The Horizon Bridge cross-chain bridge on the Harmony blockchain has been exploited. An investigation is underway.
On the evening of June 23, the Horizon Bridge cross-chain protocol was attacked, resulting in the theft of about $100 million in assets, as reported by representatives of the Harmony network, on which the Horizon Bridge operates. According to them, the investigation has already begun, involving government agencies and forensic experts. The cross-chain bridge has been temporarily halted.
The Horizon Bridge provided asset transfers between Harmony, Ethereum, BNB Chain and Bitcoin. Representatives assured that the bridge between Harmony and Bitcoin was unaffected, and there was no clarification about the other bridges. Hackers managed to steal Frax (FRAX), Wrapped Ether (WETH), Aave (AAVE), Sushi (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (WBTC) and USD Coin (USDC). All of them were exchanged for ETH on the decentralized exchange Uniswap.
Harmony is a layer-1 blockchain. Its token ONE has already reacted to the hack with a 10% drop, reported CoinMarketCap as of 11:30 a.m. (GMT+3). The network runs on Proof-of-Stake, with only two of the four signees needed to validate a transaction. In early April, doubts about the reliability of this system were expressed by Ape Dev, Founder of the venture fund Chainstride Capital.
Similar concerns were voiced on Reddit in January this year by Vitalik Buterin, Head of Ethereum, highlighting the vulnerability of cross-chain protocols with multi-signatures to 51% attacks. Since then, there have been three major hacks of this type, excluding that of today:
- The Meter Passport protocol lost $4.4 million due to the attack;
- The Wormhole cross-chain bridge was hacked for $321 million;
- The Ronin sidechain lost $612 million as a result of the hack.
Hence, since the beginning of the year, the amount of damages caused by hacking of cross-chain protocols exceeded $1 billion. Almost all stolen money is exchanged into ETH, which are laundered via Ethereum mixer Tornado Cash.