$100 Million Hack on Harmony

The root cause of the massive hack that stole $100 million from Harmony last Wednesday may have been discovered.

Harmony suffers a $100 million hack

Last Wednesday, Harmony, a layer 1 blockchain company launched in 2019 by Stephen Tse, suffered a $100 million theft due to a hack.

Harmony is aiming to solve the persistent “blockchain trilemma” by balancing scalability with security and decentralization.

In a tweet, the company disclosed the attack and said it is working with the FBI, relevant authorities, and cyber security companies to try to recover the stolen funds.

The following day, Polygon’s chief information security officer, Mudit Gupta, said the hacker had likely exploited the ability to compromise the 2-of-5 multi-signature scheme on which the Harmony blockchain bridge is based.

Gupta explained:

“The hacker compromised 2 addresses and made them drain the money. The two addresses were likely hot wallets used to listen for and process legit bridging transactions”.

Hacker steals $100 million from the Horizon bridge

How do bridges that enable cross-chain asset transfer work?

Blockchain bridges like Harmony’s have taken on an important role in decentralized finance, since they let users transfer their assets from one blockchain to another. In the specific case of Horizon, users can send tokens from the Ethereum network to Binance Smart Chain.

Bridges are now a very tempting target for hackers because of the vulnerabilities in their underlying code and the large amount of liquidity they need to store.

The founder of the Harmony protocol wrote in a report on the affair that:

“The team has found evidence that private keys were compromised, leading to the breach of our Horizon bridge — Funds were stolen from the Ethereum side of the bridge. Confidentiality is key to maintain integrity as part of this ongoing investigation — The omission of specific details is to protect sensitive data in the interest of our community”.

In a subsequent tweet, the company offered a $1 million reward to anyone who provides information that would be helpful in recovering the amounts stolen by the hackers.

Harmony, which was launched through Binance Launchpad via an Initial Exchange Offering (IEO), raised 23 million in May 2019; three years after launch, it has a total market capitalization of about $1.5 billion. Harmony’s native token is called ONE and is used for transaction fees, staking, and governance, allowing holders to participate in decisions about the future of the network.


Source: https://en.cryptonomist.ch/2022/06/27/100-million-hack-harmony/