Blockchain bridges have become a prime target for hackers seeking to exploit vulnerabilities in the world of decentralized finance.
The Harmony blockchain platform team reported an attack on the Horizon cross-chain bridge in which an attacker stole about $100 million in assets.
Horizon is a cross-chain bridge between the Harmony blockchain and the Bitcoin, Ethereum, and Binance Chain networks.
Harmony representatives have suspended Horizon. They also said they launched an investigation with law enforcement, including the FBI, and notified cryptocurrency exchanges about the situation.
The team said the incident did not affect the trustless bridge for Bitcoin: all funds are safe in decentralized vaults.
CertiK analysts reported that the attacker “somehow” managed to gain control of the MultiSigWallet. This allowed the attacker to transfer a large number of tokens from the bridge to Harmony.
Amid the hack, the Harmony ($ONE) token fell 9.4% overnight. As of this writing, its value is about $0.024, according to CoinGecko.
The Harmony project emerged in May 2019 through an IEO on Binance Launchpad. It is a Layer 2 blockchain that maintains a balance between scalability and decentralization. Harmony uses its own bridges (cross chains) to work with different blockchains. Such protocols are still at an early stage of development, so they are often targeted by hackers.
In April of this year, the founder of Chainstride Capital, known as @_apedev, had already pointed out vulnerabilities in the Horizon bridge. He conducted research and found that its security rests on a multisignature wallet that has four owners. However, the signatures of only two of those owners are needed to perform an arbitrary transaction.
Multi-signature wallets for bridge management remain the weak link of crypto-protocols because they do not require the signatures of all owners to make a transaction.
Bridges “maintain large stores of liquidity,” making them a “tempting target for hackers,” according to Jess Symington, research lead at blockchain analysis firm Elliptic.
“In order for individuals to use bridges to move their funds, assets are locked on one blockchain and unlocked, or minted, on another,” Symington said. “As a result, these services hold large volumes of crypto assets.”
Recall that in February, hackers withdrew more than $319 million from the Solana-based Wormhole cross-chain bridge pool and stole about $4.3 million in bitcoin and Ethereum from the DeFi company Meter.
In March, an attacker stole about $625 million worth of crypto-assets in an attack on the Ronin sidechain.
Ethereum founder Vitalik Buterin previously said he was “pessimistic” about cross-chain bridges. In his opinion, such bridges are vulnerable to 51% attacks.