Another Bridge Exploited: Harmony's Horizon Bridge Hacked for $100 Million

avatar of @xabi
2 min read


So just when we thought that crypto world had a breather from exploits and hack, another three figure crypto theft has happened. Today, Layer 1 blockchain Harmony's Horizon bridge have been exploited for approximately $100 million.

Harmony is a proof of stake consensus based blockchain and Horizon bridge connects Harmony with Ethereum, Binance Smart Chain and Bitcoin networks. Harmony team has already acknowledged the hack on twitter, saying that they are in pursuit of the culprit. Following the exploit the bridge was shut down. Harmony team claimed that Bitcoin side of the bridge and funds on it were not affected.

The exploit happened in a series of multiple transactions on 7:08 am EST and lasted for 17 hours. The hacker sent various tokens (Frax (FRAX), Wrapped Ether (wETH). Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC) and USD Coin (USDC)) from the bridge to different wallet addresses, swapped them to Eth on Uniswap and transferred Eth back to original wallet.

Horizon’s multisig wallet on Ethereum requires only two out of four signees to transfer funds from the wallet. So, apparently hacker managed to find a way to get access to at least two out of four signees, allowing him to drain the funds.

Surprisingly, concerns have been raised about a month ago regarding the security of Horizon’s multisig system. Ape Dev a Chainstride Capital crypto-focused venture fund, warned on April 2 in a twitter thread about low number of signees required for approving transactions leaving the bridge vulnerable to multi-million dollar hack.

While Harmony team did not pay heed to the warning, the hacker/hackers might have been paying attention. Somehow, they managed to get access to at least two signees and here we are with a multi-million hack.

This is not the first time that the multiple chain bridges have been exploited. We already have seen the famous Solana Wormhole and Axie Ronin Bridge exploit. Axie Ronin Bridge happened as 5 out of 9 validator accounts required to verify transactions got compromised and exploiter got away with $650 million worth crypto funds.

In a latest update Harmony team have said that they have identified the hacker wallet which is currently holding 85,837 ether worth around $100 million. While Harmony is deploying forensic investigations and seeking the help of exchanges & law enforcement to track down the culprit, but the chances of recovery remains slim. Tracking and apprehending exploiters in such cases is extremely difficult due to multinational jurisdictions involved.

In my opinion the only hope for the return of stolen funds is that the hacker turns out to be the white hat. The overall incident is not only misfortunate but also a shame. How many times we saw exploits getting repeated the same way using the same method? Plus in case of Harmony, repeated warning were already issued by many security experts.

I guess, the only thing that we learn from history is that we learn nothing from history.

Posted Using LeoFinance Beta