A hacker has exploited a vulnerability to steal $100 million from Harmony’s Horizon Bridge, which allows users to transfer their crypto assets from one blockchain to another.
Harmony, the U.S. crypto startup behind Horizon, said in a blog post on Friday that it was notified of a “malicious attack” on its proprietary Horizon blockchain bridge on Thursday. Blockchain bridges, also known as cross-chain bridges, facilitate communication between different blockchains and allow users to send assets from one chain to the other. Using Harmony’s Horizon bridge, for example, users can move assets — including tokens, stablecoins, and NFTs — between Ethereum, Binance Smart Chain and Harmony blockchains.
Harmony said the culprit of the attack — which the company singled out in a tweet — stole close to $100 million in cryptocurrency from its blockchain bridge.
According to blockchain analysis company Elliptic, a variety of crypto assets were taken, including Ethereum, Binance Coin, Tether, USD Coin and Dai. Elliptic added that the stolen tokens have now been swapped for Ethereum using decentralized exchanges — a “commonly seen technique with these hacks,” it said.
Harmony said in its blog post that immediately following the attack, multiple cybersecurity partners, exchange partners and the FBI were notified and requested to assist with an investigation in identifying the culprit and retrieving stolen assets. “Further, the team has attempted communication with the hacker with an embedded message in a transaction to the culprit’s address,” the blog post read.
Harmony added that it had stopped the Horizon bridge to prevent further transactions. Harmony’s bridge for bitcoin was unaffected.
“This incident is a humbling and unfortunate reminder of how our work is paramount to the future of this space, and how much of our work remains ahead of us,” the blog post said. “Ongoing investigations present a challenge of what information is allowed to be shared with the public, but we will continue to provide updates with the latest information as soon as we are able to share.”
Harmony has not revealed exactly how the funds were stolen and did not comment when contacted by TechCrunch.
However, one investor who goes by the handle Ape Dev had concerns about the security of its Horizon bridge as far back as April. The researcher warned on Twitter that the security of the Horizon bridge hinged on a multisignature — or “multisig” — wallet that required just two signatures to initiate transactions. Multisig wallets require the consent of multiple parties for ensuring additional security on transactions.
“So all in all, if two of the four multisig signers are compromised, we’re going to see another nine-figure hack,” Ape Dev, founder of crypto venture fund Chainstride Capital, wrote on April 1. “Considering all that’s been going on lately, it’d be interesting to hear some details from @harmonyprotocol on how these [externally owned accounts] are secured.”
The Harmony bridge hack follows a series of notable attacks on other blockchain bridges. The Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity, lost more than $600 million in March, an attack which U.S. officials have since linked to North Korean state-backed hacking group Lazarus. Similarly, decentralized finance platform Wormhole lost almost $325 million to hackers in February after they exploited a security flaw in its smart contract code.