The Horizon bridge to Harmony’s layer 1 blockchain has been exploited to get $100 million worth of altcoins being exchanged for Ether (ETH).
The hack may vindicate concerns previously raised by the community about the robustness of the two-out-of-four multisig that supposedly secures the bridge.
From 7:08 a.m. to 7:26 a.m. ET, 11 transactions were made from the bridge for various tokens. They have since started sending tokens to a different wallet to exchange for ETH on the Uniswap decentralized exchange (DEX), and then sending the ETH back to the original wallet.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
More
— Harmony (@harmonyprotocol) June 23, 2022
Harmony’s team has identified a theft that occurred this morning on the Horizont Bridge totaling approximately $100 million. We have started working with national authorities and forensic specialists to identify the culprit and recover the stolen funds.
So far, Frax (FRAX), Wrapped Ether (WETH). Aave (AAVE), Sushi (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD). Dai (DAI), Tether (USDT), Wrapped BTC (WBTC), and USD Coin (USDC) have all been stolen from the bridge via this exploit.
The Horizon bridge makes it easy to transfer tokens between Harmony and the Ethereum network, Binance chain, and Bitcoin. Harmony, the bridge operator, ad late on June 23 that the bridge has been stopped. He said that the BTC bridge and its assets have not been affected by the attack.
Harmony’s team also said it was working with “national authorities and forensic specialists” to determine who is responsible. An autopsy will surely be performed.
The developers and Harmony co-founder Nick White did not respond to requests for comment. Harmony is a layer 1 blockchain that uses proof-of-stake consensus. Its native token is ONE.
Concerns have previously been raised about the robustness of Horizon’s multisig wallet on Ethereum, which only required two of four signers to drain funds. One of the founders of cryptocurrency-focused venture fund Chainstride Capital, Ape Dev, he pointed on Twitter on April 2 that the low number of required signers would leave the bridge open for “another 9-figure hack.”
The security of the bridge is currently predicated on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which are required to consent in order to execute an arbitrary transaction (ie drain the $330m). pic.twitter.com/sgYmyPrYgf
— Ape Dev (@_apedev) April 1, 2022
The bridge’s security is currently based on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of whom must consent to execute an arbitrary transaction (ie drain the $330 million).
Ape Dev’s prediction appears to have come true, as the bridge is down $100 million in assets.
He is far from the only crypto developer who has qualms about the security of bridge tokens.
Vitalik Buterin discussed the issues with token bridges in a Reddit post this January. He stated that when the bridges are exploited, the liquidity of each affected chain is endangered. He added that as the number of token bridges increases, the threat of a 51% attack on one chain could present a higher risk of contagion to others.
Since his prediction, the Meter Token Bridge, the Ronin Bridge of Axie Infinity, and the Wormhole Bridge have each been mined for a combined value of nearly a billion dollars.
The national authorities and forensic specialists should be investigating *you* to figure out what kind of broken security practices allowed this “theft” to happen.
— Chris Blec (@ChrisBlec) June 24, 2022
National authorities and forensic specialists should investigate you to find out what kind of breach of security practices allowed this “theft” to take place.
Multisigs are a constant security issue in attacks. Ronin’s bridge was secured by nine validators, only five of which were needed to verify a transaction. The attacker took control of the five necessary validators and mined more than $600 million in assets.
The market does not seem to have responded to the attack yet, as the prices of all the coins and tokens in question have not made a significant movement. However, ONE has fallen 7.4% in the last 24 hours, with most of the drop occurring in the last 5 hours. It is trading at $0.024 according to CoinGecko.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.
Investments in crypto assets are not regulated. They may not be suitable for retail investors and the full amount invested may be lost. The services or products offered are not aimed at or accessible to investors in Spain.