FBI investigating $100 million theft from blockchain company Harmony
Blockchain company Harmony said $100 million in cryptocurrency was stolen from the platform on Thursday evening. The company said the FBI is now investigating the theft alongside several cybersecurity firms.
A cross-chain bridge – also known as a blockchain bridge – allows people to transfer tokens, assets, smart contract instructions and data between blockchains. Bridges have become a ripe target for hackers in recent months, and exploits of bridges have led to millions of dollars in losses.
Harmony – which helps people send cryptocurrency, stablecoins and NFTs between different blockchains like Ethereum and Binance Smart Chain – has notified other exchanges and stopped the Horizon bridge to prevent further transactions.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds. — Harmony (@harmonyprotocol) June 23, 2022
In a series of tweets, the company said it is working with government agencies and specialists to find the people behind the attack and get the stolen funds back. The hackers stole about 85,837.252 Ethereum in the attack.
“We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands on deck as investigations continue,” the company said.
Blockchain security company PeckShield told The Record that, based on what is known so far, the attackers appear to have compromised private keys that gave them the ability to validate fraudulent transactions.
The Harmony bridge is “managed by a 2-out-of-4 multisig,” PeckShield said, allowing the attackers to control funds held on the protocol through access to the private keys.
Another blockchain security company, CertiK, confirmed that once the attackers gained access to the owner keys of Horizon’s multisig wallets, they began draining vast amounts of altcoins from Harmony.
Experts are still unsure how the hackers managed to gain control of the multisig wallets, but CertiK criticized Harmony for running a system that required only two signatures to validate transactions.
“Horizon’s system of only requiring two out of four signatures has raised concerns in the past. Having only two signatures required to access such privileged controls is a glaring security vulnerability, and naturally makes an enticing target for a hacker,” CertiK said.
“In this way the attack bears some similarity to the Ronin Bridge hack in March of this year, where a hacker drained $600 Million after they gained control of the nodes required to validate withdrawals.”
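To make the 2-of-4 threshold concrete, here is an added Python model of a k-of-n multisig approval check; it is not Harmony’s, PeckShield’s or CertiK’s code. HMAC-SHA256 with constructed demo secrets stands in for the real on-chain signature scheme, and the signer names, withdrawal fields and attacker address are placeholders. It shows why holding two of the four keys is sufficient under a 2-of-4 policy and insufficient under 3-of-4, and it includes the checks a verifier must make regardless of threshold: each signature must cover the exact withdrawal, come from a known signer, and be counted at most once per signer.

```python
import hashlib
import hmac
import json

# Constructed demo secrets for four bridge signers (hypothetical; not real keys).
SIGNER_SECRETS = {
    "signer-0": b"demo-secret-0",
    "signer-1": b"demo-secret-1",
    "signer-2": b"demo-secret-2",
    "signer-3": b"demo-secret-3",
}


def canonical(withdrawal: dict) -> bytes:
    """Serialize a withdrawal deterministically so every signer commits to the same bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


def sign(signer: str, withdrawal: dict) -> tuple:
    """Return (signer id, signature). HMAC-SHA256 stands in for an ECDSA signature here."""
    mac = hmac.new(SIGNER_SECRETS[signer], canonical(withdrawal), hashlib.sha256).hexdigest()
    return signer, mac


def verify(signer: str, withdrawal: dict, signature: str) -> bool:
    """Reject unknown signers and any signature that does not cover this exact withdrawal."""
    secret = SIGNER_SECRETS.get(signer)
    if secret is None:
        return False
    expected = hmac.new(secret, canonical(withdrawal), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def approve(withdrawal: dict, signatures: list, threshold: int) -> bool:
    """k-of-n check: count distinct authorized signers with a valid signature over this withdrawal."""
    valid_signers = set()
    for signer, sig in signatures:
        if verify(signer, withdrawal, sig):
            valid_signers.add(signer)  # a set, so a replayed signature cannot count twice
    return len(valid_signers) >= threshold


def compromised_key_outcome(compromised: list, threshold: int) -> bool:
    """Simulate an attacker holding the listed signer keys who submits a withdrawal to their own address.

    The amount echoes the roughly 85,837 ETH figure from the article; the address is a placeholder.
    """
    attacker_withdrawal = {"to": "0xATTACKER-PLACEHOLDER", "amount": 85837, "nonce": 1}
    sigs = [sign(s, attacker_withdrawal) for s in compromised]
    return approve(attacker_withdrawal, sigs, threshold)


if __name__ == "__main__":
    two_keys = ["signer-0", "signer-1"]
    print("2-of-4 policy, two keys compromised:", compromised_key_outcome(two_keys, 2))
    print("3-of-4 policy, two keys compromised:", compromised_key_outcome(two_keys, 3))
```

The threshold is the whole story under a key-compromise model: the verifier logic above is correct, yet with two signer keys in hand the attacker’s withdrawal is indistinguishable from a legitimate one under a 2-of-4 policy. Raising the threshold, or keeping signer keys in separately administered HSMs as the April tweet below asks, changes how many independent compromises the attacker needs.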
Harmony was previously exploited in January, and experts had long warned that the company's system was vulnerable to this kind of attack. One expert specifically raised the possibility that if two of the four multisig signers were compromised, there would be "another 9 figure hack."
Are the private keys on HSMs? How do the validators work? Has the validator code been audited (the PeckShield audit of the bridge didn't seem to include the validators, which are a key component of the system)? — Ape Dev (@_apedev) April 1, 2022
Blockchain bridge attacks have become increasingly common over the last year. In addition to the Ronin Bridge hack in March, a hacker abused a vulnerability in the Wormhole cryptocurrency platform in February to steal an estimated $322 million worth of Ether.
A week before the Wormhole hack, a similar attack took place against another blockchain bridge when a hacker stole $80 million from Qubit Finance.
“The fact that we are again seeing such huge losses from attacks on cross-chain bridges is a reminder both of the huge demand for this kind of infrastructure in web3, but also of their severe and persistent security vulnerabilities,” CertiK CEO Ronghui Gu told The Record.
“Solving the problems with cross-chain bridges is vital to ensuring a secure web3 ecosystem moving forward.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.