The Horizon bridge to the Harmony blockchain has lost $100 million worth of altcoins to a malicious actor. Harmony announced the theft this morning via Twitter.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
Following a brief investigation, the Harmony team pinpointed the attacker’s Ethereum address. After compromising the Horizon bridge, the attacker transferred different tokens to their wallet, with the first transfer coming a little over 20 hours ago.
According to Harmony, this exploit did not impact the trustless Bitcoin (BTC) bridge. The protocol claims this bridge’s funds are stored in decentralized vaults.
Hacker is Yet to Move the Funds
The hacker stole various tokens, including Tether (USDT), USD Coin (USDC), Binance USD (BUSD), Aave (AAVE), wrapped Ethereum (wETH), and wrapped Bitcoin (wBTC), among others. Soon afterward, the attacker started swapping the tokens for Ethereum (ETH) and transferred the coins to the original address.
According to data from Etherscan, the address currently holds 85,867.25 ETH worth $99,135,461.20. Additionally, the address contains 990 AAVE worth at the time of writing. Thus far, the attacker is yet to move funds to any exchanges or privacy swap services.
The Harmony team added,
We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands on deck as investigations continue. We will keep everyone up-to-date as we investigate this further and obtain more information.
A Case of Poor Security Practices?
This attack comes after Ape Dev, the founder of MEV Monke, voiced concerns over the security of the Harmony protocol.
Ape Dev said,
So all in all, if two of the four multisig signers are compromised, we’re going to see another 9 figure hack. Considering all that’s been going on lately, it’d be interesting to hear some details from @harmonyprotocol on how these EOAs are secured.
Following the hack, Harmony’s native token, ONE, plunged more than 10% and is currently trading at $0.024.