The Horizon Bridge to the Harmony layer-1 blockchain has been exploited for $100 million in altcoins which are being swapped for Ether (ETH).
The hack may vindicate previously raised community concerns about the robustness of the two of four multisig that reportedly secures the bridge.
Starting at about 7:08 am until 7:26 am ET, 11 transactions were made from the bridge for various tokens. They have since begun sending tokens to a different wallet to swap for ETH on the Uniswap decentralized exchange (DEX), then sending the ETH back to the original wallet.
So far, Frax (FRAX), Wrapped Ether (WITH). Aave (AAVE), Sushi (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD). Dai (DAI), Tether (USDT), Wrapped BTC (WBTC), and USD Coin (USDC) has been stolen from the bridge through this exploit.
The Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin.
Harmony, the operator of the bridge, announced late on June 23 that the bridge has been halted. It said the attack did not affect the BTC bridge and its assets.
The Harmony team also said it was working with “national authorities and forensic specialists” to determine who is responsible. A post-mortem is sure to follow.
The developers and the co-founder of Harmony Nick White did not respond to requests for comment. Harmony is a layer-1 blockchain using proof-of-stake consensus. Its native token is ONE.
Concerns have previously been expressed as to the soundness of Horizon’s multi-sig wallet on Ethereum which only required two out of the four signees to drain the funds.
Ape Dev’s prediction appears to have become a reality as the bridge is now down $100 million in assets. A founder of Chainstride Capital crypto-focused venture fund Ape Dev noted on Twitter on April 2 that the low number of required signers would leave the bridge open for “another 9-figure hack.”
Vitalik Buterin discussed the issues with token bridges in a Reddit post this January. He posited that when bridges get exploited, it threatens the liquidity of each chain affected.
He added that as the amount of token bridges increases, the threat of a 51% attack on one chain could present a greater contagion risk to others.
Since his prediction, Meter’s token bridge, Axie Inifinity’s Ronin Bridge and the Wormhole Bridge were each exploited for nearly a combined $1 billion.
Multisigs is an ongoing security issue in attacks. The Ronin Bridge was secured by nine validators, only five of which were required to verify a transaction.
The attacker took control of the required five validators and extracted over $600 million in assets.
The market does not yet appear to have responded to the attack as the prices of all the coins and tokens in question have not made a significant move.
However, ONE has dropped 7.4% over the past 24 hours, with most of the fall coming in the past 5 hours. It is trading at $0.024 according to CoinGecko.- Cointelegraph