Harmony Hacked, Around $100M Stolen, $1M Bounty for the Return of Funds
- Harmony’s Horizon bridge was exploited on June 23rd, with a loss of more than $100M. According to Harmony Team, the exploit has not affected Harmony’s One Token.
Below is a quick overview of this project.
Harmony is an open and fast blockchain. Its mainnet runs Ethereum DApps with 2-second transaction finality and 100 times lower fees. Its bridges offer cross-chain transfers with Ethereum, Binance, and three other chains.
What was the Team’s response to the Attack?
Around 4:34 AM IST on June 24th, the Harmony team has tweeted and informed the community about this Attack. According to the team, As soon as the team was notified of this Attack, they contacted multiple national authorities and forensic specialists to identify the culprit and retrieve the stolen funds..
The team has also told its users that this Attack does not impact the trustless BTC bridge. Its funds and assets are stored in decentralized vaults that are safe at this time. The team has also notified the crypto exchanges and told them to stop the Horizon bridge from their end.
Here is the Hacker’s address: https://etherscan.io/address/0x0d043128146654c7683fbf30ac98d7b2285ded00.
All the stolen funds are moving towards Tornado Cash by the Hacker. Below is the screenshot of some recent transactions into Tornado Cash.
Here, the attacker has transferred around ~18K $ETH, i.e., around ~22M.
Here, the attacker has transferred around ~6K $ETH, i.e., around ~7M.
Here, the attacker has again transferred around ~6K $ETH, i.e., around ~7M.
How did the Harmony Attack occur?
On June 23rd, 2022, at 11:06:46 AM +UTC, the bridge between Harmony chain and Ethereum experienced multiple exploits. There were a series of twelve transactions performed by the attacker where three addresses were involved. The attacker did this by controlling the owner of the MultiSigWallet to call the
confirmTransaction() directly to transfer large amounts of tokens from the bridge on Harmony.
According to the Founder Stephen Tse, no evidence of a smart contract code breach or any vulnerability was found on the Horizon platform. But, the team has also found that private keys were compromised. This was why Horizon bridge was hacked.
Note: Private keys were doubly encrypted using a passphrase and a key management service. No single machine had access to multiple plaintext keys, and a system was designed to avoid persistent storage of plaintext secrets at rest.
The attacker could access and decrypt several of these keys, some of which was used to sign unauthorized transactions. All stolen assets were swapped to ETH. The team has migrated the Ethereum side of the Horizon bridge to a 4-of-5 multisig since the incident.
What is the Team doing now?
Harmony Protocol’s investigation team comprises US, Greece, India, and Cambodia engineers. Team members handed off their findings to Harmony’s US colleagues at 8:30 AM PST on June 24th, who are doing this investigation alongside our cyber security partners.
Harmony team is also working with two highly reputable blockchain tracing and analysis partners and collaborating with the FBI as part of an investigation into this criminal act. Also, the team is exploring multiple ways to secure the Harmony ecosystem.
Harmony has committed a $1M bounty in exchange for the return of the funds. In addition, the team will advocate for no criminal charges when the funds are returned.
As crypto hacks are increasing nowadays, our readers should stay alert. Here are some latest hacked Projects our readers should know about;