This attack was used to steal a number of tokens, including wBTC, wETH, AAVE, FRAX, and various stablecoins.
On the 24th of June, the Horizon bridge connecting Harmony – a Layer-1 PoS blockchain built for native token ONE – to the Ethereum and Binance Chain ecosystem was hacked, leading to a loss of approximately $100 million in ETH. The exploit was announced on Twitter by the Harmony team, who stated that they are hunting for the culprit.
The Latest in a Series of Vulnerabilities
1/ The Harmony team has discovered a theft of around $100MM that took place on the Horizon bridge this morning. To find the offender and recover the stolen monies, we have started cooperating with national authorities and forensic experts.
Since then, the bridge has been closed to stop more casualties. The BTC bridge remains unaffected, according to the developers of Harmony.
The attack seems to have occurred over a period of 17 hours, beginning with a massive transaction costing 4,919 ETH and continuing with a number of lesser transactions valued between 911 and 0.0003 ETH. The final one happened after the bridge was closed.
The hack is the latest in a series of exploits affecting the crypto space, such as the Axie Infinity drain, Solana Wormhole, or, more recently, the (misplaced) Optimism fiasco. Another recent vulnerability, the Demonic exploit, which affected multiple crypto wallets, was patched before any damage could be done.
Exchanges have reportedly been notified, as well as “national authorities and forensic specialists.” Unfortunately for Harmony, the former may not be of much help in the event the identity of the hacker is discovered, depending on the jurisdiction that the hacker may be located in.
“To prohibit additional transactions, we have also alerted exchanges and shut down the Horizon bridge. As the investigations proceed, the crew is working nonstop. As we research this further and gather additional data, we’ll keep everyone informed.”
Prior Warning Issued By Independent Researchers
Curiously, a warning was issued by an independent researcher and blockchain dev Ape Dev back on the 2nd of April. In a series of tweets, Ape Dev called attention to the fact that the security of the Harmony Bridge was built around a multi-sig wallet with only four owners.
By convincing two of the owners to approve transactions worth up to $330 million, he anticipated that this could be used to carry out a very straightforward attack.
Brendan Eich, the CEO and co-founder of Brave, has publicly acknowledged his investigative skills.
It’s unclear if the Harmony attacker came up with the idea on their own or if Ape Dev’s suggestion inspired them. In either instance, the warning should have given Harmony engineers enough time to safeguard their systems because it was issued about three months before the terrible incident.
The security requirements of different blockchain-based platforms will undoubtedly be examined by third parties with greater regularity – and fairly so, as cyberattacks are becoming more and more common in the cryptocurrency industry.
