Harmony's $100 million hacker took control of its multi-signature wallet, analysts say

Quick Take

  • The Harmony blockchain suffered a $100 million theft on its Horizon bridge.
  • Security analysts say the hacker first gained control of the bridge’s multi-signature wallet.

On Thursday, Harmony, a proof-of-stake (PoS) blockchain, lost $100 million to a theft on its Ethereum-linked bridge. 

The anonymous hacker stole multiple assets, including ETH, BNB, USDT, USDC and DAI. These assets were previously bridged from Ethereum to the Harmony blockchain through the Horizon bridge.

In response, Harmony said it was working with law enforcement agencies and cyber security firms. Still, the team did not explain how the hack took place.

While the Harmony team has yet to provide an official post-mortem, security experts have offered some insights into the hack. According to Mudit Gupta, Polygon's chief information security officer, the perpetrator gained control of the multi-signature wallet used in deploying Harmony's bridge.

A multi-signature wallet is a smart contract account controlled by several private keys, held by multiple entities rather than a single person. Gupta found that moving the bridge wallet's funds required approval from at least two of its five keys, so the perpetrator may have obtained two private keys and thereby gained control.

“The bridge was essentially a 2 of 5 multi-sig. If any 2 addresses told it to transfer funds to someone, it did,” Gupta said. "The hacker compromised 2 addresses and made them drain the money."

CertiK, a smart contract security firm, corroborated that the hacker did, in fact, target the bridge’s multi-signature wallet. In a Friday report, CertiK said: "The attacker accomplished this [exploit] by somehow controlling the owner of the MultiSigWallet to call the confirmTransaction() directly to transfer large amounts of tokens from the bridge on Harmony." 
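As an added illustration that is not Harmony's or CertiK's code: a toy Python model of the submit/confirm/execute flow of a k-of-n MultiSigWallet, showing why a 2-of-5 threshold means two confirming owners execute a transfer immediately, together with a monitoring rule a bridge operator could run over the wallet's execution events. Owner names, balances and the value limit are constructed for the example.

```python
# Added example (not Harmony's contract): a k-of-n multisig model whose
# confirm() mirrors confirmTransaction(): reaching the threshold executes at once.
# Owner names, balances and the monitoring limit below are constructed values.
from dataclasses import dataclass, field


@dataclass
class Tx:
    to: str
    value: int
    confirmations: set = field(default_factory=set)
    executed: bool = False


class MultiSigWallet:
    def __init__(self, owners, required, balance):
        if not 0 < required <= len(owners):
            raise ValueError("threshold must be between 1 and the owner count")
        self.owners, self.required, self.balance = set(owners), required, balance
        self.txs, self.events = [], []  # events: (tx_id, to, value) per execution

    def _require_owner(self, owner):
        if owner not in self.owners:
            raise PermissionError(f"{owner} is not an owner")

    def submit(self, owner, to, value):
        self._require_owner(owner)
        self.txs.append(Tx(to, value))
        tx_id = len(self.txs) - 1
        self.confirm(owner, tx_id)  # the submitter's confirmation counts as one
        return tx_id

    def confirm(self, owner, tx_id):
        self._require_owner(owner)
        tx = self.txs[tx_id]
        tx.confirmations.add(owner)  # a set: the same owner cannot count twice
        # With required=2, the second distinct confirmation executes the transfer
        # immediately; the other owners get no window to object.
        if not tx.executed and len(tx.confirmations) >= self.required:
            if tx.value > self.balance:
                raise ValueError("insufficient balance")
            self.balance -= tx.value
            tx.executed = True
            self.events.append((tx_id, tx.to, tx.value))
        return tx.executed


def flag_large_executions(events, limit):
    """Monitoring rule: executed transfers whose value exceeds `limit`."""
    return [e for e in events if e[2] > limit]
```

Raising `required` to 4 in the same model leaves the balance untouched after the same two confirmations, which is the quantitative difference a higher threshold buys.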

This is a developing story. Harmony didn't immediately respond to a request for comment.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.