HARMONY-HORIZON BRIDGE HACK

Author(s): Royalty#3684 and hamzat_iii#5660

Editor(s): FINE#8385

Last updated: 3rd Sept 2022

Introduction

On the night of Thursday, 23rd June 2022, Harmony's blockchain bridge, Horizon, announced that it had been hacked and that about $100 million in crypto funds had been lost. This immediately made it one of the biggest crypto hacks, at least in recent weeks.

The hack was announced via their Twitter account:

“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”

“Note this does not impact the trustless BTC bridge; its funds and assets stored on decentralized vaults are safe at this time. We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands on deck as investigations continue. We will keep everyone up to date as we investigate this further and obtain more information.”

What does the hack signify? What is being done to identify and apprehend the culprit(s)? What is being done to prevent future hacks like this?

This article discusses these, but let’s start with what Harmony is!

Harmony Blockchain Network

Harmony is an open and fast blockchain. Their mainnet runs Ethereum applications with 2-second transaction finality and 100 times lower fees. They also secure bridges and offer cross-chain transfers with Ethereum, Binance, and 3 other chains.

Harmony built the Horizon bridge, so Horizon is part of the Harmony protocol project.

Now, what does the Horizon bridge do?

Horizon’s main purpose is to enable the transfer of assets from Ethereum (or Binance Smart Chain) to Harmony. Users holding assets on Ethereum (or Binance Smart Chain) can exchange them for corresponding assets on Harmony. Horizon also allows redemption of the exchanged assets back to the user's Ethereum (or Binance Smart Chain) account at any time. What this means is that there are thousands of wallets connected to Horizon bridge, Binance, ETH, KuCoin, OKX, and a wide range of blockchains.

The Hack

On 23rd June 2022 at 4:13 pm (UTC+1), the Harmony team announced the shock of a lifetime on their Twitter page: there had been a hack on their system. At 5:30 a.m. PST, the bridge was compromised through 11 transactions that extracted tokens stored in the bridge. The estimated value of the attack was approximately $100 million USD.

Culprit address: 0x0d043128146654c7683fbf30ac98d7b2285ded00

On 25th June, Harmony’s founder, Stephen Tse, updated the community on the current status of the investigation and shared some key insights gathered since the start of the investigation into the Horizon bridge hack. Stephen’s update was posted via Twitter at 8:15 pm PST:

“First and foremost, confidentiality is paramount to maintaining the integrity of this ongoing investigation. Specific details have been omitted to protect sensitive data in the community's interest. The incident response team has found no evidence of any breaches of our smart contract codes or vulnerabilities on the Horizon platform. Our consensus layer of the Harmony blockchain remains secure. Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge. The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and key management service, and no single machine had access to multiple plaintext keys.

The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSD, USDC, ETH, and WBTC. All assets were then swapped to ETH and currently remain on the hacker’s account on the Ethereum network. No steps have currently been taken by the hacker to anonymize ownership of these assets. At this time, the team has mitigated the Ethereum side of the Horizon bridge to a 4-of-5 multisig since the incident and continues to enhance our operations and infrastructure security. We want to remind our community that we are in the midst of an ongoing investigation and will continue to keep each and every one of you as up-to-date as we can. Thank you for your support as the investigation continues.”
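The 4-of-5 multisig mitigation quoted above means a withdrawal is honoured only when four distinct authorised signers approve the same payload. The sketch below is an added example, not Harmony's code: the signer names, keys and payload format are constructed, and HMAC-SHA256 stands in for the on-chain signatures a real bridge contract would verify.

```python
import hashlib
import hmac

# Constructed demo keys: one secret per bridge signer (hypothetical names).
SIGNER_KEYS = {f"signer{i}": f"demo-secret-{i}".encode() for i in range(1, 6)}
THRESHOLD = 4  # the 4-of-5 policy quoted above


def sign(signer: str, payload: bytes, keys=SIGNER_KEYS) -> str:
    """HMAC-SHA256 stand-in for a signer's signature over the payload."""
    return hmac.new(keys[signer], payload, hashlib.sha256).hexdigest()


def valid_signers(payload: bytes, approvals, keys=SIGNER_KEYS) -> set:
    """Return the distinct authorised signers whose tag verifies over payload."""
    ok = set()
    for signer, tag in approvals:
        key = keys.get(signer)
        if key is None:
            continue  # not an authorised signer
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            ok.add(signer)  # a set, so a repeated signer counts once
    return ok


def authorise(payload: bytes, approvals, threshold=THRESHOLD) -> bool:
    """Allow the withdrawal only if enough distinct signers approved it."""
    return len(valid_signers(payload, approvals)) >= threshold


def demo():
    # Constructed payloads; the recipient values are placeholders.
    withdrawal = b"withdraw|token=ETH|amount=100|to=0xRECIPIENT_PLACEHOLDER|nonce=7"
    other = b"withdraw|token=ETH|amount=100|to=0xOTHER_PLACEHOLDER|nonce=7"
    names = ("signer1", "signer2", "signer3", "signer4")
    four = [(s, sign(s, withdrawal)) for s in names]
    three = four[:3]
    return {
        "four_distinct": authorise(withdrawal, four),
        "three_only": authorise(withdrawal, three),
        "duplicate_signer": authorise(withdrawal, three + [three[0]]),
        "wrong_payload": authorise(withdrawal, three + [("signer5", sign("signer5", other))]),
        "unknown_signer": authorise(withdrawal, three + [("signer9", "00" * 32)]),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'authorised' if allowed else 'rejected'}")
```

Only the first case is authorised: three valid approvals padded with a duplicate, an approval over a different payload, or an unknown signer all stay below the threshold.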

What is being done?

Following the attack, multiple cyber security partners, exchange partners, and the FBI were notified and asked to assist with an investigation to identify the culprit and find ways to retrieve the stolen assets. With those contacts established, Harmony announced the hack via Twitter (link below) with a description of what occurred and its next steps. Further, the team attempted to communicate with the hacker through a message embedded in a transaction to the culprit’s address (above) at approximately 5:30 PM PST. The ongoing investigation limits what information can be shared with the public, but Harmony continues to provide updates with the latest information.

What does the hack signify?

Blockchain or network hacks have become rather too common. The hack of the Harmony bridge follows a series of notable attacks on other blockchain bridges, such as the Ronin Network (play-to-earn game Axie Infinity’s Ethereum-based sidechain), which lost more than $600 million in March in an attack that U.S. officials linked to Lazarus (a North Korean state-backed hacking group). Similarly, Wormhole (a popular DeFi platform) was hacked in February and lost almost $325 million.

Blockchain bridges are an essential part of the cryptocurrency ecosystem, which has made them prime targets for malicious attacks. These attacks continue to reinforce the need to prioritize security.

Till blockchain bridges get their houses in order, researchers warn, these hacks are going to continue happening!

REFERENCE
