Harmony’s Horizon Bridge — the layer-1 blockchain’s main bridge between Ethereum, Binance Chain and Bitcoin — hacked for $100M.
Harmony is an open Layer 1 blockchain launched in 2019. The network uses sharding and Effective Proof-of-Stake (EPoS). As the company itself states, EPoS is “the first staking mechanism in a sharded blockchain that achieves both security and decentralization” and EPoS “allows staking from hundreds of validators and the unique effective stake mechanism reduces the tendency of stake centralization.”
Harmony also has a native token, ONE, and the network runs Horizon Bridge, one of the main bridges between Ethereum, Binance Chain and Bitcoin. The problems with this bridge are discussed in this article.
What happened? Another hacker attack. The attackers stole about $100 million. Harmony tweeted about this on the morning of June 23.
Hackers, apparently, do not like monotony, so the range of tokens in which funds were stolen is impressive. With the help of an exploit in Horizon Bridge, the attackers managed to steal funds in Frax (FRAX), Wrapped Ether (wETH), Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC) and USD Coin (USDC).
On the evening of the same day, Harmony tweeted that the bridge had been halted to prevent further transactions.
Also, Harmony noted that the hacker attack “does not impact the trustless BTC bridge.”
It later emerged that the North Korean hacker group Lazarus may have been behind the hack.
“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds. Lazarus is believed to have stolen over $2 billion in cryptoassets from exchanges and DeFi services”. — Elliptic Connect, an analytical company
How did the hackers manage to steal the funds? There is no detailed information about this attack yet. It is known, however, that the hackers found a vulnerability in Horizon Bridge that allowed funds to be stolen. Twitter users suggest that the attack could be related to the compromise of two of the five multisig addresses, possibly indicating a private key compromise.
This is not the first attack on bridges since the beginning of the year. According to Elliptic Connect, an analytical company, “In January, hackers exploited a vulnerability in Multichain, allowing them to drain $3 million from users over the course of several days. Just a few days later, a vulnerability in Qubit Finance’s bridge was exploited, with the hackers stealing over $80 million. In February, a further two bridges were attacked including Wormhole, in which hackers stole $325m. Finally, in March, $540m was stolen from Ronin bridge, in an attack which has since been attributed to North Korea’s Lazarus Group.”
Attacks on bridges have become more frequent recently, which has prompted active discussion in the community about the safety of bridges. Even industry heavyweights such as Vitalik Buterin have spoken out about this.
“The fundamental security limits of bridges are actually a key reason why while I am optimistic about a multi-chain blockchain ecosystem (there really are a few separate communities with different values and it’s better for them to live separately than all fight over influence on the same thing), I am pessimistic about cross-chain applications”. — Vitalik Buterin, Ethereum co-founder.
Against the background of the attack, the price of the native Harmony token ONE fell and continues to fall to this day. According to Coinmarketcap, the price of ONE fell by 35% from June 23 to July 1 (from $0.02736 to $0.01759).
The industry is wobbling, and hackers are finding more and more vulnerabilities. All this suggests that the leaders of the crypto community should pay more attention to the security of some projects. We wish Harmony a return to harmony and will continue to observe.