By Olga Kharif, Sidhartha Shukla and Emily Nicolle
Hackers looted about $100 million from a so-called cryptocurrency bridge, again exposing a key vulnerability in the digital-asset ecosystem.
Blockchain Harmony said in a tweet that the hack of its Horizon bridge, which lets people swap coins between different blockchains, took place Thursday morning. It has “begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”
Most of the crypto world is divided into silos: The Bitcoin and Ethereum networks, for example, can only operate using Bitcoin and Ethereum tokens. As more cryptocurrencies gain adoption and traders demand the ability to interact seamlessly with one another, projects like Harmony are developing platforms known as bridges that can accept a variety of tokens and move them fluidly between blockchains.
But bridges are particularly vulnerable to hacks, as their technology is complex and they are often run by anonymous teams. The way they safeguard funds is often unclear. Sophisticated hackers have repeatedly targeted them.
Harmony’s native ONE token, used to pay transaction fees, earn rewards or vote on changes to the platform, dropped 12% over the past 24 hours, according to CoinGecko. The underlying Harmony blockchain has more than $1 billion in total value locked to the project, according to its website.
It wasn’t immediately clear whether any user funds had been stolen.
‘Private Key Compromise’
The attack on Horizon, which offers cross-chain transfers between Ethereum and Binance’s Smart Chain, marks the third major bridge hack this year. In February, hackers stole more than $300 million from the Wormhole bridge, followed by a $620 million theft from the Ronin bridge a month later.
Even before the Horizon hack, more than $1 billion had been stolen from bridges, researcher Chainalysis has estimated.
In Horizon’s case, “the theft seems to have happened due to a private key compromise,” said Xuxian Jiang, chief executive officer of security firm PeckShield, which has been contacted by Harmony for support. Harmony did not immediately respond to requests for comment.
The Horizon bridge is managed and secured by four wallets, Jiang said, and an authentication from at least two of the wallets — each supported by multiple signatures — is required to validate and execute a transaction. On this occasion, an attacker was able to compromise the private information required to access these wallets, and then trigger transactions that withdrew assets from the Horizon bridge to an external wallet, Jiang said.
The hackers made off with cryptocurrencies including Ether and BNB as well as stablecoins Tether, USDC and DAI, researcher Elliptic said in a tweet. Those tokens were then swapped for Ether using so-called decentralized exchanges in what Elliptic called “a commonly-seen technique with these hacks.”
Horizon uses a security mechanism similar to the one employed by the Ronin bridge, linked to the popular blockchain game Axie Infinity, which required five out of nine validators to sign off at the time it was hacked. Harmony is popular for blockchain games like Mars Colony and DeFi Kingdoms, according to its website.
After the Ronin attack, which was attributed to a North Korean hacker group, owner Sky Mavis sharply increased the number of validators required to sign off on transactions — pledging to eventually boost it to over 100.
Thursday’s attack on the Horizon bridge followed an exploit related to five user wallets on Harmony’s network in January, in which the company said a thief had siphoned 19,314,598 ONE tokens, worth roughly $5.8 million at the time.
The amount of money locked on bridges connected to the Ethereum blockchain declined 60% in the last 30 days to less than $12 billion, per tracker Dune, triggered by a wider crypto market slump and liquidity concerns surrounding several large crypto players including Celsius Network, Babel Finance, Three Arrows Capital and Voyager Digital.
More stories like this are available on bloomberg.com