100 Million Dollars Stolen — Harmony Horizon Bridge Hacked

The Ethereum bridge on Harmony ONE was hacked on the 23rd of June, and the hacker stole over 100 million dollars.

by Percy Bolmér, July 5, 2022


One important aspect of a successful blockchain network is having a bridge. If you don’t know what a bridge is, it is a way to have your assets from one blockchain network appear on another blockchain network.

Imagine that you have 1 Ethereum, but you want to use the Harmony network. You can then “bridge” that 1 Ethereum and receive the equivalent 1ETH token on Harmony. You now have a token that has the same value as Ethereum. This is possible because the token can be swapped back to Ethereum on the Ethereum blockchain at a 1:1 rate. This is a very common practice used by different blockchains to make it easier to transfer your funds between them.

On the 23rd of June, the Harmony Horizon bridge got hacked. The Horizon bridge held all real Ethereum, USDC, DAI, and a few other tokens.

The tweet that Harmony let out announcing that the hack has taken place

The hacker managed to get access to the Bridge, even though the bridge was secured by a MultiSig wallet. He proceeded with moving all the real tokens to his own wallet, which can be located at 0x0d043128146654c7683fbf30ac98d7b2285ded00.

If you visit the wallet now, a few days later, you will see that there is no money left. He has managed to launder all the money using Tornado.

Since the hacker stole all the tokens with real value, the users on Harmony were left with 1ETH or 1USDC that could not be swapped back for their true native tokens. Because the bridge no longer holds the backing Ethereum, for instance, users cannot switch their 1ETH back to Ethereum. This causes the price of the bridged tokens to depeg.

Depegging is the term used to explain that a token no longer holds its real value. For instance, you can buy 1USDC for $0.13 today, but it should be worth $1.

How Did The Hacker Pull It Off?

The Horizon bridge was using multisig, which means you need multiple signatures to perform any transaction. However, the multisig was configured badly, and the hacker only needed to get access to 2 signatures to proceed with the hack.

Investors are very upset, especially since the risk of using 2 signatures had been raised to the team months ago.
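The weakness described above, a multisig that only needs 2 signatures, can be checked for mechanically. The following is an added example, not code from Harmony or from the original article: it audits an m-of-n signing policy for a low threshold and for keys that share a custody location. The key names, custody labels, signer count, and the policy minimum of 3 are assumptions.

```python
from collections import Counter

def min_breaches(custody_by_key, threshold):
    """Fewest custody domains to compromise to collect `threshold` keys."""
    if not 1 <= threshold <= len(custody_by_key):
        raise ValueError("threshold must be between 1 and the number of keys")
    collected = 0
    # Greedy is optimal here: each domain yields a fixed number of keys,
    # so taking the largest domains first reaches the threshold soonest.
    domains = Counter(custody_by_key.values()).most_common()
    for breaches, (_domain, keys) in enumerate(domains, start=1):
        collected += keys
        if collected >= threshold:
            return breaches

def audit(custody_by_key, threshold, min_threshold=3):
    """Return a list of findings; an empty list means the policy passed."""
    n = len(custody_by_key)
    findings = []
    if threshold < min_threshold:  # assumed policy minimum, not from the article
        findings.append(f"threshold {threshold} is below policy minimum {min_threshold}")
    if 2 * threshold <= n:
        findings.append(f"{threshold}-of-{n} is not a majority of signers")
    breaches = min_breaches(custody_by_key, threshold)
    if breaches < threshold:
        findings.append(f"{breaches} custody breach(es) yield {threshold} signatures")
    return findings

# Constructed sample policies (hypothetical key names and custody labels).
WEAK = {"key-a": "ops-server", "key-b": "ops-server", "key-c": "laptop-1",
        "key-d": "hsm-1", "key-e": "hsm-2"}
HARDENED = {"key-a": "hsm-1", "key-b": "hsm-2", "key-c": "hsm-3",
            "key-d": "hsm-4", "key-e": "hsm-5"}

if __name__ == "__main__":
    for name, policy, m in (("weak", WEAK, 2), ("hardened", HARDENED, 4)):
        print(name, audit(policy, m) or "no findings")
```

The third check matters even when the threshold looks adequate: two keys held in the same place count as one compromise, whatever the signature count says.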

How the hacker obtained the two keys has not yet been confirmed. The Harmony team has, however, stated on Twitter that it is most likely social engineering at play.

Many users on Discord seem to think that an inside job is highly likely.

What Happens With Harmony Now?

Harmony gave the hacker until yesterday (the 4th of July) to return the funds in exchange for a 10 million bounty. However, the hacker has instead stolen the whole 100%.

Harmony is working with authorities to locate the hacker, but nobody believes that the funds will be recovered.

Harmony has mentioned that they are looking at options on how to restore the value (repeg) of the tokens. One option could be an angel investor or venture capitalist stepping in with the 100 million.

This has happened before: the last hack on Avalanche for a 600M value was rescued by an investor stepping in with the money.

Harmony seems to be in lockdown. There is very little communication coming out to the investors, and many validators have started to unstake their ONE. The network is experiencing a very high number of arbing bots, which forced Harmony to further increase gas prices.

Most projects have come up with an escape plan to other blockchains, and some have already moved their liquidity. Some people claim that Harmony is done for, others think it will come out stronger on the other side.

As always in crypto, it is impossible to tell. I’ve seen people buying a ton of 1USDC, hoping that it will repeg, making them 9x their money.

I think Harmony will take devastating blows. There was already a small number of projects available, and seeing them flee is not good. However, I believe the chain will survive and am performing bounties for them still.
