Hackers Steal $100 Million by Exploiting Crypto’s Weak Link

Hackers stole approximately $100 million from a so-called cryptocurrency bridge, exposing yet another critical vulnerability in the digital-asset ecosystem.

Source: Bloomberg | Published on June 24, 2022

SEC fine for cryptocurrency trading company

The hack of Blockchain Harmony's Horizon bridge, which allows people to swap coins between different blockchains, occurred Thursday morning, according to a tweet from the company. It has "begun working with national authorities and forensic experts to identify the perpetrator and recover the stolen funds."

The majority of the crypto world is divided into silos: for example, the Bitcoin and Ethereum networks can only operate using Bitcoin and Ethereum tokens. As more cryptocurrencies become popular and traders demand the ability to interact seamlessly with one another, projects such as Harmony are developing bridge platforms that can accept a variety of tokens and move them fluidly between blockchains.

Bridges, on the other hand, are particularly vulnerable to hacking because their technology is complex and they are frequently run by anonymous teams. It is frequently unclear how they safeguard funds. They have been repeatedly targeted by sophisticated hackers.

According to CoinGecko, Harmony's native ONE token, which is used to pay transaction fees, earn rewards, and vote on platform changes, has dropped 12 percent in the last 24 hours. According to the project's website, the underlying Harmony blockchain has more than $1 billion in total value locked up.

It was unclear whether any user funds had been stolen.

The 'Private Key Compromise'

Horizon is the third major bridge hack this year, offering cross-chain transfers between Ethereum and Binance's Smart Chain. Hackers stole over $300 million from the Wormhole bridge in February, followed by a $620 million theft from the Ronin bridge a month later.

According to researcher Chainalysis, more than $1 billion had been stolen from bridges prior to the Horizon hack.

In Horizon's case, "the theft appears to have occurred due to a private key compromise," according to Xuxian Jiang, CEO of security firm PeckShield, which has been contacted by Harmony for assistance. Harmony did not respond to requests for comment right away.

According to Jiang, the Horizon bridge is managed and secured by four wallets, and authentication from at least two of the wallets – each with multiple signatures – is required to validate and execute a transaction. An attacker was able to compromise the private information required to access these wallets on this occasion, and then trigger transactions that transferred assets from the Horizon bridge to an external wallet, according to Jiang.

According to researcher Elliptic, the hackers stole cryprocurrencies such as Ether and BNB, as well as stablecoins such as Tether, USDC, and DAI. These tokens were then exchanged for Ether via decentralized exchanges, which Elliptic described as "a commonly-seen technique with these hacks."

Ronin Hacking

Horizon employs a security mechanism similar to that used by the Ronin bridge, which is linked to the popular blockchain game Axie Infinity and required five out of nine validators to sign off when it was hacked. According to its website, Harmony is well-known for blockchain games such as Mars Colony and DeFi Kingdoms.

Following the Ronin attack, which was blamed on a North Korean hacker group, owner Sky Mavis dramatically increased the number of validators required to sign off on transactions, promising to eventually increase it to more than 100.

The Horizon bridge attack on Thursday followed an exploit related to five user wallets on Harmony's network in January, in which the company said a thief stole 19,314,598 ONE tokens, worth approximately $5.8 million at the time.

According to tracker Dune, the amount of money locked on bridges connected to the Ethereum blockchain has dropped by 60% in the last 30 days to less than $12 billion, owing to a broader crypto market slump and liquidity concerns surrounding several large crypto players such as Celsius Network, Babel Finance, Three Arrows Capital, and Voyager Digital.