (DEX), then sending the ETH back to the original wallet.

1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.

— Harmony (@harmonyprotocol) June 23, 2022

So far, Frax (FRAX), Wrapped Ether (wETH), Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC) and USD Coin (USDC) have been stolen from the bridge through this exploit.

The Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin. Harmony, the operator of the bridge, announced late on Thursday that the bridge has been halted. It said the BTC bridge and its assets have not been affected by the attack.

The Harmony team also said it was working with “national authorities and forensic specialists” to determine who was responsible. A post-mortem is sure to follow.

The developers and the co-founder of Harmony, Nick White, did not respond to requests for comment. Harmony is a layer-1 blockchain using proof-of-stake (PoS) consensus. Its native token is ONE.

Concerns have previously been expressed about the soundness of Horizon’s multisig wallet on Ethereum, which required only two of its four signers to approve a transaction, enough to drain the funds. Ape Dev, a founder of the crypto-focused venture fund Chainstride Capital, noted on Twitter on April 2 that the low number of required signers would leave the bridge open for “another 9 figure hack.”

The security of the bridge is currently predicated on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which are required to consent in order to execute an arbitrary transaction (i.e. drain the $330m). pic.twitter.com/sgYmyPrYgf

— Ape Dev (@_apedev) April 1, 2022

Ape Dev’s prediction appears to have become a reality as the bridge is now down $100 million in assets.

He is far from the only developer in crypto to have qualms with the security of token bridges.

Vitalik Buterin discussed the issues with token bridges in a Reddit post this January. He posited that when bridges get exploited, it threatens the liquidity of each chain affected. He added that as the number of token bridges increases, the threat of a 51% attack on one chain could present a greater contagion risk to others.

Since his prediction, Meter’s token bridge, Axie Infinity’s Ronin Bridge and the Wormhole Bridge were exploited for a combined total of nearly $1 billion.

The national authorities and forensic specialists should be investigating *you* to figure out what kind of broken security practices allowed this "theft" to happen.

— Chris Blec (@ChrisBlec) June 24, 2022

Multisignature schemes are a recurring weak point in bridge attacks. The Ronin Bridge was secured by nine validators, only five of which were required to verify a transaction. The attacker took control of the required five validators and extracted over $600 million in assets.
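To put numbers on the threshold concern raised about Horizon's two-of-four wallet and Ronin's five-of-nine validator set, the following added example (not code from Harmony, Ronin or the original article) computes how likely an attacker is to reach the signing threshold. It assumes each key, or each group of keys held in one operational domain, is compromised independently with probability `p`; the value 0.05 and the grouping `[2, 1, 1]` are constructed for illustration, not taken from either incident.

```python
from itertools import product
from math import comb


def p_threshold_met(m: int, n: int, p: float) -> float:
    """P(at least m of n keys compromised), keys failing independently with probability p."""
    if not (1 <= m <= n) or not (0.0 <= p <= 1.0):
        raise ValueError("need 1 <= m <= n and 0 <= p <= 1")
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(m, n + 1))


def p_threshold_met_grouped(m: int, groups: list[int], p: float) -> float:
    """Same question when keys share operational domains.

    groups[i] is the number of signer keys held in domain i (same host, team
    or custody process). A domain is compromised with probability p and then
    yields every key it holds.
    """
    if m < 1 or m > sum(groups) or any(g < 1 for g in groups):
        raise ValueError("invalid threshold or group sizes")
    total = 0.0
    for outcome in product((False, True), repeat=len(groups)):
        if sum(g for g, hit in zip(groups, outcome) if hit) < m:
            continue  # attacker holds fewer than m keys in this outcome
        prob = 1.0
        for hit in outcome:
            prob *= p if hit else 1 - p
        total += prob
    return total


def compare(p: float = 0.05) -> dict[str, float]:
    """Constructed scenarios; p is an illustrative value, not a measurement."""
    return {
        "2-of-4, independent keys": p_threshold_met(2, 4, p),
        "3-of-4, independent keys": p_threshold_met(3, 4, p),
        "5-of-9, independent keys": p_threshold_met(5, 9, p),
        "2-of-4, two keys in one domain": p_threshold_met_grouped(2, [2, 1, 1], p),
    }


if __name__ == "__main__":
    for label, prob in compare().items():
        print(f"{label:32s} {prob:.6f}")
```

The grouped case shows that a threshold only protects as far as the keys sit in separate failure domains: once two of the four keys share one domain, a single compromise meets a two-key threshold.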


The market does not yet appear to have responded to the attack as prices of all the coins and tokens in question have not made a significant move. However, ONE has dropped 7.4% over the past 24 hours, with most of the fall coming in the past 5 hours. It is trading at $0.024 according to CoinGecko.
