Harmony’s Horizon Bridge Hack

Matthew Barrett
Published in Harmony
6 min read · Jun 24, 2022


This article will be updated throughout the investigation. Return here for additional updates as information continues to become available.

[July 14,2022]

Update #9, 3:05pm PST

The team remains focused on finalizing the details of the plans, but it has taken longer than anticipated. They will be given to the community ASAP, once they are ready.

The strategies that we expect to present to the community must be reviewed by our partners and legal teams; we believe it is critical to the success of the path to have our partners on board with the plan.

The plan will propose multiple options to the approximately 50K wallets that were impacted. These potential strategies will then be put forward to a community vote.

We expect these plans to be available in approximately two weeks, but this can change depending upon feedback from the legal team as well as from partners.

[July 1st, 2022]

Update #8: 5:21pm PST

The team is developing strategies with potential avenues to restore funds for as many bridge users as they can and will update the community about those strategies when available.

The work is not limited to this alone, but it is a priority to address users who were affected.

[June 29th, 2022]

Update #7: 7:01pm PST

The team reaffirmed to the community that the global manhunt for the criminal(s) who stole the $100 million from the Horizon Bridge is underway. All exchanges have been notified, and law enforcement as well as partners Chainalysis and AnChainAI are actively investigating the individuals involved in order to recover the stolen assets.

At this time, the Harmony team has offered one final opportunity for the individuals involved to return the assets with anonymity. The final terms are that they retain $10 million and return the remaining amount, and the team ceases the investigation. The deadline for the responsible party to initiate communication is Monday, July 4th at 23:00 GMT.

In addition to this, the team has announced a $10 million offering for information that leads to the return of stolen funds. The ETH address to return the funds to is 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac and information leading to the arrest can be e-mailed to the team at whitehat@harmony.one.

The transaction ID for the message sent to the culprit(s) is 0xa4eda32985503e91dd02c31222a5e53a6a40f55129ec86c716d6446a7186b426

[June 29th, 2022]

Update #6: 5:34pm PST

Team members are gathering wallet data and strategizing plans based on the impact that the incident has caused on users. While details of this plan are being ironed out, the team is unable to share additional information at this time.

Key members from the community have been engaged in conversations to ensure that the collective voice of the Harmony community is heard and that the sentiment is reflected in any strategy the team presents.

[June 28th, 2022]

Update #5: 5:08pm PST

The team announced that one of our highly reputable blockchain tracing and analysis partners is Chainalysis. We want to thank the Chainalysis team for their support and their work to resolve this situation.

We also want to remind our community and partners that we are working on various options for securing the ecosystem. Both of these efforts are being conducted simultaneously, and we thank everyone for their support and their patience in this matter.

[June 27th, 2022]

Update #4: 5:05pm PST

The team announced that they were aware the hacker has begun moving funds through Tornado Cash. During this process, they have been working with two highly reputable blockchain tracing and analysis partners in addition to collaborating with the FBI.

At this time, the team is exploring multiple options for users and partners as methods are explored to secure the ecosystem. Transparency is important in blockchain and we aim to be transparent with our community, but we ask the community to remain patient and to respect confidentiality during this investigation.

We will continue to update as we can, but we must protect sensitive information and not endanger the investigation. The desire to work with the hacker remains but we will continue the full investigation until resolution or the funds are returned.

[June 25th, 2022]

Update #3: 8:45pm PST

Harmony has committed to a $1 million bounty in exchange for the return of the funds. In addition, the team will advocate for no criminal charges when the funds are returned.

[June 25th, 2022]

Update #2: 8:25pm PST

Harmony Founder, Stephen Tse, updated the community regarding the current status of the investigation and provided some key insights since the start of the investigation of our Horizon bridge hack.

First and foremost, confidentiality is paramount to maintaining the integrity of this ongoing investigation. Specific details have been omitted to protect sensitive data in the interest of the community.

The incident response team has found no evidence in any breaches of our smart contract codes nor vulnerabilities on the Horizon platform. Our consensus layer of the Harmony blockchain remains secure.

Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge. The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys.

The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSD, USDC, ETH and WBTC. All assets were then swapped to ETH and currently remain on the hacker’s account on the Ethereum network. No steps have currently been taken by the hacker to anonymize ownership of these assets.

At this time, the team has mitigated the Ethereum side of the Horizon bridge to a 4-of-5 multisig since the incident and continues to enhance our operations and infrastructure security.
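The update above describes the failure mode (several signing keys decrypted by one party) and the mitigation (raising the bridge's approval threshold to 4-of-5). The following is an added illustration, not Harmony's bridge code: a toy M-of-N threshold verifier that shows how the threshold, rather than the encryption of any single key, bounds how many keys must be exposed before an unauthorized request clears approval. The five signer names, the demo keys derived from labels, the withdrawal message, and the lower "2-of-5" policy used for comparison are all constructed for this example; HMAC-SHA256 stands in for the ECDSA signature checks a real contract would perform.

```python
import hashlib
import hmac

# Constructed demo keys, derived deterministically from labels so the example is
# reproducible offline. In a real bridge these would be ECDSA keys held by
# separate operators on separate machines.
SIGNER_KEYS = {
    name: hashlib.sha256(b"constructed-demo-key:" + name.encode()).digest()
    for name in ("signer1", "signer2", "signer3", "signer4", "signer5")
}


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in signature: an HMAC-SHA256 tag over the request bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    """Constant-time check of a stand-in signature."""
    return hmac.compare_digest(sign(key, message), signature)


class ThresholdVerifier:
    """Approves a request only when at least `threshold` DISTINCT authorised
    signers have produced a valid signature over the exact same bytes."""

    def __init__(self, signer_keys: dict[str, bytes], threshold: int):
        if not 1 <= threshold <= len(signer_keys):
            raise ValueError("threshold must be between 1 and the signer count")
        self.signer_keys = dict(signer_keys)
        self.threshold = threshold

    def approve(self, message: bytes, signatures: list[tuple[str, bytes]]) -> bool:
        valid_signers: set[str] = set()
        for signer_id, signature in signatures:
            key = self.signer_keys.get(signer_id)
            if key is None:
                continue  # unknown signer: ignored, never counted
            if verify(key, message, signature):
                valid_signers.add(signer_id)  # a set, so one key counts once
        return len(valid_signers) >= self.threshold


def approves_with(held: list[str], threshold: int,
                  message: bytes = b"constructed withdrawal request #1") -> bool:
    """Would a request signed only with the listed keys clear `threshold`-of-5?
    Repeating a name models an attempt to count one exposed key several times."""
    verifier = ThresholdVerifier(SIGNER_KEYS, threshold)
    sigs = [(name, sign(SIGNER_KEYS[name], message)) for name in held]
    return verifier.approve(message, sigs)


def approves_tampered(held: list[str], threshold: int) -> bool:
    """Signatures over one message must not authorise a different message."""
    verifier = ThresholdVerifier(SIGNER_KEYS, threshold)
    signed = b"constructed withdrawal request #1"
    sigs = [(name, sign(SIGNER_KEYS[name], signed)) for name in held]
    return verifier.approve(b"constructed withdrawal request #2", sigs)


if __name__ == "__main__":
    exposed = ["signer1", "signer2"]  # two of five keys decrypted by one party
    for t in (2, 3, 4):
        print(f"{len(exposed)} keys exposed, {t}-of-5 policy: "
              f"approved={approves_with(exposed, t)}")
    print("one key repeated four times, 4-of-5:", approves_with(["signer1"] * 4, 4))
    print("signatures replayed on another request, 4-of-5:",
          approves_tampered(["signer1", "signer2", "signer3", "signer4"], 4))
```

With two keys exposed, a 2-of-5 policy (the constructed comparison case) approves the request while a 4-of-5 policy rejects it; the verifier also refuses to count one signer twice and rejects signatures that were produced over different request bytes. Doubly encrypting the keys, as the update describes, protects each key at rest; the threshold is what limits the damage once some keys are nonetheless decrypted, which is why the higher threshold is the operational mitigation reported here.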

We want to remind our community that we are in the midst of an ongoing investigation and will continue to keep each and every one of you up-to-date as we can. Thank you for your support as the investigation continues.

Stephen’s update via Twitter at 8:15pm PST.

[June 24th, 2022]

Update #1: 10:15am PST

At 10:05am PST, the team announced that they had handed their findings to our US colleagues at 8:30am PST today. The team is comprised of members across 5 timezones and continues its work at this time.

[June 23rd, 2022]

On Thursday, June 23, 2022, the Harmony Protocol team was notified of a malicious attack on our proprietary Horizon Ethereum Bridge. Beginning at 5:30 AM PST, 11 transactions compromised the bridge and extracted tokens stored in it. The estimated value at the time of the attack was approximately $100 million USD.

Immediately following the attack, multiple cyber security partners, exchange partners, and the FBI were notified and requested to assist with an investigation in identifying the culprit and methods to retrieve stolen assets. With those contacts established, Harmony announced the hack via Twitter (link below) with a description of what occurred and our next steps.

Further, the team has attempted communication with the hacker with an embedded message in a transaction to the culprit’s address (above) at approximately 5:30 PM PST.

A complete breakdown will be provided at the conclusion of this investigation.

Harmony believes that focusing on decentralized bridges is an essential step forward for Web3. This incident is a humbling and unfortunate reminder of how our work is paramount to the future of this space, and how much of our work remains ahead of us.

Ongoing investigations present a challenge of what information is allowed to be shared with the public, but we will continue to provide updates with the latest information as soon as we are able to share.

This article will be regularly updated with the latest information, and will be provided via our Twitter and other social platforms. The goal is to continue providing regular updates throughout this process to keep everyone informed.

We are working around the clock to ensure both the investigation and recovery of stolen funds are concluded in the most time efficient manner possible.

Updates will be provided at the top, to ensure readers see the most up-to-date progress on the investigation.

About Harmony

Build on Harmony, Bridge to All Chains.

Harmony is an open and fast blockchain. Our mainnet runs Ethereum applications with 2-second transaction finality and 100 times lower fees. Our secure bridges offer cross-chain transfers with Ethereum, Binance and 3 other chains.

Build on Harmony, bridge to all chains. We are an open platform for your assets, collectibles, identity and governance.

We 💙 Developers.
