On June 24, the Horizon bridge connecting Harmony to the Ethereum and Binance Chain ecosystem was hacked, causing a loss of around $100 million in ETH. The exploit was announced on Twitter by the Harmony team, who said they were looking for the culprit.
The latest in a series of vulnerabilities
1/ The Harmony team has identified a theft of approx. $100 mm at Horizon Bridge this morning. We have begun working with national authorities and forensic experts to identify the culprit and recover the stolen money.
— harmony (@harmonyprotocol) 23 June 2022
The bridge has since been closed to prevent further damage. Harmony devs also clarified that the BTC bridge is unaffected.
The attack appears to have occurred over a period of 17 hours, beginning with a transaction of 4,919 ETH, followed by several smaller transactions ranging from 911 to 0.0003 ETH. The last one came after the bridge was closed.
The hack is the latest in a series of exploits affecting the crypto space, such as the Axie Infinity drain, the Solana Wormhole, or, more recently, the (mis)Optimism failure. Another recent vulnerability, the Demonic exploit, which affected many crypto wallets, was patched before any damage was done.
The exchanges have reportedly been notified, as well as “national authorities and forensic experts.” Unfortunately for Harmony, the national authorities may not be of much help even if the hacker’s identity is discovered, depending on the jurisdiction in which the hacker is located.
“We have also notified exchanges and Horizon bridge to prevent further transactions. The investigation is ongoing and the team is fully prepared. We will keep everyone up-to-date as we investigate this further and will get more information.”
Early warning issued by independent researchers
Curiously, a warning was issued back on April 2nd by Ape Dev, an independent researcher and blockchain dev. In a series of tweets, Ape Dev drew attention to the fact that the Harmony bridge’s security was built around a multi-sig wallet with only four owners. He predicted that this could be used to carry out a very simple attack, with 2 owners signing transfers of up to $330 million.
His talent has since been recognized by Brendan Eich, CEO and co-founder of Brave.
— Ape Dev (@_apedev) 24 June 2022
Whether the Harmony attacker got the idea from Ape Dev’s hint or came to the same conclusion independently is unclear. In any case, the warning came about three months before the unfortunate incident, which should have given the Harmony devs enough time to secure their systems.
With cyberattacks becoming more and more prevalent in the crypto space, the security standards of various blockchain-based platforms may be scrutinized by third parties with increasing regularity, and rightly so.