The Harmony blockchain’s Horizon cross-chain bridge has been hacked, resulting in the theft of approximately US$100 million worth of assets.
The Harmony team says it has identified the hacker’s wallet and is now working closely with security partners, forensic specialists and law enforcement to recover the lost assets.
During the attack – which occurred on the morning of June 23, US time – the hacker was able to steal a variety of assets including BUSD, USDC, ETH and wBTC, which have all since been swapped for ETH and remain in the hacker’s accounts on the Ethereum blockchain.
Hack Exploited Multi-Sig Wallet
According to Harmony founder and CEO Stephen Tse, the hack on Horizon bridge wasn’t due to vulnerabilities in the smart contract code. In a statement released in the days following the attack, Tse said the attacker had compromised enough of the private keys used to sign transactions on the multi-signature wallet controlling the bridge’s assets to meet the wallet’s signing threshold:
The incident response team has found no evidence of any breaches of our smart contract code nor vulnerabilities on the Horizon platform. Our consensus layer of the Harmony blockchain remains secure.
Stephen Tse, founder and CEO, Harmony
Tse added: “Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge. The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys.”
Before this hack, the multi-sig wallet controlling assets in the Horizon bridge required only two of four private keys to sign a transaction, so compromising just two keys was enough to authorise any withdrawal. Since the attack, Tse has tweeted that the multi-sig wallet has been hardened to require four of five private keys to sign any transaction:
7/ We have migrated the Ethereum side of the Horizon bridge to a 4-of-5 multisig since the incident. We will continue taking steps to further harden our operations and infrastructure security.
— stephen tse 💙 s.one 🌉 stse.eth (@stse) June 26, 2022
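The difference between the old 2-of-4 threshold and the new 4-of-5 threshold is easiest to see in a small simulation of an m-of-n wallet. The following is an added example written for this article, not Harmony’s bridge code: it uses HMAC-SHA256 as a stand-in for the ECDSA signatures an Ethereum multisig actually verifies, and the signer names, key material and withdrawal message are all constructed. It also shows the two checks a threshold verifier must make beyond counting signatures: each signature must be over the message being authorised, and each signer may be counted only once.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Signer:
    """One key holder. `key` is a toy HMAC secret standing in for an ECDSA private key."""
    name: str
    key: bytes


def sign(signer: Signer, message: bytes) -> bytes:
    # Toy signature: HMAC-SHA256 over the message. A real bridge multisig checks
    # secp256k1 ECDSA signatures and recovers the signer address on-chain; the
    # threshold logic below is the same either way.
    return hmac.new(signer.key, message, hashlib.sha256).digest()


class MultisigWallet:
    """m-of-n wallet: a withdrawal is authorised only if at least `threshold`
    distinct registered signers produced a valid signature over that withdrawal."""

    def __init__(self, signers: list[Signer], threshold: int) -> None:
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        if len({s.name for s in signers}) != len(signers):
            raise ValueError("signer names must be unique")
        self.signers = {s.name: s for s in signers}
        self.threshold = threshold

    def authorise(self, message: bytes, signatures: dict[str, bytes]) -> bool:
        # Signatures are keyed by signer name, so one key cannot be counted twice;
        # unknown signers and signatures over a different message are ignored.
        valid = {
            name
            for name, sig in signatures.items()
            if name in self.signers
            and hmac.compare_digest(sign(self.signers[name], message), sig)
        }
        return len(valid) >= self.threshold


def attacker_can_drain(wallet: MultisigWallet, compromised: list[Signer], message: bytes) -> bool:
    """Simulate an attacker who holds the plaintext keys of `compromised` signers only."""
    sigs = {s.name: sign(s, message) for s in compromised}
    return wallet.authorise(message, sigs)


def make_signers(n: int) -> list[Signer]:
    # Constructed, deterministic key material so the example is reproducible.
    return [
        Signer(f"signer{i}", hashlib.sha256(f"key-material-{i}".encode()).digest())
        for i in range(n)
    ]


def demo() -> dict[str, bool]:
    withdrawal = b"withdraw 100000000 USDC to attacker-address"  # constructed message
    signers = make_signers(5)
    old_policy = MultisigWallet(signers[:4], threshold=2)  # 2-of-4, pre-incident
    new_policy = MultisigWallet(signers, threshold=4)      # 4-of-5, post-incident
    stolen = signers[:2]                                   # attacker holds two keys

    # Replay attempt: a real signature, but over a different message.
    replayed = {signers[0].name: sign(signers[0], b"some earlier, legitimate withdrawal")}
    # Duplicate-counting attempt: one key's signature submitted under two names.
    sig0 = sign(signers[0], withdrawal)
    duplicated = {signers[0].name: sig0, signers[1].name: sig0}

    return {
        "two_keys_vs_2of4": attacker_can_drain(old_policy, stolen, withdrawal),
        "two_keys_vs_4of5": attacker_can_drain(new_policy, stolen, withdrawal),
        "four_keys_vs_4of5": attacker_can_drain(new_policy, signers[:4], withdrawal),
        "replayed_signature": old_policy.authorise(withdrawal, replayed),
        "duplicate_signer": old_policy.authorise(withdrawal, duplicated),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'authorised' if result else 'rejected'}")
```

Raising the threshold does not remove the single point of failure described in the statement, it only raises the number of key holders an attacker must compromise; the operational controls Tse describes (per-key encryption, a key management service, no machine holding more than one plaintext key) are what make each additional key expensive to obtain.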
Harmony Offers Reward, Won’t Pursue Legal Action
In the aftermath of the hack, the Harmony team tweeted an offer of a US$1 million bounty for the return of the stolen funds and said it would advocate for no criminal charges if and when the funds are returned.
This is a relatively common tactic used by crypto projects to incentivise hackers to return stolen assets. While it sometimes works, it is not widely supported, as some see it as rewarding criminal behaviour:
In a perfect world…
This person would be put in jail and funds returned.
In a fair world…
This person would be put in jail and funds returned.
In America…
Steal 100m. Give 100m back. Receive 1m for being nice and giving stolen monies back. Do not go to jail. Like wtf.
— Bullbearsaur (@Bullbearsaur) June 26, 2022
Cross-Chain Bridges Vulnerable
Cross-chain bridges like Horizon provide interoperability between blockchains, allowing users to move tokens from one chain to another and take advantage of the applications and services on each. They are not without risk, however.
One of the primary risks of cross-chain bridges is that their assets are often held in highly centralised multi-sig wallets controlled by a small number of individuals: an attacker does not need to break the bridge contracts, only to compromise enough of those signing keys to meet the wallet’s threshold. This concentration of enormous quantities of crypto assets makes bridges very attractive targets. Already this year, several cross-chain bridges – including Axie Infinity’s Ronin bridge and Solana’s Wormhole bridge – have been hacked for a combined total of close to US$1 billion.
Despite this recent spate of hacks on cross-chain bridges, DeFi remains by far the crypto sector most vulnerable to exploits. A recent report from blockchain analytics firm Chainalysis found that since the start of 2020, 97 percent of crypto hacks have targeted DeFi applications. Just weeks ago, the decentralised exchange Osmosis was forced offline after a US$5 million hack was identified by a Reddit user.
Disclaimer:
The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.