- Hackers have exploited Harmony’s token bridge, Horizon’, for altcoins worth $100 million, after capitalizing on a multisig weaknesses.
- One venture capitalist founder forecasted such an event on the network in early April.
Layer-1 blockchain Harmony has announced that attackers have exploited its Horizon Bridge for $100 million. The event brings to light earlier concerns about the security vulnerabilities of blockchain bridges.
Of note, Horizon connects three other blockchains to the Harmony network, namely Bitcoin (BTC), Ethereum (ETH), and the Binance Chain (BNB). Transactions on the bridge only require approval from two out of the four multi-sig in existence.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
Harmony Bridge Horizon exploited
The latest attack occurred on June 24, between 7.08 am and 7.26 am ET. Attackers made 11 transactions to withdraw several altcoins from the bridge to a crypto wallet. In the list are Wrapped BTC (WBTC), USD Coin (USDC), Tether (USDT), Dai (DAI), Aave (AAVE), and Sushi (SUSHI). Others were Binance USD (BUSD), Frax (FRAX), Frax Share (FXS), and AAG (AAG). Harmony notes that no funds or tokens were drained from the Bitcoin bridge.
After withdrawing the tokens, the hackers then swapped the stolen altcoins for ETH tokens on the decentralized exchange Uniswap. Thereafter, they re-routed the ETH tokens to the wallet.
Following the theft, Harmony, the operator of the bridge, decided to shut it down to prevent further exploits. The network also notified exchanges of the wallet in question. It has now involved national authorities and forensic experts to help determine the culprit. Harmony promises to provide more information regarding the attack as investigations continue.
The prediction of doom
Interestingly, about three months ago, Ape Dev, founder of the crypto-focused VC Chainstride, predicted such an occurrence on Harmony. With only two signees required to pass a transaction, Ape Dev said the bridge was ‘very’ open to an attack.
Ape Dev posted his observation on April 2, a time when a string of bridge attacks was making headlines. The Solana Wormhole and Meter’s token bridges were each exploited in February. Axie Infinity’s Ronin Bridge attack followed soon after, just as March drew to a close.
Combined, the three saw losses to the tune of $1 billion, where Ronin experienced the highest losses (over $600M). The bridge was exploited in a similar manner to Harmony’s Horizon. It only required five out of nine validators to verify a transaction.
In a January Reddit post, Ethereum co-founder Vitalik Buterin highlighted the security challenges associated with bridges. Their attacks, he said, could cause liquidity shortages in the affected chains. Additionally, an increase in bridges presents the risk of a 51 percent attack on one chain – something that could quickly spread to the rest of the bridge’s chains
So far, stolen altcoins from the Harmony attack have not made any significant moves in the market. However, the network’s native token, ONE, is down 11.5 percent in the past day to trade at $0.024.