Harmony blockchain was the victim of a $100 million fraud on its Horizon bridge. Security analysts believe the hacker first gained control of the bridge’s multi-signature wallet.
Harmony, a proof-of-stake (PoS) blockchain, lost $100,000,000 to theft from its Ethereum-linked bridge.
An anonymous hacker stole many assets, including ETH, BNB, USDT, USDC and DAI. These assets had previously been bridged from Ethereum to the Harmony blockchain via the Horizon bridge.
Harmony responded by saying it was working with cyber security firms and law enforcement agencies. The team didn’t explain how the hack occurred.
Although the Harmony team has not yet provided an official post-mortem report, security experts have offered some insight into the hack. Mudit Gupta, Polygon’s chief information security officer, said that the hacker gained access to the multisignature wallet used for deploying Harmony’s bridge.
Multi-signature wallets are smart contract accounts that have multiple private keys. They can be managed by several entities and not just one person. Gupta discovered that at least two of five private keys were required to access the bridge’s funds. The perpetrator might have taken two keys and gained control.
“The bridge was basically a 2 of 5 multisig. It would transfer funds to anyone it was told to by 2 addresses,” Gupta stated. “The hacker compromised two addresses and made the money disappear.”
CertiK, a smart contract security company, confirmed that the hacker targeted the bridge’s multisignature wallet. CertiK stated in a report on Friday that the attacker had “exploited” the MultiSigWallet owner to call confirmTransaction() to directly transfer large amounts of tokens from the bridge.
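
A minimal model of the 2-of-5 arrangement described above, added here as an illustration and not taken from Harmony's contract code. The class, function and key names are hypothetical (only confirmTransaction() appears in the CertiK report), and the model assumes a proposal counts as the proposer's confirmation. It shows that the confirmation threshold, not the number of owners, sets how many key compromises the funds can withstand.

```python
# Simplified M-of-N multisig model (added example; all names are hypothetical).
from dataclasses import dataclass, field

@dataclass
class Tx:
    amount: int
    confirmations: set = field(default_factory=set)
    executed: bool = False

class MultiSigModel:
    def __init__(self, owners, required, balance):
        if not 0 < required <= len(owners):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.owners, self.required = set(owners), required
        self.balance, self.txs = balance, []

    def submit_transaction(self, sender, amount):
        """An owner proposes a transfer; proposing also counts as confirming."""
        self._require_owner(sender)
        self.txs.append(Tx(amount))
        tx_id = len(self.txs) - 1
        self.confirm_transaction(sender, tx_id)
        return tx_id

    def confirm_transaction(self, sender, tx_id):
        """Models confirmTransaction(): record approval, execute at the threshold."""
        self._require_owner(sender)
        tx = self.txs[tx_id]
        tx.confirmations.add(sender)
        enough = len(tx.confirmations) >= self.required
        if enough and not tx.executed and tx.amount <= self.balance:
            self.balance -= tx.amount
            tx.executed = True
        return tx.executed

    def _require_owner(self, sender):
        if sender not in self.owners:
            raise PermissionError(f"{sender} is not an owner")

def funds_at_risk(owners, required, compromised, balance=100):
    """Return how much the holder of the `compromised` keys can move unaided."""
    wallet = MultiSigModel(owners, required, balance)
    keys = [k for k in compromised if k in wallet.owners]
    if not keys:
        return 0
    tx_id = wallet.submit_transaction(keys[0], balance)
    for key in keys[1:]:
        wallet.confirm_transaction(key, tx_id)
    return balance - wallet.balance
```

With five owners and a threshold of 2, two compromised keys put the full balance at risk; the same two keys against a threshold of 4 move nothing.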