Crypto Hack Casefiles: Horizon Bridge

Brick Frog
Last updated: 2023/01/17 at 9:05 AM
Brick Frog Published January 12, 2023
Harmony Bridge Hack

Welcome to the Crypto Hack Casefiles; in this installment, we cover the Horizon Bridge hack from June 2022. This attack saw around $100 million stolen from Harmony Protocol through some sneaky social engineering by a familiar cybercriminal organization. Did we mention the $1M bounty? 

Contents
The Set Up
The Exploit
The Getaway
What can we learn from this?
Update: 16-Jan 2023

Target: Horizon Bridge
Date: 23/06/2022
Amount Stolen: $100 million
Type of Attack: Private Key Compromised

The Set Up

Harmony, built by the U.S. crypto startup of the same name behind Horizon, is an Effective Proof-of-Stake layer-1 blockchain that features trustless cross-chain bridges and four shards that process transactions in parallel.

The Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin. Like most cross-chain bridges, the Harmony Horizon Bridge has a validation process for approving transactions transferred over the bridge. The bridge contract operated through a five-person multi-sig contract on Ethereum.

Multi-signature wallets work by having a smart contract with several private keys controlling the use of the wallet. The smart contract usually includes a provision for the minimum number of keys required to approve a transaction. These keys are shared among different persons, with the logic being that the decentralized approval process will make it harder for malicious actors to break into the wallet.

However, the bridge only used a two-of-five validation scheme. This means that only two of the five accounts needed to be compromised for an attacker to approve any malicious transaction. In fact, this vulnerability had been identified by Twitter users as early as April.

The security of the bridge is currently predicated on a multisig wallet deployed at 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6. It has four owners, two of which are required to consent in order to execute an arbitrary transaction (i.e. drain the $330m). pic.twitter.com/sgYmyPrYgf

— Ape Dev (@_apedev) April 1, 2022

The private keys were stored only in encrypted form on the server, and the logic for using them was likewise only available on the server. An attacker could not gain access to those keys without compromising internal employees.

The Exploit

1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.

More 🧵

— Harmony 💙 (@harmonyprotocol) June 23, 2022

The Horizon bridge was exploited via the theft of two private keys. It was suspected that the attackers used a phishing scheme to trick at least one software developer into installing malicious software on their laptop. This allowed the attackers to read chat threads to learn how the bridge was operated and/or to gain access to non-public bridge infrastructure code and backdoor access to one or more servers used to perform the hack.

With access to two of the bridge’s private keys, the attacker could create a transaction extracting $100 million from the bridge and confirm it using two accounts under their control. 

The attack resulted in the loss of 85,867 ETH, 990 AAVE, and 78,500,000 AAG on Ethereum, 5,000 BNB, and 640,000 BUSD on BNB Chain, for a total of about $100,428,116.

Shortly after the exploit, the Harmony team detected the attack and was able to change the required confirmations from two to four. The same two addresses that approved the draining transactions also approved the transaction that raised the requirement from two to four signatures to secure the bridge.
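As an added illustration, not Harmony's or the bridge's actual code, here is a minimal Python model of the owner-threshold multisig described above: any transaction, including one that changes the threshold itself, executes only once `required` distinct owners have confirmed it. The owner names are constructed placeholders, and the rule that a threshold change is gated by the current threshold is an assumption chosen to mirror the sequence in which the two compromised signers authorised both the drain and the later change from two to four confirmations.

```python
from dataclasses import dataclass, field

@dataclass
class MultiSig:
    """Owner-threshold wallet: anything executes once `required` owners confirm it."""
    owners: frozenset                     # owner addresses (placeholders below)
    required: int                         # confirmations needed to execute
    confirmations: dict = field(default_factory=dict)   # tx_id -> set of owners

    def confirm(self, tx_id: str, owner: str) -> None:
        if owner not in self.owners:
            raise PermissionError(f"{owner} is not an owner")
        self.confirmations.setdefault(tx_id, set()).add(owner)

    def is_executable(self, tx_id: str) -> bool:
        return len(self.confirmations.get(tx_id, set())) >= self.required

    def change_requirement(self, tx_id: str, new_required: int) -> bool:
        # Raising or lowering the threshold is itself a transaction gated by the
        # current threshold, so whoever meets it can change it (assumed rule).
        if not self.is_executable(tx_id) or not 1 <= new_required <= len(self.owners):
            return False
        self.required = new_required
        return True

    def key_compromise_tolerance(self) -> int:
        """Number of owner keys that can be stolen before a thief can act alone."""
        return self.required - 1


def simulate_horizon_style_incident() -> dict:
    """Replay the 2-of-5 scenario from the article with constructed owner names."""
    bridge = MultiSig(frozenset(f"owner{i}" for i in range(1, 6)), required=2)
    stolen = ["owner1", "owner2"]          # the two compromised signing keys
    tolerance_before = bridge.key_compromise_tolerance()   # 1: losing 2 keys is fatal
    for o in stolen:
        bridge.confirm("drain", o)
    drain_ok = bridge.is_executable("drain")               # True under 2-of-5
    # The same two keys later authorise the emergency change to 4-of-5.
    for o in stolen:
        bridge.confirm("raise-threshold", o)
    raised = bridge.change_requirement("raise-threshold", 4)
    # Under 4-of-5 the same two keys can no longer execute anything on their own.
    for o in stolen:
        bridge.confirm("drain-again", o)
    return {"drain_ok": drain_ok, "raised": raised,
            "drain_again_ok": bridge.is_executable("drain-again"),
            "tolerance_before": tolerance_before,
            "tolerance_after": bridge.key_compromise_tolerance()}
```

The `tolerance_before` value of 1 is the whole risk in one number: a 2-of-5 scheme survives the loss of a single key, so two phished developers were enough.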

We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information.

Contact us at whitehat@harmony.one or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.

Harmony will advocate for no criminal charges when funds are returned.

— Harmony 💙 (@harmonyprotocol) June 26, 2022

The Getaway

A week after the exploit, the attacker began moving over 36,000 ETH worth over $44 million, according to blockchain data. The exploiter moved an additional 18,000 ETH to three separate wallets. The next day the exploiter moved another 18,000 ETH to another wallet. From that, 6,000 ETH was then sent to another separate wallet.

The funds were then sent to the privacy swap service Tornado Cash in small batches of 100 ETH. To this day, the 990 AAVE remains in the attacker’s wallet. The 78.5M AAG tokens were integrated with the Lossless Protocol and were successfully extracted from the hacker’s wallet and secured.

Harmony’s incident response team found no evidence of any breach of their smart contract code or vulnerabilities in the Horizon platform. The team confirmed that private keys were compromised. They would then go on to post a $1 million bounty in exchange for the return of the funds and promised to press no criminal charges.

The Harmony team would offer one final opportunity for the individuals involved to return the assets with anonymity. The final terms offered $10 million in addition to the team ceasing the investigation. The bounty remains unclaimed.

According to a report released by blockchain analytics firm Elliptic, the specific manner in which the funds were stolen and laundered points to the involvement of The Lazarus Group, the same North Korean-affiliated cybercriminal organization linked to the Ronin Bridge hack. 

“Although no single factor proves the involvement of Lazarus, in combination, they suggest the group’s involvement,” says the report.

Other such factors include the fact that many Harmony team members have ties to the Asia Pacific region, and Lazarus tends to go after Asia-based targets, potentially due to the languages used. Further, the only times the hackers have stopped offloading laundered funds are consistent with nighttime hours in the Asia Pacific region.

The reimbursement proposal is posted and available for feedback. We encourage the #HarmonyONE community to read and engage in conversation with each other and the core team.

Thank you for your patience as we work to move forward together as ONE.

Link: https://t.co/9q7dlSrAvW

— Harmony 💙 (@harmonyprotocol) July 27, 2022

What can we learn from this?

Elliptic was able to follow the trails of the Harmony hackers through Tornado Cash transactions. While exchanges and businesses have been notified of this information, it does not help Harmony recover the funds. 

To compensate the 65,000 wallets affected by the hack, Harmony proposed minting up to $4.97 billion worth of its native token, ONE. This proposal faced extreme criticism from the community. The team would then commit to a 0% mint and deployment of the protocol’s treasury towards recovery and development. 

Sometimes smart contract owners focus too much on the security of smart contracts and neglect the human component of security. All employees should receive security training and abide by standardized, company-wide security practices. A system is only as secure as its weakest link, and unfortunately for us all, human nature is notoriously exploitable.

Update: 16-Jan 2023

Crypto sleuth ZachXBT has charted the movement of $63.5 million (~41,000 ETH) associated with the Harmony bridge hack. The hackers passed the funds through Railgun (a privacy protocol) before consolidating and depositing them onto three different exchanges. Only Huobi has been confirmed out of the three exchanges.

Binance, in collaboration with Huobi, was able to intercept and freeze funds from the hacker, who attempted to withdraw 124 BTC (roughly $2.5 million at the time of writing).

We detected Harmony One hacker fund movement. They previously tried to launder through Binance and we froze his accounts. This time he used Huobi. We assisted Huobi team to freeze his accounts. Together, 124 BTC have been recovered. CeFi helping to keep DeFi #SAFU! 🙏

— CZ 🔶 Binance (@cz_binance) January 16, 2023
