Horizon Offers $1M Bounty to Hackers Who Stole $100M

Attackers Appear to Have Compromised a Multi-Signature Wallet

An artist’s representation of the Horizon bridge. (Source: Harmony)

Blockchain company Harmony has offered a $1 million bounty to hackers who stole $100 million worth of Ethereum tokens. It also says it won’t push for criminal charges if the funds are returned.

The Horizon bridge is a cross-chain protocol connecting the Ethereum, Binance and Harmony blockchains. It allows transfers of cryptocurrencies, stablecoins and non-fungible tokens between the Harmony blockchain and the other networks.

The company has attempted to contact the hackers via a transaction to their Ethereum wallet address, Harmony tells Information Security Media Group. At the time of writing this story, the Blockchain Intelligence Group tells ISMG that the stolen funds remain in the hackers’ wallet.

The company has shut down its services to prevent further losses.

The exploit did not impact the trustless Bitcoin (BTC) bridge, which means that the funds and assets stored in decentralized vaults are safe, the company says in its tweet thread.

Private Keys Compromised

The bridge was compromised by “11 transactions that extracted tokens stored in the bridge,” according to Harmony’s blog post. “The estimated value at the time of the attack was approximately $100 million USD,” it says.

The FBI is conducting a probe, Harmony tells ISMG. When contacted, the FBI says it doesn’t confirm investigations.

The theft of funds from Horizon’s Ethereum bridge was the result of the compromise of private keys, says Harmony founder Stephen Tse. The company has put together a 24/7 incident response team, comprising engineers from the U.S., Greece, India and Cambodia.

“The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service and no single machine had access to multiple plaintext keys,” he says.

The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions, he says. The hacker has not made any attempt to anonymize the ownership of these assets, he adds.

The bridge was essentially a multi-signature contract, which required two out of five addresses to validate a transfer, says William Callahan, director of government and strategic affairs at Blockchain Intelligence Group.

In a multi-signature contract, as the name suggests, multiple signatories must approve a transaction before it’s executed.

“If any two out of five addresses told the contract to transfer funds to someone, it did. In this case, the hacker likely compromised two addresses and made them transfer the crypto to his own wallet,” Callahan tells ISMG.

“At this time, the team has mitigated the Ethereum side of the Horizon bridge to a 4-of-5 multisig since the incident and continues to enhance our operations and infrastructure security,” says Tse.
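
The effect of the signing threshold described above, as an added illustration that is not Harmony's code: a minimal Python model of an m-of-n approval check. The owner names, keys and transaction are constructed, and HMAC-SHA256 is an assumed stand-in for the signature scheme a real bridge contract verifies.

```python
import hashlib
import hmac

# Constructed signer set: five owners, each with a stand-in secret key.
# HMAC-SHA256 is an assumption standing in for real on-chain signatures.
OWNER_KEYS = {f"owner{i}": f"constructed-key-{i}".encode() for i in range(1, 6)}


def sign(owner, tx):
    """Produce an approval for tx with the named owner's key."""
    return hmac.new(OWNER_KEYS[owner], tx, hashlib.sha256).digest()


def valid_approvers(tx, approvals):
    """Return the distinct registered owners whose approval verifies for tx."""
    seen = set()
    for owner, sig in approvals:
        key = OWNER_KEYS.get(owner)
        if key is None:
            continue  # not one of the registered owners
        expected = hmac.new(key, tx, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            seen.add(owner)  # a set, so a repeated approval counts once
    return seen


def authorized(tx, approvals, threshold):
    """m-of-n rule: allow only if at least `threshold` distinct owners approved."""
    return len(valid_approvers(tx, approvals)) >= threshold


def demo():
    tx = b"transfer 100 TOKEN to 0xCONSTRUCTED"
    # Scenario from the article: two of the five owner keys are compromised.
    two_keys = [("owner1", sign("owner1", tx)), ("owner2", sign("owner2", tx))]
    replayed = [two_keys[0]] * 4  # one approval submitted four times
    return {
        "2of5_two_keys": authorized(tx, two_keys, 2),
        "4of5_two_keys": authorized(tx, two_keys, 4),
        "4of5_replayed": authorized(tx, replayed, 4),
        # Approvals are bound to the transaction bytes they were made for.
        "2of5_wrong_tx": authorized(b"transfer 100 TOKEN elsewhere", two_keys, 2),
    }


if __name__ == "__main__":
    print(demo())
```

The same two approvals that satisfy a 2-of-5 policy fail a 4-of-5 policy, which is the change Tse describes; the threshold only helps if the keys are held independently enough that several cannot be obtained together.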

There is currently “no evidence” of a smart contract code breach or the existence of a vulnerability on the Horizon platform, says Tse.

“Our consensus layer of the Harmony blockchain remains secure,” he adds. The consensus mechanism of a blockchain essentially prevents bad actors from cheating. This layer ensures that pre-agreed ownership conditions are maintained.

Singapore-based AAG Ventures, which says it was affected by the Harmony exploit, has managed to freeze $78 million of the $84 million stolen from it. Lossless, the company AAG Ventures says it retained to prevent loss of funds, has published details of its investigation here.

Other Bridge Attacks

The past few months have witnessed dozens of hacks involving blockchain bridges. Chainalysis, a blockchain analysis and investigation company, represents in a graph the impact of these incidents.

The biggest one so far involved Ronin Network, a sidechain tied to blockchain game Axie Infinity. In April, North Korean hackers breached the security of Ronin Network by gaining access to private keys used to forge fake withdrawals. The hackers stole 173,600 ethereum and $25.5 million – totaling nearly $615 million. The hack was discovered five days after a user reported an inability to withdraw 5,000 in Ethereum from its bridge, or the port that allows inter-blockchain asset transfers. (See: Crypto Hackers Exploit Ronin Network for $615 Million)

The company plans to re-open the bridge on Tuesday, and reimburse users whose funds were stolen. “We plan on re-opening the Ronin Bridge on June 28, with all user funds returned,” it says in a blog post.

In February, the Wormhole network, a token bridge that allows users to trade multiple cryptocurrencies across the Ethereum and Solana blockchains, was exploited for 120,000 ETH tokens ($321 million). It restored all funds and brought the network back up the same day (see: Wormhole Blockchain Bridge Exploited for Over $300 Million).

The same month, Meter, a blockchain infrastructure company that provides multi-chain bridging and allows users to trade multiple cryptocurrencies across Ethereum and other public chains, was also exploited for $4.4 million.

In August last year, a hacker – infamously dubbed “Mr. White Hat” – drained the Poly Network protocol of more than $600 million in cryptocurrency, before gradually returning the funds. Experts suggested at the time that the hacker likely had trouble laundering the funds (see: Poly Network Says $600 Million in Cryptocurrency Stolen).
