Harmony Exploited For $100M After Attackers Target Horizon Cross-chain Bridge

• The attacker carried out 16 malicious transactions ranging in value from 14,190 to 30 ETH.
• The attacker has not yet attempted to use a privacy protocol like Tornado Cash.

According to the Harmony team, roughly $100 million in different tokens have been stolen from the Horizon bridge. The Horizon cross-chain bridge of Harmony, an EVM-compatible Proof-of-Stake blockchain, was breached in a massive security incident.

According to a Friday morning tweet from the network’s developers, one of Harmony’s bridges, Horizon, has been hacked for about $100 million in different tokens. To help track down the perpetrator and perhaps recover the funds taken, it has already begun cooperating with national authorities and forensic specialists.

It seems that the exploit started at 12:02 UTC on Thursday and continued for around 15 hours, according to on-chain data. Before the Harmony team discovered the assault and shut down the Horizon bridge to prevent additional fraudulent transactions, the attacker carried out 16 malicious transactions ranging in value from 14,190 to 30 ETH. As soon as the attacker stole about $100 million worth of various tokens, they transmitted them to multiple wallets and traded them for Ethereum on the decentralized market Uniswap before returning them to the original wallet.

Surprisingly No Use of Tornado Cash

The attacker has not yet attempted to use a privacy protocol like Tornado Cash to anonymize the stolen assets, which is unusual for these sorts of attacks. The Office of Foreign Assets Control (OFAC) may add the attacker’s wallet to its sanctioned addresses blacklist to prevent Tornado Cash from being used to launder stolen assets again.

Security experts have surmised that the attacker may have access to at least two of the five multi-signature wallet private keys in charge of the Horizon bridge smart contracts. Still, Harmony has not revealed how the vulnerability was carried out.