Harmony’s cross-chain protocol, the Horizon Bridge, has been hacked, leading to a loss of funds of around $100 million.
Stolen Altcoins Swapped For ETH
Earlier today, the Horizon Bridge, which facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin, was targeted by hackers. They conducted a series of eleven transactions that siphoned off various altcoins. The tokens were then sent to a different wallet, from which they were swapped for Ether (ETH) on the Uniswap decentralized exchange (DEX). Around $100 million worth of funds were stolen through altcoins like Frax (FRAX), Wrapped Ether (wETH), Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC), and USD Coin (USDC).
The news broke when the Harmony team tweeted about it this morning:
“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”
Team Discloses Initial Info
According to statements from the Harmony team, the hack will not affect the trustless BTC bridge or the funds and assets stored in the decentralized vaults. The team has also identified the wallet responsible for swapping the stolen tokens for ETH and has disclosed the address on Twitter. They also announced that necessary actions have been taken to prevent further transactions by notifying exchanges and pausing the Horizon bridge. Finally, the team announced that it is working closely with national authorities and forensic specialists to identify the culprits behind the hack and will soon disclose a post-mortem report.
Multisig Concerns Valid
The community had previously raised concerns about the stability of the bridge’s multisig wallet on Ethereum. Reportedly, the bridge was secured by a two-of-four multisig, meaning that two signers were enough to move funds away. An industry expert had even pointed this out on Twitter back in April, saying that the low number of required signers left the bridge vulnerable to a significant hack. The fact that the bridge was actually exploited vindicates the concerns that were raised months ago.
Multisigs have posed serious security risks for bridges. For example, Axie Infinity’s Ronin Bridge was hacked when attackers took control of the required five out of nine validators and stole over $600 million in assets. Another cross-chain protocol, Wormhole, was also attacked when hackers exploited a vulnerability in the bridge.