The company informed about the incident to the authorities; the FBI investigated the cyber attack taking the help of many cyber security firms.
Harmony’s Horizon Bridge allows users to transfer their crypto assets from one blockchain to another. The company promptly blocked the bridge to stop further transactions and notified other exchanges.
The company also offers a $1 million bounty in exchange for the return of the funds.
The incident response team stated that it didn’t find any evidence of any breach of the company smart contract codes or vulnerabilities on the Horizon platform. Harmony sadi that the consensus layer of the Harmony blockchain remains secure.
“Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge. The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys.” states the update published by the company. “The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSB, USDC, ETH and WBTC. All assets were then swapped to ETH and currently remain on the hacker’s account on the Ethereum network. No steps have currently been taken by the hacker to anonymize ownership of these assets.”
The blockchain security firm CertiK published a detailed analysis of the incident, it confirmed that the threat actors were able to access the owners of Horizon’s multiSig wallets, and then stole the funds from Harmony.
“On June 23, 2022 at 11:06:46 AM +UTC, the bridge between Harmony chain and Ethereum experienced multiple exploits. Our expert analysis has identified twelve attack transactions and three attack addresses.” reads the analysis published by CertiK. “Across these transactions the attacker netted various tokens on the bridge including ETH, USDC, WBTC, USDT, DAI, BUSD, AAG, FXS, SUSHI, AAVE, WETH, and FRAX. The transactions vary in value but range from $49,178 to upwards of $41,200,000. The attacker accomplished this by somehow controlling the owner of the MultiSigWallet to call the confirmTransaction() directly to transfer large amounts of tokens from the bridge on Harmony, which led to a total loss around $97M worth of asset on the Harmony chain which the attacker has consolidated into one main address.”