Harmony Protocol’s Multi-Sig Wallet Compromised in $100 Million Heist

The Harmony blockchain's Horizon cross-chain bridge has been hacked, resulting in the theft of approximately US$100 million worth of assets.

The Harmony team says it has identified the hacker’s wallet and is now working closely with security partners, forensic specialists and law enforcement to recover the lost assets.

During the attack – which occurred on the morning of June 23, US time – the hacker was able to steal a variety of assets including BUSD, USDC, ETH and wBTC, which have all since been swapped for ETH and remain in the hacker’s accounts on the Ethereum blockchain.

Hack Exploited Multi-Sig Wallet

According to Harmony founder and CEO Stephen Tse, the hack on the Horizon bridge wasn't due to vulnerabilities in the smart contract code. In a statement released in the days following the attack, Tse said the attacker had compromised several of the private keys used to sign transactions on the multi-signature wallet that controls the assets stored in the bridge:


The incident response team has found no evidence in any breaches of our smart contract codes nor vulnerabilities on the Horizon platform. Our consensus layer of the Harmony blockchain remains secure.

Stephen Tse, founder and CEO, Harmony

Tse added: “Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge. The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys.” 

Before the hack, the multi-sig wallet controlling the assets in the Horizon bridge required only two of its four private keys to sign a transaction, so an attacker who obtained any two of those keys could move everything the bridge held. Since the attack, Tse has tweeted that the multi-sig wallet has been hardened to require four of five private keys to sign any transaction.
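To make the threshold point concrete, the following is an added example written for this article; it is not Harmony's code and not the Horizon bridge's actual contract. It models an M-of-N wallet in Python and runs a "key-compromise drill": how many signer keys an attacker must hold before a transfer is authorised under 2-of-4 versus 4-of-5. HMAC-SHA256 stands in for ECDSA so the example runs on the standard library alone (a real Ethereum multisig stores only signer addresses and recovers the signer with ecrecover); the wallet name, the `0xattacker` destination and the amount are constructed sample values.

```python
"""M-of-N threshold check for a bridge multisig, plus a key-compromise drill.

Added illustration, not Harmony/Horizon code. HMAC-SHA256 is a stand-in for
ECDSA so this runs offline on the standard library; the verification rules
(authorised signer, distinct signers, threshold, nonce) are what matter.
"""
import hashlib
import hmac
import secrets


def keygen():
    """Return (signer_id, secret). signer_id plays the role of an address."""
    secret = secrets.token_bytes(32)
    signer_id = hashlib.sha256(b"id:" + secret).hexdigest()[:20]
    return signer_id, secret


def sign(secret: bytes, message: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 of the message under the signer's key."""
    return hmac.new(secret, message, hashlib.sha256).digest()


class Multisig:
    def __init__(self, signer_keys: dict, threshold: int):
        if not 1 <= threshold <= len(signer_keys):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signer_keys = dict(signer_keys)  # signer_id -> verification key
        self.threshold = threshold
        self.nonce = 0  # replay protection: each executed transfer consumes a nonce

    def digest(self, to: str, amount: int, nonce: int) -> bytes:
        # Bind every signature to this wallet, the destination, the amount and the nonce.
        return hashlib.sha256(f"horizon-demo|{to}|{amount}|{nonce}".encode()).digest()

    def execute(self, to: str, amount: int, signatures) -> bool:
        """signatures: list of (signer_id, sig). True iff the transfer is authorised."""
        msg = self.digest(to, amount, self.nonce)
        approved = set()  # a set, so the same signer can never be counted twice
        for signer_id, sig in signatures:
            key = self.signer_keys.get(signer_id)
            if key is None:
                continue  # not an authorised signer
            if not hmac.compare_digest(sign(key, msg), sig):
                continue  # signature does not verify for this message
            approved.add(signer_id)
        if len(approved) < self.threshold:
            return False
        self.nonce += 1  # consume the nonce only on success
        return True


def attacker_drains(wallet: Multisig, stolen: dict, to: str, amount: int) -> bool:
    """Attacker holds `stolen` (signer_id -> secret) and tries to move funds."""
    msg = wallet.digest(to, amount, wallet.nonce)
    sigs = [(sid, sign(sec, msg)) for sid, sec in stolen.items()]
    return wallet.execute(to, amount, sigs)


def drill(n_signers: int, threshold: int, compromised: int) -> bool:
    """Does compromising `compromised` of `n_signers` keys suffice under this threshold?"""
    keys = dict(keygen() for _ in range(n_signers))
    wallet = Multisig(keys, threshold)
    stolen = dict(list(keys.items())[:compromised])
    return attacker_drains(wallet, stolen, "0xattacker", 100_000_000)


def duplicate_signer_does_not_count() -> bool:
    """One stolen key submitted twice must not satisfy a 2-of-4 threshold."""
    keys = dict(keygen() for _ in range(4))
    wallet = Multisig(keys, 2)
    sid, sec = next(iter(keys.items()))
    sig = sign(sec, wallet.digest("0xattacker", 1, wallet.nonce))
    return wallet.execute("0xattacker", 1, [(sid, sig), (sid, sig)]) is False


def replay_rejected() -> bool:
    """A valid signature set authorises one transfer only; the nonce then moves on."""
    keys = dict(keygen() for _ in range(4))
    wallet = Multisig(keys, 2)
    stolen = dict(list(keys.items())[:2])
    msg = wallet.digest("0xattacker", 5, wallet.nonce)
    sigs = [(sid, sign(sec, msg)) for sid, sec in stolen.items()]
    first = wallet.execute("0xattacker", 5, sigs)
    second = wallet.execute("0xattacker", 5, sigs)  # nonce advanced, same sigs no longer bind
    return first and not second


if __name__ == "__main__":
    print("2-of-4, two keys stolen  -> drained:", drill(4, 2, 2))
    print("2-of-4, one key stolen   -> drained:", drill(4, 2, 1))
    print("4-of-5, two keys stolen  -> drained:", drill(5, 4, 2))
    print("4-of-5, four keys stolen -> drained:", drill(5, 4, 4))
```

The drill shows the threshold as the attacker's key budget: with 2-of-4, two compromised keys are enough, which matches the account of the attack; with 4-of-5, the same two keys authorise nothing. The set of approved signers and the nonce are the two checks most often botched in hand-rolled multisigs, which is why the example asserts on both.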

In the aftermath of the hack, the Harmony team tweeted an offer of a US$1 million bounty for the return of the stolen funds and said it would advocate for no criminal charges if and when the funds are returned.

This is a relatively common tactic used by crypto projects to incentivise hackers to return stolen assets. While it sometimes works, it is not widely supported, as some see it as rewarding criminal behaviour.

Cross-Chain Bridges Vulnerable

Cross-chain bridges like Horizon provide interoperability between blockchains, allowing users to move tokens between chains and take advantage of the applications and services on each of them. They are not without risk, however.

One of the primary risks of cross-chain bridges is that their assets are often held in highly centralised multi-sig wallets controlled by a small number of individuals. This centralisation of enormous quantities of crypto assets makes them very attractive targets for hackers. Already this year, several cross-chain bridges – including Axie Infinity’s Ronin bridge and Solana’s Wormhole bridge – have been hacked for a combined total of close to US$1 billion.

Despite this recent spate of hacks on cross-chain bridges, DeFi remains by far the crypto sector most vulnerable to exploits. A recent report from blockchain analytics firm Chainalysis found that since the start of 2020, 97 percent of crypto hacks have targeted DeFi applications. Just weeks ago, the decentralised exchange Osmosis was forced offline after a US$5 million hack was identified by a Reddit user.

Jody McDonald
Author

Jody is a Brisbane-based freelance writer who specialises in writing about business, technology, and the future of work.
