Harmony’s Horizon Blockchain layer-1 bridge was hacked causing about $100 million in damages when swapping altcoins to Ether (ETH).
The hack demonstrated the community’s previous concerns about the certainty of two of the four multisig (multi-signature) credited with protecting the bridge.
Starting from about 7:08 a.m. until 7:26 a.m. ET time, 11 transactions were made from this bridge for various tokens. Since then, they have started sending tokens to another wallet to swap for ETH on the uniswap Decentralized exchange (DEX), then send eth back to the original wallet.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
So far, Frax (FRAX), Wrapped Ether (WETH), Aave (AAVE), Sushi (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (WBTC) and USD Coin (USDC) have been stolen from the bridge through this mining.
The Horizon bridge facilitates token transfer between Harmony and the Ethereum, Binance Chain and Bitcoin networks. Harmony, the operator of the bridge, announced late On June 23 that the bridge had been shut down. They said the btc bridge and its assets were not affected by the attack.
Harmony also said it was working with authorities and legal experts to determine who was responsible. The results will be communicated to the community after the investigation is complete.
Harmony developer and co-founder Nick White did not respond to user requests for comment. Harmony One is a layer-1 blockchain that uses a proof-of-stake consensus (PoS) mechanism. Its original token was ONE.
Concerns have previously worried about the rationality of Horizon’s Multisig Wallet on Ethereum, which only requires two out of four subscribers to withdraw money. The founder of chainstride capital crypto, Ape Dev, wrote on Twitter April 2 that the low number of people signing the request would leave the bridge open for “another 9-figure damaging hack.”
The security of the bridge is currently predicated on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which are required to consent in order to execute an arbitrary transaction (i.e. drain the $330m). pic.twitter.com/sgYmyPrYgf
— Ape Dev (@_apedev) April 1, 2022
Ape Dev’s prediction seems to have come true as the Horizon bridge is currently falling in price by $100 million.
He’s not the only developer in the cryptocurrency sector who is concerned about the security of token bridges.
Vitalik Buterin discussed the issues with the token bridge in a Reddit post this January. He argues that when bridges are hacked, it threatens liquidity on each affected chain. He also added that as the number of token bridges increases, about 51% of the threat of an attack on one chain could pose a greater risk of spread to others.
Since his prediction, meter’s token bridge, Axie Inifinity’s Ronin bridge and Wormhole bridge, have been hacked with total damage amounting to nearly $1 billion.
Multisigs is an ongoing security issue in attacks. The Ronin bridge is secured by nine validators, only five of which are required to verify a transaction. The attacker took control of the five requested validators and stole more than $600 million.
The market does not appear to have reacted negatively to this attack as the prices of all the coins and tokens mentioned have not changed significantly. However, ONE has fallen 7.4% in the last 24 hours. It is trading at $0.024 according to CoinGecko.