Hacker exploits Harmony blockchain bridge, plunders $ 100 million in crypto – TechCrunch
A hacker has exploited a vulnerability to steal $ 100 million from Harmony’s Horizon Bridge, which allows users to transfer cryptocurrencies from one blockchain to another.
Harmony, the US crypto startup behind Horizon, said in a blog post on Friday that it had been notified of a “malicious attack” on its proprietary Horizon blockchain bridge on Thursday. Blockchain bridges, also known as cross-chain bridges, facilitate communication between different blockchains and allow users to send assets from one chain to another. Using Harmony’s Horizon bridge, for example, users can move assets – including tokens, stack coins and NFTs – between Ethereum, Binance Smart Chain and Harmony blockchains.
Harmony said the culprit behind the attack – as the company pointed out in a tweet – stole close to $ 100 million in cryptocurrency from the blockchain bridge.
According to the blockchain analysis company Elliptic, a number of cryptocurrencies were seized, including Ethereum, Binance Coin, Tether, USD Coin and Dai. Elliptic added that the stolen tokens have now been switched to Ethereum using decentralized exchanges – a “common set technique with these hacks,” it said.
Harmony said in its blog post that immediately after the attack, several cyber security partners, exchange partners and the FBI were alerted and asked to help with an investigation to identify the culprit and retrieve the stolen assets. “Furthermore, the team has tried to communicate with the hacker with a built-in message in a transaction to the culprit’s address,” it said in the blog post.
Harmony added that they had stopped the Horizon Bridge to prevent further transactions. Harmony’s bridge for bitcoin was unaffected.
“This incident is a humble and unfortunate reminder of how our work is crucial to the future of this space, and how much of our work lies ahead of us,” the blog post said. “Ongoing surveys pose a challenge for what information is allowed to be shared with the public, but we will continue to provide updates with the latest information as soon as we are able to share.”
Harmony has not disclosed exactly how the funds were stolen and did not comment when contacted by TechCrunch.
However, an investor which goes after the handle Ape Dev had concerns about the safety of the Horizon Bridge as far back as April. The researcher warned on Twitter that the security of the Horizon Bridge was hung on a multi-signature – or “multisig” – wallet that only required two signatures to start transactions. Multisig wallets require the consent of several parties to ensure extra security on transactions.
“So all in all, if two of the four multisig signers are compromised, we’ll see another nine-digit hack,” wrote Ape Dev, founder of the cryptocurrency fund Chainstride Capital, on April 1. Given all that has been going on lately, it would be interesting to hear some details from @harmonyprotocol on how these [externally owned accounts] is secured. “
The Harmony bridge hack follows a series of notable attacks on other blockchain bridges. Ronin Network, an Ethereum-based side chain created for the popular play-to-earn game Axie Infinity, lost more than $ 600 million in March, an attack that US officials have since linked to North Korean state-sponsored hacker group Lazarus. Similarly, the decentralized financial platform Wormhole lost nearly $ 325 million to hackers in February after exploiting a security breach in the smart contract code.
