Horizon Offers $1M Bounty to Hackers Who Stole $100M
Attackers Appear to Have Compromised a Multi-Signature Contract
Blockchain company Harmony has offered a $1 million bounty to hackers who stole $100 million worth of Ethereum tokens. It also says it won’t push for criminal charges if the funds are returned.
The Horizon bridge is a cross-chain protocol connecting the Ethereum, Binance and Harmony blockchains. It allows the transfers of cryptocurrencies, stablecoins and non-fungible tokens between the Harmony blockchain and the other networks.
The company has attempted to contact the hackers via a transaction to their Ethereum wallet address, Harmony tells Information Security Media Group.
At the time of writing this story, the Blockchain Intelligence Group tells ISMG that the stolen funds remain in the hackers' wallet. But around 12 pm Eastern Time on Monday, the hackers moved 7,000 ETH to Tornado Cash, the company says. The exploiters' wallet currently holds a little over 67,830 ETH, which is likely to be laundered through Tornado Cash as well, it adds.
Tornado Cash is a virtual currency mixer. Mixers, or tumblers, help obscure the original source of funds. For instance, if you put in one crypto coin that needs obfuscation, the tumbler breaks it up into multiple pieces, mixes the pieces up with other clean coins and then redistributes random increments of the tumbled coins to designated cryptocurrency wallets at random times.
The company has shut down its services to prevent further losses.
The exploit did not affect the trustless Bitcoin - BTC - bridge, which means that the funds and assets stored in decentralized vaults are safe, the company says in its tweet thread.
Private Keys Compromised
The bridge was compromised by "11 transactions that extracted tokens stored in the bridge," according to Harmony's blog post. "The estimated value at the time of the attack was approximately $100 million USD," it says.
Harmony tells ISMG that the FBI is conducting a probe. When contacted, the FBI said it doesn’t confirm investigations.
#Harmony #Bridge which was recently exploited. Had crypto worth about 105M exploited on ETH and BSC.
ETH along with 11 tokens were stolen, which were later swapped for ETH.
Funds stolen remain currently unspent in both exploiter's ETH & BSC addresses pic.twitter.com/hT4S5twnAe
— Blockchain Intelligence Group (@blocksearch) June 24, 2022
The theft of funds from Horizon's Ethereum bridge was the result of the compromise of private keys, says Harmony founder Stephen Tse. The company has put together a 24/7 incident response team, comprising engineers from the U.S., Greece, India and Cambodia.
"The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys," he says.
The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions, he says, adding that the hacker has not made any attempt to anonymize the ownership of these assets.
The bridge was essentially a multi-signature contract, which required two out of five addresses to validate a transfer, says William Callahan, director of government and strategic affairs at Blockchain Intelligence Group.
In a multi-signature contract, as the name suggests, multiple signatories must approve a transaction before it’s executed.
"If any two out five addresses told the contract to transfer funds to someone, it did. In this case, the hacker likely compromised two addresses and made them transfer the crypto to his own wallet," Callahan tells ISMG.
"At this time, the team has mitigated the Ethereum side of the Horizon bridge to a four of five multisig since the incident and continues to enhance our operations and infrastructure security," Tse says.
He also says there is currently "no evidence" of a smart contract code breach or the existence of a vulnerability on the Horizon platform.
"Our consensus layer of the Harmony blockchain remains secure," he adds. The consensus mechanism of a blockchain essentially prevents bad actors from cheating. This layer ensures that pre-agreed ownership conditions are maintained.
Singapore-based AAG Ventures, which says it was affected by the Harmony exploit, has managed to freeze $78 million of the $84 million stolen from it. Lossless, the company AAG Ventures says it retained to prevent loss of funds, has published details of its investigation.
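The two-of-five rule Callahan describes, and the four-of-five setting Harmony moved to, can be modeled in a few lines. This is an added example, not Harmony's contract code: the signer names, the transfer message and the use of HMAC-SHA256 in place of on-chain ECDSA signatures are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed signer set: five hypothetical bridge signers with random keys.
# HMAC-SHA256 is a stand-in for the ECDSA signatures a real contract checks.
SIGNER_KEYS = {f"signer-{i}": secrets.token_bytes(32) for i in range(1, 6)}
# Constructed transfer message; the recipient is a placeholder.
TRANSFER = b"transfer 100 TOKEN to 0xRECIPIENT-PLACEHOLDER"


def sign(signer_id, message):
    """Return (signer_id, tag): one signer's approval of `message`."""
    tag = hmac.new(SIGNER_KEYS[signer_id], message, hashlib.sha256).digest()
    return signer_id, tag


def count_valid_approvals(message, approvals):
    """Count distinct authorized signers whose approval verifies."""
    approved = set()
    for signer_id, tag in approvals:
        key = SIGNER_KEYS.get(signer_id)
        if key is None:
            continue  # not one of the five authorized signers
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            approved.add(signer_id)  # set: repeats from one signer count once
    return len(approved)


def transfer_allowed(message, approvals, threshold):
    """M-of-N rule: execute only with at least `threshold` distinct signers."""
    return count_valid_approvals(message, approvals) >= threshold


def outcome_with_keys(held_ids, threshold):
    """Can a party holding only these signer keys get TRANSFER executed?"""
    approvals = [sign(s, TRANSFER) for s in held_ids]
    approvals = approvals * 2  # resubmitting the same approvals adds nothing
    return transfer_allowed(TRANSFER, approvals, threshold)


if __name__ == "__main__":
    two_keys = ["signer-1", "signer-2"]
    print("2-of-5, two keys held:", outcome_with_keys(two_keys, 2))
    print("4-of-5, two keys held:", outcome_with_keys(two_keys, 4))
    print("2-of-5, one key held: ", outcome_with_keys(["signer-1"], 2))
```

With the threshold at two, control of any two signer keys is enough to authorize a transfer; at four, the same two keys fall short, which is the effect of the change Tse describes.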
Other Bridge Attacks
There have been dozens of hacks involving blockchain bridges in the past few months. This graph from Chainalysis, a blockchain analysis and investigation company, shows the value of these incidents.
4/ Value stolen from #DeFi protocols now account for the vast majority of stolen funds. And as more value flows through cross-chain bridges, they have become more attractive targets. We’ve seen this before with attacks on the Ronin Bridge and Wormhole Network. pic.twitter.com/D9YKPmJsfE
— Chainalysis (@chainalysis) June 24, 2022
The biggest one so far involved Ronin Network, a sidechain tied to blockchain game Axie Infinity. In April, North Korean hackers breached the security of Ronin Network by gaining access to private keys used to forge fake withdrawals. The hackers stole 173,600 Ethereum and $25.5 million - totaling nearly $615 million. The hack was discovered five days after a user reported an inability to withdraw 5,000 in Ethereum from its bridge, or the port that allows inter-blockchain asset transfers (see: Crypto Hackers Exploit Ronin Network for $615 Million).
The company plans to reopen the bridge on Tuesday and reimburse users whose funds were stolen. "We plan on re-opening the Ronin Bridge on June 28, with all user funds returned," it says in a blog post.
In February, the Wormhole network, a token bridge that allows users to trade multiple cryptocurrencies across the Ethereum and Solana blockchains, was exploited for 120,000 ETH tokens ($321 million). It restored all funds and brought the network back up the same day (see: Wormhole Blockchain Bridge Exploited for Over $300 Million).
The same month, Meter, a blockchain infrastructure company that provides multichain bridging and allows users to trade multiple cryptocurrencies across Ethereum and other public chains, was also exploited for $4.4 million.
In August last year, a hacker - infamously dubbed "Mr. White Hat" - drained the Poly Network protocol of more than $600 million in cryptocurrency before gradually returning the funds. Experts suggested at the time that the hacker likely had trouble laundering the funds (see: Poly Network Says $600 Million in Cryptocurrency Stolen).
(This story was updated on June 27 to reflect the movement of funds from the hackers' crypto wallet.)