United States-based blockchain bridge Horizon, a service that links Ethereum with the Harmony decentralized blockchain platform, is the latest project to fall victim to a crypto hack.
The blockchain bridge was hit for about $100 million in cryptocurrency, and the attackers may have exploited a weakness in the bridge's multisignature authorization scheme that outside security researchers had been warning about on social media for months. Harmony has not yet released any information about the actual cause of the breach, and the Horizon bridge remains closed while the company remediates the issue.
Blockchain bridge latest in string of high-dollar attacks on Ethereum services
Harmony operates multiple blockchain bridges to different chains and asset types; the crypto hack appears to have impacted only the Ethereum bridge, lending some credence to the theory that a weakness circulating on Twitter since at least early April was exploited.
While Harmony has yet to comment on exactly what caused the crypto hack, a June 23 tweet from the company identified a wallet address that the hackers apparently used to collect the stolen funds (made up of a variety of crypto asset types) and convert everything to ether (ETH). A June 27 update from the company indicated that the hackers were moving the stolen funds through the Tornado Cash mixer to obscure their trail, and that Harmony was working with the FBI and two outside security firms on an investigation of the incident. The company has also offered a $1 million bounty with a promise of no criminal charges if the funds are returned.
The Horizon blockchain bridge was closed on June 23 as part of this investigation and remains down as it proceeds. The company is issuing updates on the situation via Twitter.
The incident follows the biggest attack to date on a decentralized finance platform (and one of the largest crypto thefts in history), the March theft of roughly $600 million from the Ronin bridge used by the popular NFT game Axie Infinity. There has been something of a trend of attacks on defi services in the past year, with a growing perception that they have lax security and are open to both code-based exploits and social engineering. A February attack on the Wormhole bridge netted $325 million in stolen funds; about $10 billion was stolen in crypto hacks of defi platforms in 2021, and some analysts project that figure to grow by at least several billion more by the end of 2022.
Did the Horizon crypto hack stem from a vulnerability identified on Twitter?
The potential flaw in the blockchain bridge, articulated on Twitter by user “Ape Dev,” is that withdrawals from the entire system are authorized by a single multisignature wallet with four owners, of which only two need to sign. Any attacker who controls two of those four keys can therefore authorize arbitrary transfers, and the contract has no way to tell a compromised signer from a legitimate one. The crypto hackers may have obtained two of the keys through a variety of means, such as extracting private keys by breaching a hardware security module (HSM), or finding an exploit in the validation code. There is also always the possibility of an inside job, or of the credentials to two of the signing accounts having been exposed in a breach elsewhere.
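To make the threshold model concrete, here is an added example that is not Harmony's code and not taken from the tweet: a constructed M-of-N withdrawal gate of the kind described above. Ed25519 stands in for the secp256k1 ECDSA keys an Ethereum multisig contract would actually check, and the owner set, threshold, withdrawal format and attacker address are all assumptions. It shows that a 2-of-4 gate admits a drain signed by two stolen keys, that raising the threshold to three stops the same attacker, and that padding a request with repeated signatures from one key must not count toward the threshold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed model of an M-of-N multisig withdrawal gate, not Harmony's
// code. Ed25519 stands in for the ECDSA keys a real Ethereum multisig
// contract would verify.

// Owner holds one signer's key pair.
type Owner struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// Withdrawal is the message the owners authorize.
type Withdrawal struct {
	Recipient string
	Amount    uint64
	Nonce     uint64 // prevents replaying an already-approved withdrawal
}

// digest is the canonical byte string that gets signed.
func (w Withdrawal) digest() []byte {
	h := sha256.New()
	h.Write([]byte(w.Recipient))
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], w.Amount)
	h.Write(buf[:])
	binary.BigEndian.PutUint64(buf[:], w.Nonce)
	h.Write(buf[:])
	return h.Sum(nil)
}

// Signature pairs an owner index with that owner's signature over the digest.
type Signature struct {
	Signer int
	Sig    []byte
}

// Multisig is the gate: Threshold distinct Owners must sign a withdrawal.
type Multisig struct {
	Owners    []ed25519.PublicKey
	Threshold int
}

// Authorize reports whether sigs contains valid signatures from at least
// Threshold distinct owners. An unknown or repeated signer index, or a bad
// signature, contributes nothing toward the threshold.
func (m Multisig) Authorize(w Withdrawal, sigs []Signature) bool {
	msg := w.digest()
	approved := make(map[int]bool)
	for _, s := range sigs {
		if s.Signer < 0 || s.Signer >= len(m.Owners) || approved[s.Signer] {
			continue
		}
		if ed25519.Verify(m.Owners[s.Signer], msg, s.Sig) {
			approved[s.Signer] = true
		}
	}
	return len(approved) >= m.Threshold
}

// NewOwners generates n fresh key pairs.
func NewOwners(n int) []Owner {
	owners := make([]Owner, n)
	for i := range owners {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		owners[i] = Owner{Pub: pub, Priv: priv}
	}
	return owners
}

// Sign produces owner idx's signature over w.
func Sign(o Owner, idx int, w Withdrawal) Signature {
	return Signature{Signer: idx, Sig: ed25519.Sign(o.Priv, w.digest())}
}

// DrainAttempt models an attacker who has stolen the first `stolen` of four
// owner keys and tries to move the bridge's liquidity to an assumed attacker
// address. It returns true if a gate with the given threshold lets it through.
func DrainAttempt(stolen, threshold int) bool {
	owners := NewOwners(4)
	pubs := make([]ed25519.PublicKey, len(owners))
	for i, o := range owners {
		pubs[i] = o.Pub
	}
	gate := Multisig{Owners: pubs, Threshold: threshold}
	drain := Withdrawal{Recipient: "attacker-address", Amount: 100_000_000, Nonce: 1}
	var sigs []Signature
	for i := 0; i < stolen; i++ {
		sigs = append(sigs, Sign(owners[i], i, drain))
	}
	// Padding with a second signature from an already-used key must not help.
	if stolen > 0 {
		sigs = append(sigs, Sign(owners[0], 0, drain))
	}
	return gate.Authorize(drain, sigs)
}

func main() {
	fmt.Println("2 stolen keys, 2-of-4 gate:", DrainAttempt(2, 2)) // true
	fmt.Println("2 stolen keys, 3-of-4 gate:", DrainAttempt(2, 3)) // false
	fmt.Println("1 stolen key, padded, 2-of-4 gate:", DrainAttempt(1, 2)) // false
}
```

The point of the duplicate check in Authorize is that the threshold only means anything if it counts distinct keys; a gate that counts signatures rather than signers is effectively 1-of-N. Raising the threshold does not change the fundamental problem the tweet raised, that the security of the whole bridge reduces to the custody of a small number of private keys, but it does raise the number of independent compromises an attacker needs.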
Defi in general has become a popular target for crypto hacks after a long string of security lapses, but blockchain bridges are of particular interest to attackers because they hold substantial pools of token liquidity to facilitate cross-chain transfers of funds. Attackers who get past the authorization layer can tap directly into these pools and abscond quickly, as happened in this case.
The string of defi crypto hacks in recent months has cast a light on fundamental security shortcomings across the sector. These platforms are not subject to regulation, do not have to provide transparency to users about how funds and protocols are secured, and are not held to exacting security standards by anything other than the possibility of losing a large amount of money to a breach. Defi platforms that fall victim to a hack or scam are often reduced to offering a “bounty” of the sort Harmony is offering in hopes of recovering the stolen funds, a strategy that rarely works.
Harmony’s own ONE token dropped 12% in the immediate wake of news of the breach and has continued on a slight downward trend since. The token had already been struggling with the general crash in crypto of recent months, currently down to $0.0228 from a peak of $0.38 in early January.
Blockchain bridges will almost certainly remain popular targets for crypto hackers until, at minimum, the industry moves to trustless designs that do not hinge on a handful of private keys and invites reputable third-party security audits. Nick Percoco, Chief Security Officer of Kraken, expands on what will be needed going forward if defi platforms are to shake their reputation as a risky place to park funds and assets: “High profile attacks, such as this one, continue to reinforce the importance of the broader crypto ecosystem prioritizing a security-first mindset and remaining vigilant. Criminals constantly search for new attack vectors and vulnerabilities, which means that security protocols need to be consistently invested in and updated. We anticipate the spotlight on this event will focus the minds of cyber security teams across the blockchain ecosystem and will result in more robust protocols moving forward.”