Blockchain network Harmony Protocol has reported a security breach leading to the loss of approximately $100 million. Hackers exploited a vulnerability to steal 85,837 ETH (approx. $100 million) from Harmony’s Horizon Bridge.
The root cause of the vulnerability is Harmony’s multi-signature structure for approving transactions. Harmony utilized a 2-of-5 multi-sig wallet, where only two signatures were required to approve transfers from the bridge. Two such addresses were compromised, allowing the hacker to siphon funds from the bridge.
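The m-of-n approval rule described above, as an added example that is not Harmony's code: it models a five-owner wallet and checks whether a transfer signed only by compromised owners passes at a given threshold. The owner names, keys, message format and the use of HMAC-SHA256 in place of on-chain ECDSA signatures are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed signer set: five owner ids with constructed secret keys.
# HMAC-SHA256 is a stand-in for the signatures a real bridge wallet verifies.
OWNER_KEYS = {f"owner{i}": f"constructed-key-{i}".encode() for i in range(1, 6)}


def sign(owner: str, message: bytes) -> bytes:
    """Produce the stand-in signature of one owner over a transfer message."""
    return hmac.new(OWNER_KEYS[owner], message, hashlib.sha256).digest()


def valid_signers(message: bytes, signatures: dict) -> set:
    """Return the distinct registered owners whose signature verifies."""
    ok = set()
    for owner, sig in signatures.items():
        key = OWNER_KEYS.get(owner)
        if key is None:
            continue  # signer is not one of the wallet's owners
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            ok.add(owner)
    return ok


def approve(message: bytes, signatures: dict, threshold: int) -> bool:
    """m-of-n rule: approve when at least `threshold` distinct owners signed."""
    return len(valid_signers(message, signatures)) >= threshold


def approved_with_compromised(compromised: set, threshold: int) -> bool:
    """Does a transfer pass when only the compromised owners sign it?"""
    msg = b"transfer:constructed-amount:constructed-destination"
    sigs = {owner: sign(owner, msg) for owner in compromised}
    return approve(msg, sigs, threshold)


if __name__ == "__main__":
    compromised = {"owner1", "owner2"}  # two owner keys lost, as in the report
    for m in range(2, 6):  # thresholds above 2 are hypothetical comparisons
        print(f"{m}-of-5 approves: {approved_with_compromised(compromised, m)}")
```

With two owners compromised, only the 2-of-5 setting approves the transfer; every higher threshold rejects it because the remaining owners never signed.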
Meanwhile, the project reports that it has started collaborating with authorities to identify the bad actor and potentially recover stolen funds.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
The stolen funds are still being held at the identified hackers’ address at the time of writing. The Horizon bridge hack is the third-largest blockchain bridge hack this year, trailing the $625 million Ronin Network incident, and Wormhole’s $300 million exploit.
Harmony Protocol Hacked
The Horizon bridge is a cross-chain protocol that allows users to move funds from Ethereum and BNB Chain to the layer-1 Harmony One network. Users can use bridged assets to interact with decentralized applications on the network.
According to DeFiLlama, $77 million is locked in Harmony-based DeFi apps, a significant decline from the $1.4 billion reported at the time of its peak in January. This decline, however, has not prevented most on-chain protocols on the network from seeing a notable drop in total value locked in the aftermath of the latest hack.
Meanwhile, Harmony One’s native token ($ONE) has also seen a mild 5% decline since the hack reveal. The asset’s price dropped from a daily high of $0.027 to around $0.025 at the time of writing. Harmony ($ONE) has a market capitalization of nearly $300 million.
Update: This article has been updated to include information about the root cause of the exploit.