It’s happened again, folks – another bridge has been hacked. Bridges between blockchains are prime targets for attackers due to their architecture, and hackers have been absolutely rinsing them lately. This attack brings the total funds lost from bridges in 2022 alone up to a staggering $1B+ total. The Harmony bridge was hacked earlier today, June 23rd, for a $100 million USD loss.
Harmony Protocol is an alternative Layer 1 blockchain that has been slowly dying out in the bear. This is an absolutely devastating loss for the project – the chain’s DeFi TVL at the time of the attack was only $85 million USD.
The market cap of the chain’s token, ONE, is currently just under $300 million USD, and currently in freefall as users struggle to figure out what the future of the chain will be.
The attack investigation is still underway, and the mechanism is not known at this time. The attacker’s funds currently sit in 0x0d043128146654C7683Fbf30ac98D7B2285DeD00, and he has consolidated his ill gotten gains into Ether.
Past attacks on bridges have been through a range of vulnerabilities. The Ronin bridge fell victim to an attacker gathering the threshold number of keys needed to approve a transaction. The Wormhole exploit was a bug in the smart contracts verifying the bridge guardian signature.
We do not know conclusively yet how the Horizon bridge was exploited. Initial analysis suggests that the bridge was using a 2/5 multisig, and the attacker gained access to two of the multisig signer keys. Or, potentially, an inside job, although it would be unfair to cast aspersions at this time with so little information.
One thing we do know is that the attack occurred almost 12 hours before the team released a statement. This suggests they may not have had great monitoring in place. We saw this also with the Ronin exploit, where the team only found out they lost over half a billion dollars when a user complained about the bridge not working – a week later!
Putting monitoring in place is not hard – you can do it yourself for free, even. It should be a key part of any serious operator’s toolkit.
That’s all we know right now. I’ll continue to update this post as information comes in. It’s not looking good for the project, though, now that the Harmony bridges have been hacked.
Stay safe out there, anon.