Attackers Appear to Have Compromised a Multi-Signature Wallet
The Horizon bridge is a cross-chain protocol connecting the Ethereum, Binance and Harmony blockchains. It allows transfers of cryptocurrencies, stablecoins and non-fungible tokens between the Harmony blockchain and the other networks.
The company has attempted to contact the hackers via a transaction to their Ethereum wallet address, Harmony tells Information Security Media Group. At the time of writing this story, the Blockchain Intelligence Group tells ISMG that the stolen funds remain in the hackers’ wallet.
The company has shut down its services to prevent further losses.
The exploit did not impact the trustless Bitcoin (BTC) bridge, which means that the funds and assets stored in decentralized vaults are safe, the company says in its tweet thread.
Private Keys Compromised
The bridge was compromised by “11 transactions that extracted tokens stored in the bridge,” according to Harmony’s blog post. “The estimated value at the time of the attack was approximately $100 million USD,” it says.
The FBI is conducting a probe, Harmony tells ISMG. When contacted, the FBI says it doesn’t confirm investigations.
#Harmony #Bridge which was recently exploited. Had crypto worth about 105M exploited on ETH and BSC.
ETH along with 11 tokens were stolen, which were later swapped for ETH.
Funds stolen remain currently unspent in both exploiter’s ETH & BSC addresses pic.twitter.com/hT4S5twnAe
— Blockchain Intelligence Group (@blocksearch) June 24, 2022
The theft of funds from Horizon’s Ethereum bridge was the result of the compromise of private keys, says Harmony founder Stephen Tse. The company has put together a 24/7 incident response team, comprising engineers from the U.S., Greece, India and Cambodia.
“The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service and no single machine had access to multiple plaintext keys,” he says.
The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions, he says. The hacker has not made any attempt to anonymize the ownership of these assets, he adds.
The bridge was essentially a multi-signature contract, which required two out of five addresses to validate a transfer, says William Callahan, director of government and strategic affairs at Blockchain Intelligence Group.
In a multi-signature contract, as the name suggests, multiple signatories must approve a transaction before it’s executed.
“If any two out of five addresses told the contract to transfer funds to someone, it did. In this case, the hacker likely compromised two addresses and made them transfer the crypto to his own wallet,” Callahan tells ISMG.
“At this time, the team has mitigated the Ethereum side of the Horizon bridge to a 4-of-5 multisig since the incident and continues to enhance our operations and infrastructure security,” says Tse.
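The difference between the 2-of-5 and 4-of-5 policies described above, modelled as an added example (this is not Harmony's contract code). The signer names, demo keys and transfer message are constructed, and HMAC-SHA256 stands in for the on-chain signature scheme so the model runs with the standard library alone.

```python
import hashlib
import hmac
from math import comb

# Constructed demo keys for five hypothetical signers; HMAC-SHA256 stands in
# for the on-chain signature scheme so the example needs only the stdlib.
KEYS = {f"signer{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
        for i in range(1, 6)}


def sign(signer: str, message: bytes) -> bytes:
    """Produce the stand-in signature of `message` under `signer`'s key."""
    return hmac.new(KEYS[signer], message, hashlib.sha256).digest()


def approved(message: bytes, signatures, threshold: int) -> bool:
    """True when at least `threshold` distinct known signers validly signed."""
    valid = set()
    for signer, sig in signatures:
        key = KEYS.get(signer)
        if key is None:
            continue  # unknown signer: ignored
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            valid.add(signer)  # a set, so a repeated signer counts once
    return len(valid) >= threshold


def threshold_report(n: int, m: int) -> dict:
    """Security/availability trade-off of an m-of-n policy."""
    return {
        "keys_needed_to_move_funds": m,
        "key_sets_that_suffice": comb(n, m),  # distinct m-key sets
        "keys_that_can_be_lost": n - m,       # before signing is impossible
    }


if __name__ == "__main__":
    transfer = b"transfer 100 TOKEN to 0xCONSTRUCTED"  # constructed message
    two_keys = [(s, sign(s, transfer)) for s in ("signer2", "signer4")]
    print("2-of-5 approves:", approved(transfer, two_keys, 2))
    print("4-of-5 approves:", approved(transfer, two_keys, 4))
    print("same signer x4:", approved(transfer, [two_keys[0]] * 4, 2))
    print(threshold_report(5, 2))
    print(threshold_report(5, 4))
```

Raising the threshold from 2 to 4 cuts the number of key sets that suffice from 10 to 5, but it also means signing stops once more than one key is lost or unavailable.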
There is currently “no evidence” of a smart contract code breach or the existence of a vulnerability on the Horizon platform, says Tse.
“Our consensus layer of the Harmony blockchain remains secure,” he adds. The consensus mechanism of a blockchain essentially prevents bad actors from cheating. This layer ensures that pre-agreed ownership conditions are maintained.
Singapore-based AAG Ventures, which says it was affected by the Harmony exploit, has managed to freeze $78 million of the $84 million stolen from it. Lossless, the company AAG Ventures says it retained to prevent loss of funds, has published details of its investigation.
Other Bridge Attacks
The past few months have witnessed dozens of hacks involving blockchain bridges. Chainalysis, a blockchain analysis and investigation company, has charted the impact of these incidents.
4/ Value stolen from #DeFi protocols now account for the vast majority of stolen funds. And as more value flows through cross-chain bridges, they have become more attractive targets. We’ve seen this before with attacks on the Ronin Bridge and Wormhole Network. pic.twitter.com/D9YKPmJsfE
— Chainalysis (@chainalysis) June 24, 2022
The biggest one so far involved Ronin Network, a sidechain tied to blockchain game Axie Infinity. In April, North Korean hackers breached the security of Ronin Network by gaining access to private keys used to forge fake withdrawals. The hackers stole 173,600 ethereum and $25.5 million – totaling nearly $615 million. The hack was discovered five days after a user reported an inability to withdraw 5,000 in Ethereum from its bridge, or the port that allows inter-blockchain asset transfers (see: Crypto Hackers Exploit Ronin Network for $615 Million).
Ronin Network plans to re-open the bridge on Tuesday and reimburse users whose funds were stolen. “We plan on re-opening the Ronin Bridge on June 28, with all user funds returned,” it says in a blog post.
In February, the Wormhole network, a token bridge that allows users to trade multiple cryptocurrencies across the Ethereum and Solana blockchains, was exploited for 120,000 ETH tokens ($321 million). It restored all funds and brought the network back up the same day (see: Wormhole Blockchain Bridge Exploited for Over $300 Million).
The same month, Meter, a blockchain infrastructure company that provides multi-chain bridging and allows users to trade multiple cryptocurrencies across Ethereum and other public chains, was also exploited for $4.4 million.
In August last year, a hacker – infamously dubbed “Mr. White Hat” – drained the Poly Network protocol of more than $600 million in cryptocurrency, before gradually returning the funds. Experts suggested at the time that the hacker likely had trouble laundering the funds (see: Poly Network Says $600 Million in Cryptocurrency Stolen).