Ethereum: it steals $98 million in one click – Harmony bridge collapses

One more – In cryptos, we do not take RTT, including for the less well-intentioned among us. Phishing, rugs and hacks continue, even in the midst of a bear market. This time, it is the Harmony (ONE) blockchain that is targeted. Hoping it doesn’t become the hit of the summer. Discovered overnight, this hack was announced and exposed by the team, which revealed the first elements it has.

A bridge targeted, are the shores safe?

the bridge is a solution that is becoming more and more widespread. Tool set up to make communicate blockchains between them (transferring funds from one to another). While interoperability was one of the keywords linked to the narrative of the previous cycle, bridges have become essential.

They make it possible to transfer funds (or rather their representation) to another blockchain. Different blockchains have different transaction security languages ​​and processes. This greatly complicates the merging of the two account registers listing the exchanges of each of the two blockchains. The bridge are therefore the solution to transfer the value linked to a token X from blockchain A to blockchain B.

Without going into technical details, the “entrances” of these bridges accommodate therefore very large sums of tokens. If the imported token is not native, it is placed in escrow at the entrance to the bridge. The importer is given a token (usable on the chain). This token represents the value of the imported token (not usable on the chain). That is why bridges attract attention malicious hackers. Solana paid the price at the timeclosely avoiding disaster…

We can sum it up like this: a tourist wants to spend the day in a amusement park-casino which is on an island. the only way to get there is a bridge. In addition, his tickets are not accepted on the island. He must therefore exchange them for the appropriate tokens to come in and have fun. Tokens that we will gladly exchange for him (1 ticket for 1 token) for the tickets when he leaves. The day is going well, until the moment of get out of the casino with his winnings (or his losses). Reception warns him that there is not enough cash left in the cash register to honor the 1 for 1 exchange.

All resemblances between the amusement park-casino on an island and the roller coaster of DeFi is (almost) totally fortuitous.

>> Play it safe, register on FTX the reference of crypto exchanges (affiliate link) <<

Bridge Horizon Hack – A $100 Million Hit

The Harmony Protocol team last night identified a flaw in its bridge to Ethereum, Horizon.

Tweet from Harmony explaining the hack she suffered
Tweet from Harmony Protocol – Source: Twitter

After the revelation of the theft of $100 million, Harmony’s Twitter account shared the fraudulent address. We then notice that it took place from Harmony to Ethereum. The protocol then specifies that the BTC bridge <=> ONE (trustless, unlike that of ETH) is not affected by this hack. Indeed, the latter is not trustless because of the presence of a controlling multisig wallet on the bridge.

They also reported the bridge jacking to the various exchanges so that they block any transaction passing through the identified wallet (thanks to Etherscan).

Investigators 3.0 also on the bridge

If the team has not yet given concrete explanations on the progress of the hack, some Internet users have started to gather elements. The Bridge Horizon is not managed exclusively by smart contract. The latter can be revoked by a multisignature wallet which, on its own, can alter the code.

This is where the hacker struck (to deepen on the subject of mutlisig with the Polygon example).

Rugdoc.eth explains that the thief was able to change the numbers of signatures to carry out his hack
Tweet from Rugdoc.io – Source Twitter

Rugdoc.io indeed reports that the thief has succeeded in changing the number of signatures needed to edit the code. Once the rules are changed to his advantage, he has all the permissions to siphon off the deck of his precious ETH. These Ethers belong to “tourists passing through the casino”.

Etherscan indicates that the wallet has thus drained some 85,860 ETH ($98 million at current price). the wallet in question is now clearly identified as the “Horizon Bridge Exploiter”.

The weaknesses related to this multisig management guarantor of the ETH bridge had been identified a few weeks ago by an Internet user who dug the documentation and the architecture of this one. A publication without much echo or reaction… until today.

Tweet from Ape dev explaining that the exploited flaw had been reported, the hack could have been avoided.
Tweet by Ape Dev – Source: Twitter

Although the contours of the theft are beginning to become clearer, the extent of the damage has not yet been fully clarified. L’harmony team ensures to be on the bridge to seal the breach and stop the bleeding. Case to follow.

Stay away from spammers and scammers of all stripes, avoid too-good-to-be-true offers like the plague, and get into the habit of showing healthy suspicion. On the other hand, also learn to place reasonable trust in respectable and recognized players in the ecosystem. The FTX platform falls without a shadow of a doubt into this second category. Come acquire and trade your first bitcoins and other cryptocurrencies by registering on FTX. You will benefit from a lifetime discount on your transaction fees (affiliate link).

Leave a Comment