The Horizon Bridge to the Harmony One layer-1 blockchain has been exploited for $100 million in altcoins, which are being swapped for Ether (ETH).
The hack may confirm previously raised community concerns about the robustness of the two-of-four multisig allegedly securing the bridge.
From around 7:08 am to 7:26 am, 11 transactions were made from the bridge for different tokens. The attacker has since started sending tokens to a separate wallet to be swapped for ETH on the Uniswap decentralized exchange (DEX), then sending the ETH back to the original wallet.
1/ The Harmony team has identified a theft of approx. $100 mm at Horizon Bridge this morning. We have begun working with national authorities and forensic experts to identify the culprit and recover the stolen money.
— Harmony (@harmonyprotocol) 23 June 2022
So far, Frax (FRAX), Wrapped Ether (WETH), Aave (AAVE), Sushi (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (WBTC), and USD Coin (USDC) have been stolen from the bridge through this exploit.
Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin. Harmony, the operator of the bridge, announced late on 23rd June that the bridge had been stopped. It said that the BTC bridge and its assets were not affected by the attack.
The Harmony One team also said it is working with “national authorities and forensic experts” to determine who is responsible. A postmortem is sure to follow.
Developers and Harmony One co-founder Nick White did not respond to requests for comment. Harmony One is a layer-1 blockchain that uses proof-of-stake consensus. Its base token is ONE.
Concerns were previously expressed about the soundness of Horizon’s multisig wallet, which required only two of the four signatories to withdraw funds. Ape Dev, founder of the crypto-focused venture fund Chainstride Capital, noted on Twitter on April 2 that the low number of signatories required would leave the bridge open to “another 9 issue hack”.
The security of the bridge is based on a multisig wallet currently deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of whom are required to consent to transact arbitrarily (i.e. withdraw $330m).
— Ape Dev (@_apedev) 1 April 2022
Ape Dev’s prediction has become a reality, as the bridge is now down $100 million in assets.
He is far from the only developer in cryptocurrency who has concerns about the security of token bridges.
Vitalik Buterin discussed the token bridge issue in a Reddit post this January. He said that when bridges are exploited, it threatens the liquidity on each affected chain. He added that as the number of token bridges grows, the risk of a 51% attack on one chain could present a more contagious risk to others.
Since his prediction, Meter’s token bridge, Axie Infinity’s Ronin Bridge, and the Wormhole bridge have been exploited for a combined total of nearly $1 billion.
Multisig attacks are an ongoing security problem. Ronin Bridge was secured by nine validators, of whom only five were required to verify transactions. The attackers took control of the five required validators and siphoned off more than $600 million in assets.
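The threshold rule behind the two-of-four and five-of-nine setups described above, as an added example that is not Harmony's or Ronin's contract code. It assumes HMAC-SHA256 as a stand-in for on-chain ECDSA signatures; the class, function names, owner names and keys are all constructed for illustration.

```python
import hashlib
import hmac

def sign(key: bytes, tx: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the ECDSA signature a real wallet checks.
    return hmac.new(key, tx, hashlib.sha256).digest()

class Multisig:
    def __init__(self, owners: dict, threshold: int):
        if not 1 <= threshold <= len(owners):
            raise ValueError("threshold must be between 1 and the owner count")
        self.owners = owners          # owner name -> key
        self.threshold = threshold    # approvals needed to execute

    def valid_signers(self, tx: bytes, sigs: list) -> set:
        """Distinct owners whose signature over exactly this tx verifies."""
        approved = set()
        for name, sig in sigs:
            key = self.owners.get(name)            # unknown signers are ignored
            if key is not None and hmac.compare_digest(sign(key, tx), sig):
                approved.add(name)                 # set: a repeated owner counts once
        return approved

    def authorizes(self, tx: bytes, sigs: list) -> bool:
        return len(self.valid_signers(tx, sigs)) >= self.threshold

def make_wallet(n: int, m: int) -> Multisig:
    # Constructed keys for illustration only.
    owners = {f"owner{i}": hashlib.sha256(b"constructed-key-%d" % i).digest()
              for i in range(n)}
    return Multisig(owners, m)

def min_keys_to_authorize(wallet: Multisig, tx: bytes) -> int:
    """Fewest owner keys that must sign (or be stolen) before tx executes."""
    names = list(wallet.owners)
    for k in range(1, len(names) + 1):
        sigs = [(n, sign(wallet.owners[n], tx)) for n in names[:k]]
        if wallet.authorizes(tx, sigs):
            return k
    raise AssertionError("unreachable: all owners signing always meets the threshold")

if __name__ == "__main__":
    tx = b"withdraw(constructed)"
    for n, m in [(4, 2), (9, 5)]:
        k = min_keys_to_authorize(make_wallet(n, m), tx)
        print(f"{m}-of-{n}: {k} keys authorize a withdrawal; {n - m + 1} lost keys freeze funds")
```

The number of keys that must be held to move funds equals the threshold, not the owner count, so adding owners without raising the threshold does not make a withdrawal harder to authorize.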
The market appears not to have responded to the attack yet, as there has been no significant change in coin and token prices generally. However, ONE is down 7.4% in the last 24 hours, with most of the fall coming in the last 5 hours. According to CoinGecko, it is trading at $0.024.