Blockchain company Harmony said $100 million in cryptocurrency was stolen from the platform on Thursday evening. The company said the FBI is now investigating the theft alongside several cybersecurity firms.
A cross-chain bridge – also known as a blockchain bridge – allows people to transfer tokens, assets, smart contract instructions and data between blockchains. They have become a ripe target for hackers in recent months and exploits in bridges have led to millions of dollars in losses.
Harmony – which helps people send cryptocurrency, stablecoins and NFTs between different blockchains like Ethereum and Binance Smart Chain – has notified other exchanges and stopped the Horizon bridge to prevent further transactions.
In a series of Tweets, the company said it is working with government agencies and specialists to find the people behind the attack and get the stolen funds back. The hackers stole about 85,837.252 Ethereum in the attack.
“We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands on deck as investigations continue,” the company said.
Blockchain security company PeckShield told The Record that right now, it seems like the attackers were able to compromise private keys that gave them the ability to validate fraudulent transactions.
The Harmony bridge is “managed by a 2-out-of-4 multisig,” PeckShield said, allowing the attackers to control funds held on the protocol through access to the private keys.
Another blockchain security company, CertiK, confirmed that once the attackers were able to access the owners of Horizon’s multiSig wallets, they began draining vast amounts of altcoins from Harmony.
Experts are still unsure of how hackers managed to gain control of the MultiSig Wallets, but CertiK criticized Harmony for having a system that only required two signatures to validate transactions.
“Horizon’s system of only requiring two out of four signatures has raised concerns in the past. Having only two signatures required to access such privileged controls is a glaring security vulnerability, and naturally makes an enticing target for a hacker,” CertiK said.
“In this way the attack bears some similarity to the Ronin Bridge hack in March of this year, where a hacker drained $600 Million after they gained control of the nodes required to validate withdrawals.”
Harmony was previously exploited in January and experts have long warned that the company’s system was vulnerable to these kinds of attacks. One expert specifically mentioned the idea that if two of the four multisig signers were compromised, there would be “another 9 figure hack.”
Blockchain bridge attacks have become increasingly common over the last year. In addition to the Ronin Bridge hack in March, a hacker abused a vulnerability in the Wormhole cryptocurrency platform in February to steal an estimated $322 million worth of Ether currency.
A week before the Wormhole hack, a similar attack took place against another blockchain bridge when a hacker stole $80 million from Qubit Finance.
“The fact that we are again seeing such huge losses from attacks on cross-chain bridges is a reminder both of the huge demand for this kind of infrastructure in web3, but also of their severe and persistent security vulnerabilities,” CertiK CEO Ronghui Gu told The Record.
“Solving the problems with cross-chain bridges is vital to ensuring a secure web3 ecosystem moving forward.”
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- Researchers Quietly Cracked Zeppelin Ransomware Keys - 23 November 2022
- Disneyland Malware Team: It’s a Puny World After All - 23 November 2022
- Top Zeus Botnet Suspect “Tank” Arrested in Geneva - 23 November 2022