Welcome to the Crypto Hack Casefiles; in this installment, we cover the Horizon Bridge hack from June 2022. This attack saw around $100 million stolen from Harmony Protocol through some sneaky social engineering by a familiar cybercriminal organization. Did we mention the $1M bounty?
Type of Attack: Private Key Compromised
The Set Up
Harmony, the U.S. crypto startup behind Horizon, runs an Effective Proof-of-Stake layer-1 blockchain that features trustless cross-chain bridges and four shards, which process transactions in parallel.
The Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin. Like most cross-chain bridges, Horizon has a validation process for approving transactions transferred over the bridge. On the Ethereum side, the bridge contract was controlled by a five-owner multi-sig contract.
Multi-signature wallets work by having a smart contract that recognizes several owner keys and a threshold: the minimum number of those keys that must approve a transaction before it executes. The keys are held by different people, with the logic being that no single compromised person or machine should be enough to move funds.
However, the bridge only used a two-of-five threshold. This means that only two of the five owner keys needed to be compromised for an attacker to approve any transaction they liked, including one that changes the wallet's own settings. In fact, this weakness had been pointed out by Twitter users as early as April.
The private keys were stored only in encrypted form on Harmony's servers, and the signing logic ran only there, so an attacker could not use the keys without first compromising internal employees or the infrastructure they worked on.
The Horizon bridge was exploited via the theft of two of those private keys. It is suspected that the attackers used a phishing scheme to trick at least one software developer into installing malicious software on their laptop. From that foothold, the attackers could read internal chat threads to learn how the bridge was operated, obtain the non-public bridge infrastructure code, and gain backdoor access to one or more servers, which was enough to carry out the hack.
With access to two of the bridge’s private keys, the attacker could create a transaction extracting $100 million from the bridge and confirm it using two accounts under their control.
The attack resulted in the loss of 85,867 ETH, 990 AAVE, and 78,500,000 AAG on Ethereum, 5,000 BNB, and 640,000 BUSD on BNB Chain, for a total of about $100,428,116.
Shortly after the exploit, the Harmony team detected the attack and raised the required confirmations from two to four. Notably, the transaction that changed the threshold was approved by the same two addresses that had approved the draining transactions: under a two-of-five scheme, the two compromised keys were sufficient both to empty the bridge and to rewrite its approval rules.
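To make the m-of-n approval logic concrete, and to show why the same two keys could both drain the bridge and then raise the threshold, here is a toy threshold wallet written for this article. It is an added example, not Harmony's or any real multi-sig contract's code; the class and method names, the constructed balance and signer names, and the "change_required" operation are all assumptions made for illustration.

```python
"""Toy m-of-n threshold multi-sig wallet (added example, not Harmony's code).

Mirrors the common pattern: any owner submits a transaction, owners confirm it,
and it executes once confirmations >= required. Changing `required` is itself
a wallet transaction, so it needs exactly the same quorum as moving funds.
"""
from dataclasses import dataclass, field
from typing import Optional


class NotOwner(Exception):
    pass


class NotEnoughConfirmations(Exception):
    pass


@dataclass
class Transaction:
    to: str
    value: int
    confirmations: set = field(default_factory=set)
    executed: bool = False
    # Hypothetical internal op, e.g. ("change_required", 4), targeting the wallet itself
    op: Optional[tuple] = None


class MultiSig:
    def __init__(self, owners, required, balance):
        assert 0 < required <= len(owners)
        self.owners = set(owners)
        self.required = required
        self.balance = balance
        self.txs = []

    def submit(self, sender, to, value, op=None):
        """An owner proposes a transaction; submitting counts as that owner's confirmation."""
        self._check_owner(sender)
        self.txs.append(Transaction(to, value, op=op))
        txid = len(self.txs) - 1
        self.confirm(sender, txid)
        return txid

    def confirm(self, sender, txid):
        self._check_owner(sender)
        self.txs[txid].confirmations.add(sender)

    def execute(self, txid):
        """Anyone may execute once the current threshold is met by current owners."""
        tx = self.txs[txid]
        if tx.executed:
            raise ValueError("already executed")
        if len(tx.confirmations & self.owners) < self.required:
            raise NotEnoughConfirmations(f"{len(tx.confirmations)} < {self.required}")
        if tx.op and tx.op[0] == "change_required":
            self.required = tx.op[1]  # no extra check: the quorum governs its own rules
        else:
            if tx.value > self.balance:
                raise ValueError("insufficient balance")
            self.balance -= tx.value
        tx.executed = True
        return tx

    def _check_owner(self, who):
        if who not in self.owners:
            raise NotOwner(who)


def simulate_horizon():
    """Constructed scenario: 5 owners, threshold 2, attacker holds signer1 and signer2."""
    owners = ["signer1", "signer2", "signer3", "signer4", "signer5"]
    wallet = MultiSig(owners, required=2, balance=100_000_000)
    compromised = ["signer1", "signer2"]

    # 1. Drain: two compromised keys satisfy a 2-of-5 threshold.
    txid = wallet.submit(compromised[0], "attacker", 100_000_000)
    wallet.confirm(compromised[1], txid)
    wallet.execute(txid)
    drained = wallet.balance == 0

    # 2. The same two keys can also raise the threshold to 4.
    txid = wallet.submit(compromised[0], "wallet", 0, op=("change_required", 4))
    wallet.confirm(compromised[1], txid)
    wallet.execute(txid)

    # 3. Under 4-of-5 the same pair can no longer lower it back on their own.
    txid = wallet.submit(compromised[0], "wallet", 0, op=("change_required", 2))
    wallet.confirm(compromised[1], txid)
    try:
        wallet.execute(txid)
        blocked = False
    except NotEnoughConfirmations:
        blocked = True

    return {"drained": drained, "required_after": wallet.required, "blocked_after": blocked}


if __name__ == "__main__":
    print(simulate_horizon())
```

The lesson the model makes visible: the threshold is the only thing standing between a compromised subset of owners and the treasury, and in a plain threshold scheme the threshold itself is governed by that same subset. Raising it to four after the fact closed the door, but the same two keys could have done anything else first.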
A week after the exploit, the attacker began moving over 36,000 ETH worth over $44 million, according to blockchain data. The exploiter first moved 18,000 ETH to three separate wallets, then the next day another 18,000 ETH to a further wallet. From that, 6,000 ETH was sent on to yet another wallet.
The funds were then sent to the privacy swap service Tornado Cash in small batches of 100 ETH. To this day, the 990 AAVE remains in the attacker’s wallet. The 78.5M AAG tokens were integrated with the Lossless Protocol and were successfully extracted from the hacker’s wallet and secured.
Harmony’s incident response team found no evidence of any breach of their smart contract code or of vulnerabilities in the Horizon platform. The team confirmed that private keys were compromised. They would then go on to post a $1 million bounty in exchange for the return of the funds and promised to press no criminal charges.
The Harmony team would offer one final opportunity for the individuals involved to return the assets with anonymity. The final terms offered $10 million in addition to the team ceasing the investigation. The bounty remains unclaimed.
According to a report released by blockchain analytics firm Elliptic, the specific manner in which the funds were stolen and laundered points to the involvement of The Lazarus Group, the same North Korean-affiliated cybercriminal organization linked to the Ronin Bridge hack.
“Although no single factor proves the involvement of Lazarus, in combination, they suggest the group’s involvement,” says the report.
Other such factors include the fact that many Harmony team members have ties to the Asia Pacific region, and Lazarus tends to go after Asia-based targets, potentially due to the languages used. Further, the only times the hackers have stopped offloading laundered funds are consistent with nighttime hours in the Asia Pacific region.
What can we learn from this?
Elliptic was able to follow the trails of the Harmony hackers through Tornado Cash transactions. While exchanges and businesses have been notified of this information, it does not help Harmony recover the funds.
To compensate the 65,000 wallets affected by the hack, Harmony proposed minting up to $4.97 billion worth of its native token, ONE. This proposal faced extreme criticism from the community. The team would then commit to a 0% mint and deployment of the protocol’s treasury towards recovery and development.
Sometimes smart contract owners focus so much on the security of the contract code that they neglect the human and operational side. Horizon's contracts were never broken; a two-of-five threshold simply meant that compromising two developer machines was enough. All employees should receive security training and abide by standardized, company-wide security practices, and the approval threshold on a bridge should be set on the assumption that some keys will be stolen. A system is only as secure as its weakest link, and unfortunately for us all, human nature is notoriously exploitable.
Update: 16-Jan 2023
Crypto sleuth ZachXBT has charted the movement of $63.5 million (~41,000 ETH) associated with the Harmony bridge hack. The hackers passed the funds through Railgun (a privacy protocol) before consolidating and depositing them onto three different exchanges. Of the three, only Huobi has been confirmed.
Binance, in collaboration with Huobi, was able to intercept and freeze funds from the hacker, who had attempted to withdraw 124 BTC (roughly $2.5 million at the time of writing).