The Horizon Bridge to Harmony’s layer-1 blockchain has been exploited, with $100 million worth of altcoins stolen and exchanged for Ethereum (ETH).
The hack may have justified previous community concerns about the robustness of the two-of-four multisig reportedly securing the bridge.
From 7:08am ET to 7:26am ET, 11 transactions involving various tokens took place on the bridge. The attacker has since started sending tokens to another wallet to exchange them for ETH on the Uniswap decentralized exchange (DEX), and then sending the ETH back to the original wallet.
1/ The Harmony team discovered a theft of approximately $100 million this morning on the Horizon Bridge. We have begun working with "national authorities and forensic experts" to identify the culprits and recover the stolen funds.
— Harmony (@harmonyprotocol) June 23, 2022
So far, Frax (Frax), Wrapped Ether (WETH), Aave (Aave), Sushi (Sushi), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (Dai), Tether (USDT), Wrapped BTC (WBTC), and USD Coin (USDC) have been stolen from the bridge through the vulnerability.
Horizon Bridge facilitates token transfers between Harmony and the Ethereum network, Binance Chain, and Bitcoin. Harmony, the bridge's operator, announced on June 23 that the bridge had been taken out of service. It said the BTC bridge and its assets were not affected by the attack.
The Harmony team also said it was working with "national authorities and forensic experts" to determine who was responsible. A detailed analysis is sure to follow.
Harmony developer and co-founder Nick White did not respond to a request for comment. Harmony is a layer 1 blockchain that uses proof-of-stake consensus. Its native token is ONE.
Concerns have previously been raised about the robustness of Horizon's multi-signature wallet on Ethereum, which requires only two of the four signers to withdraw funds. Ape Dev, founder of the cryptocurrency-focused venture fund Chainstride Capital, noted on Twitter on April 2 that the low number of required signers would leave the bridge open for “another 9-figure hacker.”
Ape Dev's prediction appears to have come true, as the bridge is now $100 million down in assets.
He is far from the only crypto developer who has doubts about the security of token bridges.
Vitalik Buterin discussed the issue of token bridges in a Reddit thread in January this year. He hypothesized that when a bridge is exploited, it threatens liquidity on each affected chain. He added that as the number of token bridges grows, the threat of a 51% attack on one chain could pose a greater risk of contagion to other chains.
Since his prediction, Meter’s Token Bridge, Axie Infinity’s Ronin Bridge, and Wormhole Bridge have each seen nearly $1 billion stolen.
Multi-signature setups are a recurring security concern in these attacks. The Ronin Bridge is secured by nine validators, only five of which are required to validate transactions. The attackers took control of the five required validators and withdrew over $600 million in assets.
The market does not appear to have reacted to the attack yet, as there have been no major price changes for any of the coins and tokens involved. However, ONE is down 7.4% in the past 24 hours, with most of the decline occurring in the past 5 hours. According to CoinGecko, it is trading at $0.024.