A popular product on the Harmony Network was exploited for over $100 million worth of cryptocurrencies last night in what is one of the biggest crypto hacks in recent weeks.
“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM,” developers said in a tweet. “We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”
What Harmony Network is saying
Harmony announced the hack through its Twitter account, stating: “The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
“Note this does not impact the trustless BTC bridge; its funds and assets stored on decentralized vaults are safe at this time. We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands on deck as investigations continue. We will keep everyone up to date as we investigate this further and obtain more information.”
What you should know
- The Horizon bridge allows users to exchange assets, such as tokens, stablecoins, and NFTs, between Ethereum, Binance Smart Chain (BSC), and Harmony blockchains.
- The way the bridge worked allowed attackers to exploit the network. According to developer documents, it worked as follows: a set of smart contracts was deployed on the Ethereum, BSC, and Harmony blockchains. A pool of validators verifies when users lock liquidity on any of those networks.
- When a token lock action is detected on the Ethereum blockchain, the pool of validators validates it and relays the finalized information to the Harmony blockchain. Afterwards, the same amount of a bridged token is minted. On the opposite side, when a bridged token burn is detected on the Harmony blockchain, the pool of validators validates it and relays the finalized information to the Ethereum blockchain, where the same amount of the original token is unlocked.
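The lock/mint and burn/unlock pairing described above implies an invariant a monitoring team can check: every mint should be backed by one lock and every unlock by one burn, for the same amount. The following is an added example, not Harmony's code and not a model of this incident; the event fields (`kind`, `ref`, `amount`) and the sample events are constructed, and `ref` is assumed to be unique across chains.

```python
# Added example: reconcile bridge events from both chains (hypothetical event format).
from collections import defaultdict

# Each relayed action must be backed by exactly one source action of equal amount.
BACKED_BY = {"mint": "lock", "unlock": "burn"}

def reconcile(events):
    """Return (findings, locked, bridged_supply) for an ordered event list."""
    source = {}                 # ref -> (kind, amount) for lock/burn events
    used = set()                # refs already consumed by a relayed action
    findings = []
    balance = defaultdict(int)  # running totals: "locked" and "bridged"
    for ev in events:
        kind, ref, amount = ev["kind"], ev["ref"], ev["amount"]
        if kind in ("lock", "burn"):
            source[ref] = (kind, amount)
        else:
            want = BACKED_BY[kind]
            backing = source.get(ref)
            if backing is None or backing[0] != want:
                findings.append((ref, f"{kind} without matching {want}"))
            elif ref in used:
                findings.append((ref, f"{kind} relayed twice"))
            elif backing[1] != amount:
                findings.append((ref, f"{kind} amount differs from {want}"))
            used.add(ref)
        # Track custody: locks fill the vault, unlocks drain it;
        # mints grow the bridged supply, burns shrink it.
        if kind == "lock":
            balance["locked"] += amount
        elif kind == "unlock":
            balance["locked"] -= amount
        elif kind == "mint":
            balance["bridged"] += amount
        elif kind == "burn":
            balance["bridged"] -= amount
    if balance["locked"] < balance["bridged"]:
        findings.append(("*", "bridged supply exceeds locked collateral"))
    return findings, balance["locked"], balance["bridged"]

# Constructed sample: one lock/mint, one burn/unlock, then an unlock with no burn.
SAMPLE = [
    {"kind": "lock",   "ref": "e1", "amount": 100},  # on Ethereum
    {"kind": "mint",   "ref": "e1", "amount": 100},  # on Harmony
    {"kind": "burn",   "ref": "h1", "amount": 40},   # on Harmony
    {"kind": "unlock", "ref": "h1", "amount": 40},   # on Ethereum
    {"kind": "unlock", "ref": "h2", "amount": 60},   # on Ethereum, unbacked
]

if __name__ == "__main__":
    for ref, msg in reconcile(SAMPLE)[0]:
        print(ref, msg)
```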
The attacker has not so far moved any funds to exchanges or privacy swap services like Tornado Cash at the time of writing, blockchain data shows.