Cross-chain bridges are continuing to prove themselves as DeFi’s weakest link.
On June 23, Harmony, a Layer 1 blockchain, said it identified an exploit worth roughly $100M targeting its Horizon bridge. The Harmony team has begun working with “national authorities and forensic specialists” to identify the hacker and attempt to retrieve the stolen funds. Harmony is based in California.
Harmony halted the operation of its Horizon bridge to stop users from losing more funds, and has notified centralized exchanges of the exploit to prevent the hacker from converting the stolen assets. It said its trustless BTC bridge has not been impacted as assets are stored in decentralized vaults.
Horizon’s bridge facilitates asset transfers between Harmony and the Ethereum and Binance Smart Chain networks. The hacker stole Ethereum, Wrapped Ether, Wrapped Bitcoin, Binance Coin, Aave, Sushi, Frax Share, and AAG, in addition to stablecoins Dai, Tether, USD Coin, Binance USD, and Frax.
Harmony ranks 33rd among smart contract chains by total value locked (TVL) with $70M, according to DeFi Llama.
MistTrack, a crypto tracking platform, tweeted that the hacker has already begun swapping some of the ERC-20 tokens for Ether using the Uniswap decentralized exchange. The perpetrator’s wallets currently hold nearly $98.9M worth of Ether, $1.16M worth of BNB, $777,800 in ERC-20 tokens, and $640,307 in BUSD.
The security of the Harmony bridge was called into question in April when Apedev, Chainstride Capital’s founder, tweeted that its security was entirely dependent on a two-of-four multi-signature wallet.
DeFi’s Largest Hacks
“This multisig isn’t verified on Etherscan, but the implementation seems to be on GitHub. It’s modified from an earlier Consensys multisig, but the modifications don’t seem to be obvious or made public… if two of the four multisig signers are compromised, we’re going to see another 9 figure hack,” they warned, noting the bridge then secured $330M in assets.
The price of Harmony’s native ONE token is down 12.9% in 24 hours, last changing hands for $0.023, according to CoinGecko.
Cross-chain bridges have persistently been the source of DeFi’s largest hacks. Bridges operate by holding assets that are ‘transferred’ from their native chain and providing users with a token for use on the destination chain, which is later destroyed to unlock the original asset when the user sends the funds back to their native chain.
Axie Infinity’s Ronin Bridge claimed the unfortunate accolade of facilitating the largest exploit in DeFi’s history when $615M was stolen from it in March. Ronin was similarly secured by a five-of-nine multi-signature wallet, with the attacker gaining control over four Ronin validators operated by Axie developer, Sky Mavis, and a third-party validator run by the Axie DAO.
The attack on Ronin beat out the $610M that was drained from the Poly Network bridge in August 2021. However, nearly all of the funds were later returned to Poly Network, with Chinese cyber security firm SlowMist revealing it had identified the hacker’s email address, IP address, and device fingerprint.