
$100 million hack at Harmony due to compromised multisig scheme

The root cause of the massive hack that stole $100 million from Harmony last Wednesday may have been discovered.

Harmony suffers a $100 million hack

Last Wednesday, Harmony, a layer 1 blockchain company launched in 2019 by Stephen Tse, suffered a $100 million theft due to a hack.

Harmony is aiming to solve the persistent “blockchain trilemma” by balancing scalability with security and decentralization.

In a tweet, the company disclosed the attack and said it is working with the FBI, relevant authorities, and cybersecurity companies to try to recover the stolen funds.

The following day, Polygon’s chief information security officer, Mudit Gupta, said the hacker had apparently compromised the 2-of-5 multi-signature scheme on which the Harmony blockchain bridge is based.

Gupta explained:

“The hacker compromised 2 addresses and made them drain the money. The two addresses were likely hot wallets used to listen for and process legit bridging transactions”.
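
A minimal model of the M-of-N approval check Gupta describes, added here as an illustration and not taken from Harmony's bridge code. HMAC-SHA256 stands in for real signatures, and the signer names, keys, withdrawal message and the 4-of-5 comparison threshold are constructed assumptions.

```python
import hashlib
import hmac

# Constructed signer set: five bridge signers, each with a secret key.
# HMAC-SHA256 stands in for a real signature scheme (assumption).
SIGNER_KEYS = {f"signer{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
               for i in range(1, 6)}


def sign(signer_id, key, message):
    """Return (signer_id, tag) approving `message`."""
    return signer_id, hmac.new(key, message, hashlib.sha256).digest()


def approvals(message, signatures):
    """Return the set of distinct authorized signers with a valid tag."""
    valid = set()
    for signer_id, tag in signatures:
        key = SIGNER_KEYS.get(signer_id)
        if key is None:
            continue  # not a member of the signer set
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            valid.add(signer_id)  # a set, so a repeated signer counts once
    return valid


def authorize(message, signatures, threshold):
    """M-of-N check: at least `threshold` distinct valid signers."""
    return len(approvals(message, signatures)) >= threshold


def demo():
    withdrawal = b"release 1000 TOKEN to 0xCONSTRUCTED"  # constructed message
    # Model the reported scenario: two signer keys are no longer secret.
    exposed = ["signer1", "signer2"]
    sigs = [sign(s, SIGNER_KEYS[s], withdrawal) for s in exposed]
    return {
        "2-of-5": authorize(withdrawal, sigs, 2),
        "4-of-5 (assumed stricter policy)": authorize(withdrawal, sigs, 4),
        "one key repeated, 2-of-5": authorize(withdrawal, [sigs[0], sigs[0]], 2),
    }


if __name__ == "__main__":
    for policy, ok in demo().items():
        print(f"{policy}: {'authorized' if ok else 'rejected'}")
```

With a threshold of 2, the loss of any two keys is sufficient for authorization, which is why keeping two signers on hot wallets leaves no margin.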

Hacker steals $100 million from the Horizon bridge

How do bridges that enable cross-chain asset transfer work?

Blockchain bridges like Harmony’s Horizon have taken on an important role in decentralized finance, since they give users the ability to transfer their assets from one blockchain to another. In the specific case of Horizon, users can send tokens from the Ethereum network to Binance Smart Chain.

Bridges are now a very tempting target for hackers because of the vulnerabilities in their underlying code and the large amount of liquidity they need to store.

The founder of the Harmony protocol wrote in a report on the affair that:

“The team has found evidence that private keys were compromised, leading to the breach of our Horizon bridge — Funds were stolen from the Ethereum side of the bridge. Confidentiality is key to maintain integrity as part of this ongoing investigation — The omission of specific details is to protect sensitive data in the interest of our community”.

In a subsequent tweet, the company offered a $1 million reward to anyone who provided information that would be helpful in recovering the amounts stolen by the hackers.

Harmony, which was launched through Binance Launchpad via an Initial Exchange Offering (IEO), grossed 23 million in May 2019, while three years after launch it has a total market capitalization of about $1.5 billion. Harmony’s native token is called ONE and is used for transaction fees, staking, and governance, allowing holders to participate in decisions about the future of the network.

Vincenzo Cacioppoli
Vincenzo was born in Genoa but is Milanese by adoption. He holds a degree in political science. He is a journalist, blogger, writer, and expert in marketing and digital advertising. After long experience in traditional marketing, he began working with the web and digital advertising in 2011, founding a company, Le enfants. Always passionate about the web and innovation, in 2018 he began studying topics related to blockchain and cryptocurrencies. An independent cryptocurrency trader since March 2018, he works with companies in the sector as a content marketing specialist. On his blog, mediateccando.blogspot.com, he has long focused mainly on blockchain, which he considers the greatest technological innovation since the Internet. His first book on blockchain and fintech is due out in November.