Harmony's $100 million hacker took control of its multi-signature wallet, analysts say

Quick Take

  • The Harmony blockchain suffered a $100 million theft on its Horizon bridge.
  • Security analysts say the hacker first gained control of the bridge’s multi-signature wallet.

On Thursday, Harmony, a proof-of-stake (PoS) blockchain, lost $100 million to a theft on its Ethereum-linked bridge. 

The anonymous hacker stole multiple assets, including ETH, BNB, USDT, USDC and DAI. These assets were previously bridged from Ethereum to the Harmony blockchain through the Horizon bridge.

In response, Harmony said it was working with law enforcement agencies and cyber security firms. Still, the team did not explain how the hack took place.

While the Harmony team has yet to provide an official post-mortem, security experts have offered some insights into the hack. According to Mudit Gupta, Polygon's chief information security officer, the perpetrator gained control of the multi-signature wallet used in deploying Harmony's bridge.

A multi-signature wallet is a smart contract account controlled by several private keys, distributed among multiple entities rather than held by a single person. Gupta found that moving the bridge wallet's funds required approval from at least two of its five private keys, so the perpetrator may have obtained two of those keys and thereby gained control.


“The bridge was essentially a 2 of 5 multi-sig. If any 2 addresses told it to transfer funds to someone, it did,” Gupta said. "The hacker compromised 2 addresses and made them drain the money."

CertiK, a smart contract security firm, corroborated that the hacker did, in fact, target the bridge’s multi-signature wallet. In a Friday report, CertiK said: "The attacker accomplished this [exploit] by somehow controlling the owner of the MultiSigWallet to call the confirmTransaction() directly to transfer large amounts of tokens from the bridge on Harmony." 
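To make the 2-of-5 arrangement described above concrete, here is an added Python model of an owner-confirmation wallet in the style of the MultiSigWallet/confirmTransaction() pattern CertiK refers to. It is not Harmony's contract and not code from The Block or the analysts quoted; the owner names, balance and destination address are constructed. The model shows that with a threshold of 2, two compromised owner keys are enough to execute a transfer on their own, while a higher threshold leaves the same transfer pending, and it keeps a confirmation log of the kind a monitoring rule could alert on.

```python
"""Toy model of a threshold ("m of n") multi-signature wallet.

Constructed example mirroring the owner / confirmTransaction flow the
article describes. Not Harmony's contract; names and amounts are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    destination: str
    value: int
    confirmations: set = field(default_factory=set)  # owners who confirmed
    executed: bool = False


class MultiSigWallet:
    """Executes a transfer once `required` distinct owners confirm it."""

    def __init__(self, owners, required, balance):
        if not 0 < required <= len(set(owners)):
            raise ValueError("threshold must be between 1 and the owner count")
        self.owners = set(owners)
        self.required = required
        self.balance = balance
        self.transactions = []
        self.log = []  # every confirmation and execution, for monitoring

    def submit_transaction(self, sender, destination, value):
        """An owner proposes a transfer; submitting counts as confirming."""
        self._require_owner(sender)
        self.transactions.append(Transaction(destination, value))
        tx_id = len(self.transactions) - 1
        self.confirm_transaction(sender, tx_id)
        return tx_id

    def confirm_transaction(self, sender, tx_id):
        """Record an owner's confirmation; execute once the threshold is met."""
        self._require_owner(sender)
        tx = self.transactions[tx_id]
        if tx.executed:
            raise RuntimeError("transaction already executed")
        tx.confirmations.add(sender)
        self.log.append(("confirm", sender, tx_id, len(tx.confirmations)))
        if len(tx.confirmations) >= self.required:
            self._execute(tx_id)

    def _execute(self, tx_id):
        tx = self.transactions[tx_id]
        if tx.value > self.balance:
            raise RuntimeError("insufficient balance")
        self.balance -= tx.value
        tx.executed = True
        self.log.append(("execute", tx.destination, tx_id, tx.value))

    def _require_owner(self, sender):
        if sender not in self.owners:
            raise PermissionError(f"{sender} is not an owner")


def keys_meet_threshold(owners, required, held_keys):
    """True if a set of owner keys is enough, by itself, to move funds."""
    return len(set(owners) & set(held_keys)) >= required


def balance_after_compromise(required, compromised_keys):
    """Replay a 100-unit transfer signed only with the compromised keys.

    Constructed five-owner wallet. Returns the balance afterwards: 0 if the
    compromised keys met the threshold, 100 if the threshold blocked it.
    """
    owners = ["owner1", "owner2", "owner3", "owner4", "owner5"]
    wallet = MultiSigWallet(owners, required, balance=100)
    first, *rest = compromised_keys
    tx_id = wallet.submit_transaction(first, "constructed-destination", 100)
    for key in rest:
        if wallet.transactions[tx_id].executed:
            break
        wallet.confirm_transaction(key, tx_id)
    return wallet.balance


if __name__ == "__main__":
    print("2-of-5, two keys compromised ->", balance_after_compromise(2, ["owner1", "owner2"]))
    print("4-of-5, two keys compromised ->", balance_after_compromise(4, ["owner1", "owner2"]))
```

The design point is that the contract only ever checks a count of distinct owner confirmations, so the security of the whole bridge reduces to how many owner keys an adversary must hold at once; raising the threshold (and keeping the owners' keys on separate, independently secured systems) is what makes a single compromise insufficient, and the confirmation log is where an unusual large-value confirmation sequence would first show up.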

This is a developing story. Harmony didn't immediately respond to a request for comment.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]