
Harmony attack brings total lost to crypto bridge hacks past US$1 billion in 2022


Thieves targeting a popular product on the Harmony network spirited away US$100 million in the latest attack on a crypto bridge, exposing a key vulnerability.

Horizon bridge — the bridge between the Harmony network and Ethereum, Binance Chain and Bitcoin — was exploited recently, netting US$100 million for the attackers.

This isn't the first attack on a crypto bridge this year. Axie Infinity's Ronin bridge lost US$625 million, while the Wormhole bridge lost US$326 million.

That brings the total stolen from blockchain bridges this year alone to more than US$1 billion, exposing a key vulnerability in crypto networks.

What happened to Harmony

The Horizon bridge was attacked via compromised private keys, despite the keys being doubly encrypted, with a passphrase and a key management service, and no single machine having access to multiple plaintext keys.

The attackers accessed and decrypted a number of these keys, including keys used to sign transactions. Using those keys, the attackers took BUSD, USDC, ETH and WBTC tokens, swapped them to Ether (ETH), and moved large amounts to the Tornado Cash mixer a few days later.

Tornado Cash is a privacy service where users send tokens from one wallet, wait for the service to "mix" them with other deposits, and then withdraw the funds to a different wallet address, obscuring the link between the withdrawing wallet and the attackers' wallet that originally sent the funds to the mixer.

Harmony offered US$1 million to attacker

Harmony halted the Horizon bridge to prevent further losses, and the team said it was continuing to strengthen its operational and infrastructure security. But it could not recover the lost funds.

The Harmony team offered US$1 million to the hacker and promised via a tweet that "Harmony will advocate for no criminal charges when funds are returned."

The offered amount may not be enough to convince the attackers, as they have already moved funds into mixing services to cover their tracks.

Axie Infinity, Wormhole suffered similar attacks

Popular play-to-earn game Axie Infinity was also exploited earlier this year by attackers who gained access to private keys. In that case, the keys were used to trick the validator nodes that approve transactions.

Sky Mavis, the company behind Axie Infinity, has ruled out technical vulnerabilities and blamed the weakness on a phishing scheme.

The cross-chain messaging bridge Wormhole also suffered a US$325 million theft blamed on a security flaw. Wormhole's breach followed an update to the project's public GitHub repository, which revealed a fix for a bug that had not yet been deployed.

What does this mean for the crypto space?

Blockchain bridges are critical infrastructure in the cryptocurrency ecosystem, connecting multiple blockchains. Their security is critical to expanding that ecosystem.

Developers behind blockchain bridges say they are already pushing toward better security through rigorous code audits and by offering higher rewards for finding and closing bugs.

Over time, experts say, the safest bridges will be used as a template for others to build upon, which could make blockchain bridge hacks a rarity. For now, though, the risk remains.


Kliment Dukovski owns cryptocurrencies as of the publishing date.
