The Horizon Bridge to the Harmony layer-1 blockchain has been exploited for $100 million worth of altcoins, which are being swapped for Ether (ETH).
The hack may vindicate previously expressed community concerns about the robustness of the two-of-four multisig reportedly securing the bridge.
From approximately 7:08 a.m. EST to 7:26 a.m. EST, 11 trades were made from the bridge for various tokens. Since then, the perpetrator has been sending tokens to another wallet to swap for ETH on the Uniswap decentralized exchange (DEX), then returning the ETH to the original wallet.
1/ The Harmony team identified a theft this morning on the Horizon Bridge for an amount of approximately $100MM. We have started working with national authorities and forensic specialists to identify the perpetrator and recover the stolen money.
— Harmony (@harmonyprotocol) June 23, 2022
So far, Frax (FRAX), Wrapped Ether (wETH), Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC) and USD Coin (USDC) have been stolen from the bridge in this exploit.
The Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin. Harmony, the operator of the bridge, announced late Thursday that the bridge had been shut down. It said the BTC bridge and its assets were not affected by the attack.
The Harmony team also said it was working with “national authorities and forensic specialists” to determine who was responsible. A post-mortem will certainly follow.
Harmony’s developers and co-founder Nick White have not responded to requests for comment. Harmony is a layer-1 blockchain that uses proof-of-stake (PoS) consensus. Its native token is ONE.
Concerns have previously been raised about the robustness of Horizon’s multisig wallet on Ethereum, which requires only two of its four signers to approve before funds can be moved. Ape Dev, a founder of the crypto-focused venture fund Chainstride Capital, noted on Twitter on April 2 that the low number of required signers would leave the bridge open to “another 9-digit hack”.
The bridge’s security is currently based on a multisig wallet implemented at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which have to agree to execute any transaction (i.e. drain the $330 million).
— Ape Dev (@_apedev) Apr 1, 2022
Ape Dev’s prediction seems to have come true as the bridge has now lost $100 million in assets.
He is far from the only developer in crypto who has concerns about the security of token bridges.
Vitalik Buterin discussed the issues with token bridges in a Reddit post in January. He argued that exploiting bridges threatens the liquidity of any chain involved. He added that as the number of token bridges increases, the threat of a 51% attack on one chain could pose a greater risk of contagion to others.
Since his prediction, Meter’s Symbolic Bridge, Axie Infinity’s Ronin Bridge, and Wormhole Bridge have each been exploited, for a combined total of nearly $1 billion.
National authorities and forensic specialists should be investigating *you* to find out what kind of broken security practices made this “theft” possible.
— Chris Blec (@ChrisBlec) June 24, 2022
Multisig wallets have been a recurring security weakness in these attacks. The Ronin Bridge was secured by nine validators, only five of which were needed to verify a transaction. The attacker took control of the required five validators and made off with more than $600 million in assets.
The market does not appear to have reacted to the attack yet as the prices of all the coins and tokens in question have not made a significant move. However, ONE is down 7.4% in the past 24 hours, with most of the drop occurring in the past 5 hours. It is trading at $0.024 according to CoinGecko.