
Horizon Bridge

Harmony hacker sends stolen funds to Tornado Cash mixer

The exploiter seems to have rejected the Harmony team’s bounty offer of $1 million to return the $100 million stolen from the Horizon Bridge token bridge.

The funds from Harmony’s Horizon Bridge have begun to move into the Tornado Cash Ethereum mixer, signaling that the attacker has no intention of accepting the $1 million bounty offered.

The decision to obfuscate the ill-gotten gains answers questions about whether the Harmony team’s offer of just 1% of the $100 million in crypto funds stolen on June 24 would be enough to convince the exploiter to return them.

A total of 18,036.3 ETH worth about $21 million was moved out of the Horizon Bridge exploiter’s primary wallet at 03:10 am ET on June 28. These funds were then divided equally three ways and sent to three different addresses, each in a single transaction, over the next 10 hours.

Tornado Cash supports mixing a maximum of 100 ETH at a time, which means large sums can easily take several hours to mix. Mixing ETH is a privacy measure designed to obfuscate the transaction path of coins so they cannot be traced back to previous transactions.

The first and second wallets that received ETH from the exploiter’s primary wallet have completed mixing the coins and are now left with about 16.3 ETH collectively, an amount likely too small to bother with.

The third wallet was busy sending batches of 100 ETH to Tornado in eight-minute intervals and still had 2,800 coins remaining as of the time of writing.

Cointelegraph has not received a reply from the Harmony team on what it plans to do to replace the stolen funds in the bridge.

The project’s Twitter account reaffirmed on June 27 that the team was working with “two highly reputable blockchain tracing and analysis partners,” along with the Federal Bureau of Investigation, to investigate the hack.

About $80 million in ETH is still in the exploiter's primary wallet. They could possibly return a portion of the stolen funds to Horizon, or they may be taking a break, as it has taken the exploiter over 13 hours to mix just $21 million.

Although the initial haul was valued at about $100 million at the time, positive ETH price fluctuations have increased the dollar value to $101.5 million.

Stephen Tse, the founder of Harmony, confirmed on June 25 that the exploiter took control of the required two Horizon Bridge signees for the multisig address used to secure funds. He noted that the Ethereum side of the bridge affected by the exploit was moved to a more secure multisig wallet that required four signees.


Horizon is the latest in a growing list of token bridges that have been attacked. The largest token bridge to be hacked was Poly Network in 2021, which lost $610 million that was almost entirely returned.

In total, over $1 billion has been extracted from the Meter, Wormhole, Ronin, and now Horizon token bridges through nefarious means in 2022 so far.


Harmony offers $1M bounty, but is it big enough?

The Harmony team says it will offer $1 million to the hacker who exploited the Horizon Bridge for $100 million, but that may not be enough to get the funds back.

The Harmony layer-1 blockchain project team has offered a bounty equal to just 1% of the $100 million in crypto stolen from the Horizon Bridge hack last week. 

Harmony tweeted on June 26 that the team had committed $1 million for the return of the funds that were stolen from the Horizon Bridge on June 23. It added, “Harmony will advocate for no criminal charges when funds are returned.”

However, concerns have been raised that the modest bounty sum may not be enough to incentivize the attacker to return the funds.

The Horizon Bridge is a token bridge between the Harmony blockchain and the Ethereum network, Binance Chain, and Bitcoin. The Bitcoin bridge was not affected in this exploit.

Compared to other high-profile exploits this year, Harmony’s bounty offer ranks low. The $10 million offered to the Rari Fuse attacker in May was 12.5% of the total stolen. The Beanstalk Finance team offered $7.6 million which was 10% of the total exploited from the protocol in April.

Harmony’s bounty offer is so low that the crypto trader known on Twitter as Degen Spartan called it an “insulting amount.” He added, “imagine losing 100m and thinking you're in a position to lowball for a 1% bounty lmwo these people are just doing performance art to mitigate legal liability.”

In an incident response update on the Horizon bridge hack on June 25, Harmony founder Stephen Tse tweeted that the hack was not the result of a smart contract code breach; instead, the team found evidence that private keys were compromised, which led to the breach of the bridge.

