Analysis of the Harmony Horizon bridge's $100 million loss
0x01 Event background
On June 24, 2022, Horizon, the cross-chain asset bridge between Ethereum and Harmony developed by the Layer 1 public chain Harmony, was attacked, with a loss of about $100 million.
0x02 Attacker information
· Attacker wallet
0x0d043128146654C7683Fbf30ac98D7B2285DeD00
0x9E91ae672E7f7330Fc6B9bAb9C259BD94Cd08715
0x58f4baccb411acef70a5f6dd174af7854fc48fa9
· MultiSigWallet
0x715cdda5e9ad30a0ced14940f9997ee611496de6
· EthManager
0xF9Fb1c508Ff49F78b60d3A96dea99Fa5d7F3A8A6
0x03 Attack Analysis
The contract call flow by which the attacker obtained 13,100 ETH (on Ethereum) and 5,000 BNB (on BSC) is the same on both chains. This article mainly analyzes these two transactions.
The two transactions are:
https://etherscan.io/tx/0x27981c7289c372e601c9475e5b5466310be18ed10b59d1ac840145f6e7804c97
https://bscscan.com/tx/0xa72c7262340c25b9258b33dcad089cb3473ed048d1f808f436a96b8ed577cdb1
The call flow of the two transactions is as follows:
First step
The address 0xf845a7ee8477ad1fb4446651e548901a2635a915 calls the addTransaction method of the MultiSigWallet contract to add a new transaction (a call to EthManager that unlocks funds to the attacker) to the transaction map.
Second step
The address 0x812d8622c6f3c45959439e7ede3c580da06f8f25 calls the confirmTransaction method of the MultiSigWallet contract, passing in the id of the transaction added in the first step.
Note: confirmTransaction can only be called by a wallet owner (administrator). Analysis shows that the owners are the addresses fixed when the contract was deployed. The contract deployment transaction is as follows:
Both of the above steps were therefore performed from owner addresses, i.e. with owner private keys.
Third step
confirmTransaction ends by calling executeTransaction, which calls isConfirmed to check the transaction.
isConfirmed compares the number of owner confirmations with the wallet's required value; here required is 2, so the confirmations of two owners are enough for the transaction to pass.
executeTransaction then performs the stored call to the unlockEth method of the EthManager contract, and the ETH/BNB is sent to the attacker's wallet.
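The three steps above, replayed as an added example (this is not code from the original article or from Harmony/Horizon). It is a minimal Python model of the MultiSigWallet semantics the analysis relies on: a fixed owner set, a `required` threshold, per-transaction confirmations, and executeTransaction running the stored EthManager.unlockEth call as soon as isConfirmed is true. The addresses taken from this article are marked as such; the three extra owners, the locked balance, the simplified unlockEth arguments, the snake_case method names, and the Gnosis-style rule that submitting a transaction also counts as the submitter's confirmation are assumptions of the model. Running the same two owner calls with `required` raised to 3 shows why the summary's recommendation to raise the threshold would have blocked this pair of keys.

```python
# Added example: not code from the original article or from Harmony/Horizon. A minimal
# Python model of the MultiSigWallet flow described above (addTransaction -> confirmTransaction
# -> isConfirmed -> executeTransaction -> EthManager.unlockEth). Addresses marked (article)
# come from the analysis; the extra owners, the balance, the simplified unlockEth arguments,
# the snake_case method names and "submit counts as a confirmation" are constructed assumptions.
from dataclasses import dataclass

MULTISIG = "0x715cdda5e9ad30a0ced14940f9997ee611496de6"     # MultiSigWallet (article)
ETH_MANAGER = "0xF9Fb1c508Ff49F78b60d3A96dea99Fa5d7F3A8A6"  # EthManager (article)
ATTACKER = "0x0d043128146654C7683Fbf30ac98D7B2285DeD00"     # attacker wallet (article)
OWNER_A = "0xf845a7ee8477ad1fb4446651e548901a2635a915"      # owner that added the tx (article)
OWNER_B = "0x812d8622c6f3c45959439e7ede3c580da06f8f25"      # owner that confirmed it (article)
OTHER_OWNERS = ["0x%040x" % i for i in (1, 2, 3)]            # hypothetical uncompromised owners
STOLEN_WEI = 13_100 * 10**18                                 # 13,100 ETH (article)


@dataclass
class Transaction:
    destination: str
    data: tuple              # (method_name, *args): stands in for the ABI-encoded call data
    executed: bool = False


class EthManager:
    """Stand-in for the bridge's EthManager: unlockEth pays out bridged ETH and only the
    multisig wallet address may call it."""
    def __init__(self, wallet, balance):
        self.wallet = wallet.lower()
        self.balance = balance

    def unlock_eth(self, caller, amount, recipient):
        if caller.lower() != self.wallet:
            raise PermissionError("onlyWallet")
        if amount > self.balance:
            raise ValueError("insufficient locked ETH")
        self.balance -= amount
        return recipient


class MultiSigWallet:
    """The MultiSigWallet semantics that matter here: an owner set fixed at deployment,
    a `required` threshold, per-transaction confirmations, execution once isConfirmed()."""
    def __init__(self, address, owners, required, contracts):
        assert 0 < required <= len(owners), "validRequirement"
        self.address = address
        self.owners = {o.lower() for o in owners}
        self.required = required
        self.contracts = {a.lower(): c for a, c in contracts.items()}
        self.transactions = {}       # tx_id -> Transaction
        self.confirmations = {}      # tx_id -> set of confirming owners

    def _owner_exists(self, sender):
        if sender.lower() not in self.owners:
            raise PermissionError("ownerExists")

    def add_transaction(self, destination, data):
        tx_id = len(self.transactions)
        self.transactions[tx_id] = Transaction(destination, data)
        self.confirmations[tx_id] = set()
        return tx_id

    def submit_transaction(self, sender, destination, data):
        # First step: an owner adds the transaction, which also counts as its confirmation.
        self._owner_exists(sender)
        tx_id = self.add_transaction(destination, data)
        self.confirm_transaction(sender, tx_id)
        return tx_id

    def confirm_transaction(self, sender, tx_id):
        # Second step: another owner confirms by id; execution is attempted right away.
        self._owner_exists(sender)
        if tx_id not in self.transactions:
            raise KeyError("transactionExists")
        if sender.lower() in self.confirmations[tx_id]:
            raise ValueError("notConfirmed")
        self.confirmations[tx_id].add(sender.lower())
        return self.execute_transaction(sender, tx_id)

    def is_confirmed(self, tx_id):
        return len(self.confirmations[tx_id]) >= self.required

    def execute_transaction(self, sender, tx_id):
        # Third step: the stored call runs only once `required` owners have confirmed.
        self._owner_exists(sender)
        tx = self.transactions[tx_id]
        if tx.executed or not self.is_confirmed(tx_id):
            return False
        tx.executed = True
        method, *args = tx.data
        getattr(self.contracts[tx.destination.lower()], method)(self.address, *args)
        return True


def replay(required):
    """Replay the attacker's two owner calls against a 5-owner wallet with this threshold.
    Returns (executed, wei still locked in the manager)."""
    manager = EthManager(MULTISIG, STOLEN_WEI)
    wallet = MultiSigWallet(MULTISIG, [OWNER_A, OWNER_B, *OTHER_OWNERS], required,
                            {ETH_MANAGER: manager})
    tx_id = wallet.submit_transaction(OWNER_A, ETH_MANAGER, ("unlock_eth", STOLEN_WEI, ATTACKER))
    return wallet.confirm_transaction(OWNER_B, tx_id), manager.balance


if __name__ == "__main__":
    print("required = 2, two owner keys compromised:", replay(2))   # (True, 0): drained
    print("required = 3, two owner keys compromised:", replay(3))   # (False, STOLEN_WEI): blocked
```

With `required` at 2 the second confirmation immediately executes the stored unlockEth call and the manager's balance drops to zero; with the same two keys and `required` at 3, isConfirmed stays false and nothing is paid out. Note that the wallet never checks what the transaction does, only who confirmed it, which is why compromised owner keys are sufficient.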
0x05 Capital flows
Tokens stolen by the attacker on the Ethereum chain:
13,100 Ether
41,200,000 USDC
592 WBTC
9,981,000 USDT
6,070,000 DAI
5,530,000 BUSD
84,620,000 AAG
110,000 FXS
415,000 SUSHI
990 AAVE
43 WETH
5,620,000 FRAX
The attacker converted part of the ERC-20 tokens obtained into Ether through a series of swap transactions.
Tokens stolen by the attacker on the BSC chain:
5,000 BNB
640,000 BUSD
The attacker's combined take across both chains was about $100 million.
0x06 summary
From the above attack, the attack method was to take control of the private keys of owner wallets of the multi-signature contract. Since a fund transfer only required the consent of two addresses, once the attacker controlled the private keys of two owner wallets, the attacker's cross-chain transfer transaction was approved and the funds were stolen.
· It is recommended to raise the number of signatures required for a fund transfer (the multi-signature threshold), so that controlling the private keys of a small number of addresses is not enough to move funds;
· It is recommended to store the private keys of the multi-signature owner addresses securely, and to avoid keeping them in the cloud or on a vulnerable server.