Horizon Blockchain Bridge latest victim of cryptocurrency hack, $100 million stolen
US-based blockchain bridge Horizon, a service that connects Ethereum with the Harmony decentralized blockchain platform, is the latest project to fall victim to a crypto hack.
The blockchain bridge was hit for around $100 million in cryptocurrency when the attackers potentially exploited a signature vulnerability that external security researchers had been warning about on social media for several months. Harmony has not yet released any information about the actual cause of the breach, and the Horizon Bridge remains closed while the company rectifies the problem.
Blockchain bridge latest in a series of high-dollar attacks on Ethereum services
Harmony has several blockchain bridges to different types of currencies; the crypto hack seems to have affected only the bridge to Ethereum, which lends weight to the theory that a possible vulnerability that had been circulating on Twitter since at least early April was exploited.
While Harmony has not yet commented on exactly what caused the crypto hack, a June 23 tweet from the company published a wallet address that the hackers apparently used to process the stolen funds (which consist of a number of different types of cryptocurrency) and convert everything into Ethereum. An update from the company on June 27 indicated that the hackers had moved the stolen funds through Tornado Cash to anonymize them, and that Harmony was working with the FBI and two external security companies on an investigation into the incident. The company has also offered a bounty of $1 million with a promise of no criminal charges if the funds are returned.
The Horizon blockchain bridge was closed on June 23 as part of this investigation and will remain down while it continues. The company publishes updates on the situation via Twitter.
The incident follows the biggest attack to date on a decentralized finance platform (and one of the largest cryptocurrency thefts in history), the $600 million March theft from the popular NFT game Axie Infinity. There has been a clear trend of attacks on defi services over the past year, with a growing perception that they have lax security and are open to both code-based exploitation and social engineering approaches. An attack on the Wormhole Bridge in February resulted in $325 million in stolen funds; around $10 billion was stolen in crypto hacks from defi platforms in 2021, and some analysts estimate that this number will have grown by at least several billion more by the end of 2022.
Did the Horizon crypto hack come from a vulnerability identified on Twitter?
The potential bug in the blockchain bridge, articulated on Twitter by user “Ape Dev,” is that the entire system relies on a wallet with four owners to authorize transactions, and signatures from just two of the four owners are all that is needed to authorize a transaction. The hackers may have compromised two of these accounts in a number of ways, such as obtaining private keys by breaking a hardware security module (HSM), or finding an exploit in the validation code. There is also always the possibility that it was an inside job, or that the credentials of two of the required signing accounts were exposed in a breach elsewhere.
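The following is an added model of an m-of-n multisig authorizer, written for this article and not code from Harmony or the Horizon bridge. It shows the point made above: with a 2-of-4 quorum, an attacker who holds any two owner keys can move everything the wallet holds, while raising the threshold to 3 leaves the same two compromised keys useless. It also carries two defensive checks a reviewer of such a wallet would want: a policy finding when the threshold is a minority of the owners, and an alert when a large transfer is approved by exactly the minimum quorum. Everything here is constructed: the owner names, the placeholder destination address, the amounts, and the use of HMAC tags as a stand-in for on-chain signature verification (a real wallet verifies ECDSA or Ed25519 signatures against public keys; the symmetric stand-in only keeps the example dependency-free).

```python
"""Constructed m-of-n multisig model (not Harmony's code).
HMAC tags stand in for on-chain signatures so the example runs offline."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Transfer:
    nonce: int           # replay protection: each nonce may be authorized once
    destination: str     # placeholder address, constructed for this example
    amount: int          # constructed units standing in for bridge liquidity


def transfer_digest(tx: Transfer) -> bytes:
    """Canonical hash of the transfer, the value each owner actually signs."""
    return hashlib.sha256(json.dumps(asdict(tx), sort_keys=True).encode()).digest()


class Owner:
    """One multisig owner. In production the secret lives in an HSM or hardware wallet."""

    def __init__(self, owner_id: str) -> None:
        self.owner_id = owner_id
        self._secret = secrets.token_bytes(32)

    def verifier_key(self) -> bytes:
        # Toy: HMAC is symmetric, so the wallet holds the same key. A real scheme
        # would register only the owner's public key here.
        return self._secret

    def sign(self, tx: Transfer) -> tuple[str, bytes]:
        return self.owner_id, hmac.new(self._secret, transfer_digest(tx), "sha256").digest()


class MultisigWallet:
    def __init__(self, verifier_keys: dict[str, bytes], threshold: int) -> None:
        if not 1 <= threshold <= len(verifier_keys):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.keys = dict(verifier_keys)
        self.threshold = threshold
        self.used_nonces: set[int] = set()

    def valid_signers(self, tx: Transfer, signatures: list[tuple[str, bytes]]) -> set[str]:
        """Distinct owners whose tag verifies; one key signing twice still counts once."""
        digest = transfer_digest(tx)
        good: set[str] = set()
        for owner_id, tag in signatures:
            key = self.keys.get(owner_id)
            if key is None:
                continue
            if hmac.compare_digest(hmac.new(key, digest, "sha256").digest(), tag):
                good.add(owner_id)
        return good

    def authorize(self, tx: Transfer, signatures: list[tuple[str, bytes]]) -> bool:
        """True only if the transfer is fresh and at least `threshold` distinct owners signed."""
        if tx.nonce in self.used_nonces:
            return False
        if len(self.valid_signers(tx, signatures)) < self.threshold:
            return False
        self.used_nonces.add(tx.nonce)
        return True


def quorum_findings(n_owners: int, threshold: int) -> list[str]:
    """Policy review of the quorum itself: a minority threshold means a minority of keys drains the wallet."""
    findings: list[str] = []
    if threshold <= n_owners // 2:
        findings.append(f"{threshold}-of-{n_owners}: compromising {threshold} key(s) "
                        f"is enough to authorize any transfer")
    return findings


def minimal_quorum_alert(wallet: MultisigWallet, tx: Transfer,
                         signatures: list[tuple[str, bytes]], large_amount: int) -> bool:
    """Detection heuristic: a large transfer approved by exactly the minimum number of signers."""
    return tx.amount >= large_amount and len(wallet.valid_signers(tx, signatures)) == wallet.threshold


def demo() -> dict[str, object]:
    owners = [Owner(f"owner{i}") for i in range(4)]              # four owners, as in the text
    keys = {o.owner_id: o.verifier_key() for o in owners}
    tx = Transfer(nonce=1, destination="0xPLACEHOLDER_DESTINATION", amount=100_000_000)
    two_compromised = [owners[0].sign(tx), owners[1].sign(tx)]  # attacker holds two keys
    one_key_twice = [owners[0].sign(tx), owners[0].sign(tx)]    # same key replayed twice
    weak, strong = MultisigWallet(keys, threshold=2), MultisigWallet(keys, threshold=3)
    return {
        "drained_at_2_of_4": weak.authorize(tx, two_compromised),
        "replay_rejected": weak.authorize(tx, two_compromised),
        "duplicate_signer_rejected": MultisigWallet(keys, 2).authorize(tx, one_key_twice),
        "blocked_at_3_of_4": strong.authorize(tx, two_compromised),
        "policy_findings_2_of_4": quorum_findings(4, 2),
        "policy_findings_3_of_4": quorum_findings(4, 3),
        "large_min_quorum_alert": minimal_quorum_alert(MultisigWallet(keys, 2), tx,
                                                       two_compromised, large_amount=10_000_000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replay and duplicate-signer checks are there because a quorum count that does not deduplicate signers or track nonces is weaker than its advertised m-of-n; the `minimal_quorum_alert` heuristic is the kind of signal a monitoring team could page on, since a legitimate operator moving a large sum can usually gather more than the bare minimum of approvals.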
Defi has generally become a popular target for crypto hacking because of its large number of security weaknesses, but blockchain bridges are of particular interest to attackers because they hold significant amounts of crypto token liquidity to facilitate transfers of funds across chains. Attackers can go directly after these funds and disappear quickly, as happened in this case.
The series of defi crypto hacks in recent months has shed light on basic security flaws throughout the business. These platforms are not subject to regulation, do not need to give users transparency about how funds and protocols are secured, and are not held to strict security standards by anything other than the possibility of losing a large sum of money in a breach. Defi platforms that fall victim to a hack or scam are often reduced to offering a “bounty” of the kind Harmony is offering to recover the stolen funds, a strategy that has been shown to rarely work.
Harmony’s own ONE token fell 12% in the immediate aftermath of the news of the breach, and has continued on a slight downward trend since. The token had already struggled with the general cryptocurrency crash in recent months, and is currently down to $0.0228 from a peak value of $0.38 in early January.
Blockchain bridges will almost certainly remain popular targets for crypto hackers until, at a minimum, the industry switches to better standard trust models and invites reputable third-party security audits. Nick Percoco, Chief Security Officer at Kraken, elaborates on what will be needed in the future if defi platforms are to shake off their reputation as a risky place to park funds and assets: “a mindset with certainty first and remain alert. Criminals are constantly searching for new attack vectors and vulnerabilities, which means that security protocols must be invested in and updated consistently. We expect that the spotlight on this incident will focus the minds of cybersecurity teams across the blockchain ecosystem and will result in more robust protocols going forward.”