Tse said that the Ethereum side of the bridge had migrated “to a 4-5 multisig since the incident.” The vulnerability of the multisig wallet requiring just two out of five signers was brought up by a community member in April, but the issue was not addressed by the Harmony team until now.

A multisig wallet is a crypto wallet that requires multiple key holders to approve a transaction. These wallets are commonly used at crypto projects.

As of the time of writing, the Horizon Bridge hacker has not moved the stolen funds into Tornado Cash, an Ether (ETH) mixer, or any other anonymizer.


Hope is not lost for Harmony, as its $1 million bounty is not the smallest proportional to the amount of funds lost. In 2021, the Poly Network interoperability platform was hacked for $610 million. The team’s bounty offer of $500,000 was 0.08% of the total stolen. The offer was rejected, but luckily the funds were returned anyway.


Harmony’s $100M Hack Was Due to a Compromised Multi-Sig Scheme, Says Analyst

On June 23, 2022, the Harmony development team announced that $100 million was siphoned from the Horizon bridge, and the organization explained it was working with national authorities and forensic specialists. According to an account published by Polygon’s chief information security officer, Mudit Gupta, the Horizon bridge attacker allegedly took control of the multi-signature wallet leveraged […]


Breaking: Harmony’s Horizon Bridge hacked for $100M

The layer-1 blockchain’s main bridge between Ethereum, Binance Chain, and Bitcoin has been exploited for nine figures, but Harmony says its BTC bridge has not been affected.

The Horizon Bridge to the Harmony One layer-1 blockchain has been exploited for $100 million in altcoins which are being swapped for Ether (ETH).

The hack may vindicate previously raised community concerns about the robustness of the two of four multisig that reportedly secures the bridge.

From about 7:08 am until 7:26 am ET, 11 transactions were made from the bridge for various tokens. The attacker has since begun sending tokens to a different wallet to swap for ETH on the Uniswap decentralized exchange (DEX), then sending the ETH back to the original wallet.

So far, Frax (FRAX), Wrapped Ether (WETH), Aave (AAVE), Sushi (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (WBTC), and USD Coin (USDC) have been stolen from the bridge through this exploit.

The Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin. Harmony, the operator of the bridge, announced late on June 23 that the bridge has been halted. It said the BTC bridge and its assets have not been affected by the attack.

The Harmony One team also said it was working with “national authorities and forensic specialists” to determine who is responsible. A post-mortem is sure to follow.

The developers and Harmony One co-founder Nick White did not respond to requests for comment. Harmony One is a layer-1 blockchain using proof-of-stake consensus. Its native token is ONE.

Concerns have previously been expressed as to the soundness of Horizon’s multisig wallet on Ethereum, which only required two out of the four signees to drain the funds. Ape Dev, a founder of the crypto-focused venture fund Chainstride Capital, noted on Twitter on April 2 that the low number of required signers would leave the bridge open for “another 9 figure hack.”

Ape Dev’s prediction appears to have become a reality as the bridge is now down $100 million in assets.

He is far from the only developer in crypto to have qualms with the security of token bridges.

Vitalik Buterin discussed the issues with token bridges in a Reddit post this January. He posited that when bridges get exploited, it threatens the liquidity on each chain affected. He added that as the number of token bridges increases, the threat of a 51% attack on one chain could present greater contagion risk to others.

Since his prediction, Meter’s token bridge, Axie Infinity’s Ronin Bridge and the Wormhole Bridge were exploited for a combined total of nearly $1 billion.

Multisigs are an ongoing security issue in attacks. The Ronin Bridge was secured by nine validators, only five of which were required to verify a transaction. The attacker took control of the required five validators and extracted over $600 million in assets.


The market does not yet appear to have responded to the attack as prices of all the coins and tokens in question have not made a significant move. However, ONE has dropped 7.4% over the past 24 hours, with most of the fall coming in the past 5 hours. It is trading at $0.024 according to CoinGecko.
