The Horizon Bridge to the Harmony layer-1 blockchain has been exploited for $100 million in altcoins, which are being swapped for ETH.
Bridge projects continue to fall victim to hacks, the latest being Harmony’s Horizon with “9-digit” damage.
Harmony’s Horizon Bridge hacked for $100M
On the morning of June 24, Harmony’s Horizon cross-chain bridge was confirmed to have been hacked, with the project estimating initial damage at up to $100 million. According to the hacker wallet provided by Harmony, the attacker extracted more than 13,100 ETH (worth $14.1 million), 592 WBTC ($12.4 million), 9.9 million USDT, 41.2 million USDC, 6 million DAI, 5.5 million BUSD, 5.6 million FRAX, 84.6 million AAG ($1.3 million), 110,000 FXS ($607k), 415,000 SUSHI ($518k), and many other ERC-20 tokens.
2/ 0x address of the culprit below: https://t.co/VXO7s6FpIy
— Harmony 💙 (@harmonyprotocol) June 23, 2022
The hacker then converted the ERC-20 tokens into ETH and collected them in a wallet. This wallet currently holds over 85,867 ETH, worth over $98 million.
In addition, the attack took place between 11:15 and 11:30 on June 23 but was only announced by Harmony at 11:15 on June 23, which is 12 hours later. The delay allowed the hacker to disperse most of the ERC-20 tokens, leaving only a large amount of ETH in the wallet.
The security of the bridge is currently predicated on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which are required to consent in order to execute an arbitrary transaction (i.e. drain the $330m). pic.twitter.com/sgYmyPrYgf
— Ape Dev (@_apedev) April 1, 2022
Horizon asserts that the attacker has only penetrated the bridge to Ethereum, while the bridge to Bitcoin is still safe. However, the project suspended Horizon to investigate the vulnerability and notified exchanges to prevent the hacker from laundering the funds.
The price of Harmony’s ONE token is dropping slightly after the hack was announced and has been sliding throughout 2022.
Blockchain bridges, also known as cross-chain bridges, are applications that help transfer value between two independent blockchains, and they have been “delicious bait” for hackers in recent times. Currently, the top 3 most damaging attacks in the DeFi industry are all in the cross-chain category and all occurred within the past year: Poly Network ($611 million – August 2021), Wormhole ($325 million – February 2022), and most recently, Ronin of Axie Infinity ($622 million – March 2022).
The national authorities and forensic specialists should be investigating *you* to figure out what kind of broken security practices allowed this “theft” to happen.
— Chris Blec (@ChrisBlec) June 24, 2022
Because of the many defects in how they work, Ethereum founder Vitalik Buterin once said that cross-chain solutions should not be trusted.