
$100 million hack at Harmony due to compromised multisig scheme

The root cause of the massive hack that stole $100 million from Harmony last Wednesday may have been discovered.

Harmony suffers a $100 million hack

Last Wednesday, Harmony, a layer 1 blockchain company launched in 2019 by Stephen Tse, suffered a $100 million theft due to a hack.

Harmony is aiming to solve the persistent “blockchain trilemma” by balancing scalability with security and decentralization.

In a tweet, the company disclosed the attack and said it is working with the FBI, other relevant authorities, and cyber security firms to try to recover the stolen funds.

The following day, Polygon’s chief information security officer, Mudit Gupta, said the attacker appears to have compromised the 2-of-5 multi-signature scheme on which Harmony’s bridge relies: with only two of the five signing keys in hand, the attacker could authorize withdrawals.

Gupta explained:

“The hacker compromised 2 addresses and made them drain the money. The two addresses were likely hot wallets used to listen for and process legit bridging transactions”.
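To make the multisig point concrete, here is an added example that is not code from the article, from Harmony or from Polygon: a minimal m-of-n threshold authorization check in Python. HMAC-SHA256 with a per-signer secret stands in for the ECDSA signatures a real bridge uses, and the signer names, amounts, addresses and nonces are all constructed. It shows why a 2-of-5 policy releases funds as soon as two keys are in the wrong hands while a 4-of-5 policy does not, and it includes the distinct-signer and message-binding checks a reviewer would expect to find in such a scheme.

```python
import hashlib
import hmac
import secrets

# Constructed signer set standing in for the bridge's n signers (here n = 5).
# Each signer holds its own secret; in a real bridge these would be ECDSA keys.
SIGNER_KEYS = {f"signer{i}": secrets.token_bytes(32) for i in range(1, 6)}


def sign(signer: str, message: bytes) -> bytes:
    """Produce this signer's signature over `message` (HMAC stand-in for ECDSA)."""
    return hmac.new(SIGNER_KEYS[signer], message, hashlib.sha256).digest()


def verify(signer: str, message: bytes, signature: bytes) -> bool:
    """Check that `signature` was produced by a known `signer` over `message`."""
    if signer not in SIGNER_KEYS:
        return False
    expected = hmac.new(SIGNER_KEYS[signer], message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def authorize(message: bytes, signatures: list, threshold: int) -> bool:
    """m-of-n policy: release only if at least `threshold` DISTINCT known
    signers produced a valid signature over exactly this message.
    Collecting approvers in a set is what stops one key from being counted
    twice when the same signature is submitted repeatedly."""
    approvers = set()
    for signer, sig in signatures:
        if verify(signer, message, sig):
            approvers.add(signer)
    return len(approvers) >= threshold


def withdrawal(amount: int, recipient: str, nonce: int) -> bytes:
    """Canonical message the signers approve; the nonce prevents replay."""
    return f"withdraw:{amount}:{recipient}:{nonce}".encode()


def two_compromised_keys(threshold: int) -> bool:
    """Only signer1 and signer2 are compromised; does the policy release funds?"""
    msg = withdrawal(100_000_000, "0xconstructed-recipient", 1)
    sigs = [(s, sign(s, msg)) for s in ("signer1", "signer2")]
    return authorize(msg, sigs, threshold)


def one_key_signing_twice(threshold: int) -> bool:
    """One compromised key submitting its signature twice must not count as two."""
    msg = withdrawal(100_000_000, "0xconstructed-recipient", 2)
    sig = sign("signer1", msg)
    return authorize(msg, [("signer1", sig), ("signer1", sig)], threshold)


def signatures_reused_on_other_message(threshold: int) -> bool:
    """Valid signatures over one withdrawal must not authorize a different one."""
    legit = withdrawal(10, "0xconstructed-user", 3)
    sigs = [(s, sign(s, legit)) for s in ("signer1", "signer2")]
    other = withdrawal(100_000_000, "0xconstructed-recipient", 3)
    return authorize(other, sigs, threshold)


if __name__ == "__main__":
    print("2-of-5, two keys compromised -> released:", two_compromised_keys(2))  # True
    print("4-of-5, two keys compromised -> released:", two_compromised_keys(4))  # False
    print("2-of-5, one key signs twice  -> released:", one_key_signing_twice(2))  # False
    print("2-of-5, sigs reused on other msg -> released:",
          signatures_reused_on_other_message(2))  # False
```

The threshold is a policy decision, not a cryptographic one: the scheme above is correct as written, yet at 2-of-5 the cost of a drain is exactly two key compromises. Raising the threshold and keeping the signing keys in separate custody (hardware-backed, not co-located hot wallets that all sit on the same relayer infrastructure) increases the number of independent compromises an attacker needs, and a per-withdrawal size limit gives monitoring a chance to catch an out-of-pattern release before the whole balance leaves.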

Hacker steals $100 million from the Horizon bridge

How do bridges that enable cross-chain asset transfer work?

Blockchain bridges like Harmony’s Horizon have taken on an important role in decentralized finance, since they let users move assets from one blockchain to another. In the specific case of Horizon, users can send tokens from the Ethereum network to Binance Smart Chain.

Bridges are now a very tempting target for attackers: their underlying code has had vulnerabilities, and they must hold large amounts of liquidity to function.

The founder of the Harmony protocol wrote in a report on the affair that:

“The team has found evidence that private keys were compromised, leading to the breach of our Horizon bridge — Funds were stolen from the Ethereum side of the bridge. Confidentiality is key to maintain integrity as part of this ongoing investigation — The omission of specific details is to protect sensitive data in the interest of our community”.

In a subsequent tweet, the company offered a $1 million reward to anyone who provided information helpful in recovering the stolen funds.

Harmony, which was launched through Binance Launchpad via an Initial Exchange Offering (IEO), grossed 23 million in May 2019, and three years after launch it has a total market capitalization of about $1.5 billion. Harmony’s native token is called ONE and is used for transaction fees, staking, and governance, allowing holders to take part in decisions about the future of the network.

Vincenzo Cacioppoli
Vincenzo was born in Genova but has lived most of his life in Milan. He has a degree in political science. He is a journalist, blogger, writer, and marketing and digital advertising expert. After a long experience in traditional marketing, he started working with the web and digital advertising in 2011, creating a company called Le enfants. Passionate about the web and innovation, in 2018 he started exploring topics related to blockchain technology and cryptocurrencies. An independent cryptocurrency trader since March 2018, he now collaborates with companies in the sector as a content marketing specialist. In his blog, mediateccando.blogspot.com, he has long focused primarily on blockchain, which he considers the greatest technological innovation after the Internet. His first book about blockchain and fintech is scheduled for release in November.