How were hackers able to exploit the bridge and what happens now?
How was the Harmony Horizon Bridge Exploited?
On June 23rd, the Harmony Horizon Bridge was exploited for nearly $100M. The attacker obtained and decrypted private keys belonging to the bridge's MultiSigWallet, which let them call the contract function that transfers tokens out of the Ethereum side of the bridge. Assets were stolen in the form of $BUSD, $USDC, $ETH and $WBTC and immediately swapped to $ETH.
The Horizon bridge was secured by a 2-of-5 multisig, despite repeated warnings from the community that such a low threshold could be exploited. Anyone holding two of the five signing keys could move the bridge's funds. The attacker compromised the server on which these keys were stored, recovered the private keys, and used them to drain the Ethereum-side reserves. Once the reserves were gone, the bridged assets on Harmony were unbacked: 1USDC, the bridged USDC on Harmony, traded at roughly a fifth of the value of $USDC. Only after the theft did the team migrate to a 4-of-5 multisig, and many argue this was too little, too late, with $ONE already in the grave.
Harmony Offers a Reward
The Harmony team offered a $1M bounty for the hackers to return the funds, promising to advocate against criminal charges if they accepted. They also reached out to the FBI and to two blockchain-tracing firms (Chainalysis and AnChain.AI) to help recover the stolen funds. So far, the hackers have ignored this bounty and have begun routing the funds through Tornado Cash to obscure the trail. They have already moved about 46%, or 42K $ETH, into Tornado Cash.
In a last-ditch effort, Harmony raised the bounty to $10M and said it would cease further investigation, giving the hackers until July 4th 23:00 GMT to accept the offer. In an official statement, they said "The incident response team has found no evidence in any breaches of our smart contract codes nor vulnerabilities on the Horizon platform. Our consensus layer of the Harmony blockchain remains secure." So far, the hackers have ignored both bounties and show no sign of returning the stolen funds.
Can Harmony Recover from this Hack?
The future of the Harmony blockchain is certainly in question. $ONE has fallen over 95% from its ATH. The hackers don't seem to want to cooperate, and much of the community has lost faith in the team because of this exploit. This event could be the death knell for the chain as users and projects may start looking towards other chains to hold their funds and build.
Multiple similar attacks on bridges have occurred recently, including the roughly $600M hack of Axie Infinity's Ronin bridge and the $325M Wormhole hack on Solana. Those were even larger exploits, yet the respective blockchains survived. Harmony will continue building and working on ways to recover the funds and return them to users. Even if the hackers are never caught, Harmony will likely recover from this incident and move on to building and improving its ecosystem, hopefully learning from its mistakes.
What is a Multi-Sig Wallet?
A MultiSig wallet is a wallet that requires multiple signatures to authorize a transaction: an m-of-n wallet holds n signing keys and executes a transaction only when at least m distinct keys have signed it. MultiSig wallets are widely used by crypto protocols to spread control among several individuals instead of a single person, which only helps if the keys are held separately and the threshold m is high enough that an attacker cannot reach it with the keys they can realistically steal.
What is a ‘bridge’ in crypto?
As the crypto ecosystem continues to evolve and new chains are created, bridges allow different chains to interact with each other. Most commonly, bridges are used to port cryptocurrencies from one chain to another: the original tokens are locked on the source chain and a matching wrapped supply is issued on the destination chain, so the wrapped tokens are only worth as much as the reserve that backs them. Unfortunately, a number of bridge exploits have drained exactly those reserves, a strong argument for keeping assets on the chain they originated from.
What is TornadoCash?
Tornado Cash is a protocol that provides greater privacy to those who use it. Using smart contracts, Tornado Cash lets an individual deposit from one address and withdraw to another, breaking the on-chain link between the two addresses.