Layer 1 blockchain network Harmony Protocol (ONE) said on June 24 that a hacker had exploited its Horizon Bridge and stolen about $100 million worth of tokens from it.
1/ The Harmony team discovered a theft that took place this morning on the Horizon Bridge, amounting to approx. 100 million dollars. We have begun working with national authorities and forensic experts to identify the culprit and recover the stolen funds.
More 🧵
— Harmony 💙 (@harmonyprotocol) June 23, 2022
The attack is one of the largest in recent weeks. Harmony said it has begun “cooperating with national authorities and forensic experts to identify the culprit and recover the stolen funds.”
The team added that the exploit did not affect the trustless Bitcoin (BTC) bridge, and that assets stored in decentralized vaults remain safe.
The Horizon Bridge connects the Harmony protocol to other networks such as Ethereum and Binance Smart Chain, allowing the transfer of cryptocurrencies, stablecoins, and NFTs between the Harmony blockchain and those networks.
Harmony warned about vulnerability
In April, blockchain developer and researcher Ape Dev warned about Harmony’s weak security. They predicted that an attacker could exploit it, resulting in losses of up to $330 million.
Bridge security is currently based on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of whom must agree to make an arbitrary transaction (i.e. drain $330 million). pic.twitter.com/sgYmyPrYgf
— Ape Dev (@_apedev) April 1, 2022
According to available information, the attacker moved funds in 12 transactions using three attack addresses. In this way, they were able to move funds held in tokens such as ETH, WBTC, USDT, AAVE, WETH, FXS, SUSHI, FRAX, DAI, BUSD, and AAG.
The attacker was able to take control of the MultiSigWallet and validate the transactions to transfer the stolen funds directly.
The Horizon Harmony Protocol bridge was hacked this morning and $100 million was stolen.
Basically, the bridge was a 2 out of 5 multisig. If any 2 addresses told it to transfer funds to someone, it did.
The hacker compromised 2 addresses and forced them to leak money. 🧵👇 pic.twitter.com/hv1JWDy9WQ
— Mudit Gupta (@Mudit__Gupta) June 24, 2022
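The 2-of-5 approval rule described in the tweets above, as an added example that is not part of the original article and is not Harmony's contract code: a toy Python model showing that confirmations from two compromised owner keys are enough at a threshold of 2 but not at 4. The key labels `k1` to `k5`, the class and function names, and the strict-majority policy are assumptions made for illustration.

```python
"""Added example: toy model of a k-of-n multisig approval rule (not Harmony's contract)."""
from dataclasses import dataclass, field
from math import comb


@dataclass
class MultiSig:
    owners: frozenset          # owner key identifiers (constructed labels)
    required: int              # confirmations needed to execute
    confirmations: dict = field(default_factory=dict)  # tx_id -> set of owners

    def __post_init__(self):
        if not 1 <= self.required <= len(self.owners):
            raise ValueError("required must be between 1 and the owner count")

    def confirm(self, tx_id: str, owner: str) -> bool:
        """Record one owner's confirmation; return True once tx_id is executable."""
        if owner not in self.owners:
            raise PermissionError(f"{owner} is not an owner")
        signed = self.confirmations.setdefault(tx_id, set())
        signed.add(owner)  # a set, so a repeated confirmation counts once
        return len(signed) >= self.required


def review_threshold(n_owners: int, required: int) -> dict:
    """Summarise how exposed a k-of-n setting is to key compromise."""
    return {
        "keys_attacker_needs": required,
        # number of distinct owner groups that can authorise a transfer alone
        "sufficient_key_sets": comb(n_owners, required),
        # keys that can be lost before the wallet can no longer sign at all
        "keys_losable": n_owners - required,
        # assumed policy for this example: require a strict majority of owners
        "meets_majority_policy": required > n_owners // 2,
    }


def simulate(required: int, compromised: list) -> bool:
    """Would confirmations from only the compromised keys execute a transfer?"""
    wallet = MultiSig(frozenset({"k1", "k2", "k3", "k4", "k5"}), required)
    executable = False
    for key in compromised:
        executable = wallet.confirm("tx-1", key)
    return executable


if __name__ == "__main__":
    for k in (2, 4):
        print(k, simulate(k, ["k1", "k2"]), review_threshold(5, k))
```

Raising the threshold reduces exposure to key compromise but also lowers `keys_losable`, so the setting has to be weighed against the risk of owners losing access to their keys.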
Although the identity of the hacker remains unknown, the fact that the Harmony team could have prevented the attack will raise questions about its security in the crypto community.
Most of the stolen tokens remained in the attacker's wallet at the time of publication. However, the attacker had started converting the stolen funds into ETH via Uniswap.
@harmonyprotocol the bridge exploiter 0x0d04…ed00 stole 11 different erc-20 tokens and 13,100 ether from the bridge.
They then transferred the other erc-20 tokens to two other wallets for exchange via uniswap and other dexs back to eth and finally back to 0x0d04…ed00. pic.twitter.com/HY5JepVrPu
— MistTrack (@MistTrack_io) June 24, 2022
Credit: cryptoslate.com