Blockchain company Harmony has offered a $1 million bounty to hackers who stole $100 million worth of Ethereum tokens. It also says it won’t push for criminal charges if the funds are returned.
The Horizon bridge is a cross-chain protocol connecting the Ethereum, Binance and Harmony blockchains. It allows transfers of cryptocurrencies, stablecoins and non-fungible tokens between the Harmony blockchain and the other networks, DataBreachToday.co.uk reports.
The company has attempted to contact the hackers via a transaction to their Ethereum wallet address, Harmony tells Information Security Media Group. At the time of writing this story, the Blockchain Intelligence Group tells ISMG that the stolen funds remain in the hackers’ wallet.
The company has shut down its services to prevent further losses.
The exploit did not affect the trustless Bitcoin – BTC – bridge, which means that the funds and assets stored in decentralized vaults are safe, the company says in its tweet thread.
Private Keys Compromised
The bridge was compromised by “11 transactions that extracted tokens stored in the bridge,” according to Harmony’s blog post. “The estimated value at the time of the attack was approximately $100 million USD,” it says.
Harmony tells ISMG that the FBI is conducting a probe. When contacted, the FBI said it doesn’t confirm investigations.
The theft of funds from Horizon’s Ethereum bridge was the result of the compromise of private keys, says Harmony founder Stephen Tse. The company has put together a 24/7 incident response team, comprising engineers from the U.S., Greece, India and Cambodia.
“The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys,” he says.
The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions, he says, adding that the hacker has not made any attempt to anonymize the ownership of these assets.
The bridge was essentially a multi-signature contract, which required two out of five addresses to validate a transfer, says William Callahan, director of government and strategic affairs at Blockchain Intelligence Group.
In a multi-signature contract, as the name suggests, a transaction is executed only after a predefined number of the authorized signers (here, two of the five addresses) have approved it.
“If any two out of five addresses told the contract to transfer funds to someone, it did. In this case, the hacker likely compromised two addresses and made them transfer the crypto to his own wallet,” Callahan tells ISMG.
“At this time, the team has mitigated the Ethereum side of the Horizon bridge to a four of five multisig since the incident and continues to enhance our operations and infrastructure security,” Tse says.
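The threshold change described above is easy to reason about with a small model. The following Python is an added example written for this article, not Harmony's or Horizon's code: it models an M-of-N approval check in which each validator key signs a canonical transfer message, the contract counts only distinct authorized signers with valid signatures, and a nonce blocks replay. HMAC-SHA256 with constructed secrets stands in for the ECDSA signatures a real contract would verify against public keys; the validator names, secrets and recipient address are all made up. The simulation shows that holding two of five keys clears a 2-of-5 threshold but not a 4-of-5 one, and that replaying the same two signatures does not change that.

```python
"""Model of an M-of-N multisig approval check (constructed example, not Harmony's code)."""
import hashlib
import hmac

# Constructed validator secrets. HMAC-SHA256 stands in for ECDSA here; a real bridge
# contract would hold only the validators' public keys, never their secrets.
SIGNER_KEYS = {
    "validator-1": b"constructed-secret-1",
    "validator-2": b"constructed-secret-2",
    "validator-3": b"constructed-secret-3",
    "validator-4": b"constructed-secret-4",
    "validator-5": b"constructed-secret-5",
}


def encode_transfer(recipient: str, amount_wei: int, nonce: int) -> bytes:
    """Canonical byte encoding of a transfer request; the nonce makes each request unique."""
    return f"transfer|{recipient}|{amount_wei}|{nonce}".encode()


def sign(secret: bytes, message: bytes) -> str:
    """Stand-in signature: HMAC-SHA256 over the canonical message."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class MultisigBridge:
    """Executes a transfer only when at least `threshold` distinct validators approve it."""

    def __init__(self, signer_keys: dict, threshold: int):
        if not 1 <= threshold <= len(signer_keys):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signer_keys = dict(signer_keys)
        self.threshold = threshold
        self.used_nonces: set = set()

    def count_valid_approvals(self, message: bytes, approvals: list) -> int:
        """Number of distinct authorized signers whose signature over `message` verifies."""
        approved = set()
        for signer_id, signature in approvals:
            key = self.signer_keys.get(signer_id)
            if key is None:
                continue  # unknown signer: never counted
            if hmac.compare_digest(sign(key, message), signature):
                approved.add(signer_id)  # a set, so a repeated signer counts once
        return len(approved)

    def execute_transfer(self, recipient: str, amount_wei: int, nonce: int, approvals: list) -> bool:
        """Return True if the transfer is authorized and executed, False otherwise."""
        if nonce in self.used_nonces:
            return False  # replay of an already-executed request
        message = encode_transfer(recipient, amount_wei, nonce)
        if self.count_valid_approvals(message, approvals) < self.threshold:
            return False
        self.used_nonces.add(nonce)
        return True


def transfer_authorized_with(threshold: int, held_keys: list, duplicate: bool = False) -> bool:
    """Would signatures from only `held_keys` validators clear an M-of-N threshold?"""
    bridge = MultisigBridge(SIGNER_KEYS, threshold)
    nonce = 1
    message = encode_transfer("0xRECIPIENT-PLACEHOLDER", 10**18, nonce)
    approvals = [(sid, sign(SIGNER_KEYS[sid], message)) for sid in held_keys]
    if duplicate:
        approvals = approvals * threshold  # submitting the same signatures again must not help
    return bridge.execute_transfer("0xRECIPIENT-PLACEHOLDER", 10**18, nonce, approvals)


if __name__ == "__main__":
    two = ["validator-1", "validator-2"]
    print("2-of-5, two keys held:    ", transfer_authorized_with(2, two))  # True
    print("4-of-5, two keys held:    ", transfer_authorized_with(4, two))  # False
    print("4-of-5, two keys repeated:", transfer_authorized_with(4, two, duplicate=True))  # False
```

The design point is the set in `count_valid_approvals`: a threshold check that counts signatures rather than distinct signers can be satisfied by one key presented several times, so the threshold is only as strong as the deduplication behind it. Raising M from two to four of five, as the quoted mitigation describes, means a compromise of the same two keys no longer meets the threshold, at the cost of needing four honest validators online for every legitimate transfer.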
He also says there is currently “no evidence” of a smart contract code breach or the existence of a vulnerability on the Horizon platform.
“Our consensus layer of the Harmony blockchain remains secure,” he adds. The consensus mechanism of a blockchain essentially prevents bad actors from cheating. This layer ensures that pre-agreed ownership conditions are maintained.
Singapore-based AAG Ventures, which says it was affected by the Harmony exploit, has managed to freeze $78 million of the $84 million stolen from it. Lossless, the company AAG Ventures says it retained to prevent loss of funds, has published details of its investigation here.
Other Bridge Attacks
There have been dozens of hacks involving blockchain bridges in the past few months. This graph from Chainalysis, a blockchain analysis and investigation company, shows the value of these incidents.
The biggest so far is the Ronin Network hack; Ronin is a sidechain tied to the blockchain game Axie Infinity. In April, North Korean hackers breached the security of Ronin Network by gaining access to private keys used to forge fake withdrawals. The hackers stole 173,600 Ethereum and $25.5 million – totaling nearly $615 million. The hack was discovered five days after a user reported being unable to withdraw 5,000 in Ethereum from its bridge, the port that allows inter-blockchain asset transfers (see: Crypto Hackers Exploit Ronin Network for $615 Million).
The company plans to reopen the bridge on Tuesday and reimburse users whose funds were stolen. “We plan on re-opening the Ronin Bridge on June 28, with all user funds returned,” it says in a blog post.
In February, the Wormhole network, a token bridge that allows users to trade multiple cryptocurrencies across the Ethereum and Solana blockchains, was exploited for 120,000 ETH tokens ($321 million). It restored all funds and brought the network back up the same day (see: Wormhole Blockchain Bridge Exploited for Over $300 Million).
The same month, Meter, a blockchain infrastructure company that provides multichain bridging and allows users to trade multiple cryptocurrencies across Ethereum and other public chains, was also exploited for $4.4 million.
In August last year, a hacker – infamously dubbed “Mr. White Hat” – drained the Poly Network protocol of more than $600 million in cryptocurrency before gradually returning the funds. Experts suggested at the time that the hacker likely had trouble laundering the funds (see: Poly Network Says $600 Million in Cryptocurrency Stolen).