The Hacking of Harmony’s Horizon Bridge

On 24 June 2022, Harmony announced on Twitter that they have been made victims of theft amounting to 100 million USD. The professional hackers exploited Harmony’s blockchain bridge — by successfully entering the system and transferring funds illegally to other fraudulent or private wallets within a short period of time. It was reported that the hackers’ attack vector and high velocity of structured payments to a mixer were similar to previous attacks executed by attackers linked to the DPRK. Despite Harmony offering a 1 million USD bounty (equivalent to 1% of the stolen amount) initially, the hackers have laundered the funds by transferring them to the privacy mixer service Tornado Cash.

Earlier this year, similar attacks have occurred including a 600 million USD hack on Axie Infinity’s Ronin sidechain, followed by a 325 million USD attack on Solana’s Wormhole. Such attacks have built a significant barrier to building trust in crypto. These cases demonstrate how blockchain bridges can be exceptionally vulnerable to attacks and highlight the pressing concern of enhancing the security of DeFi protocols.

Brief Introduction to Harmony and their Vulnerabilities
As an element contained within Binance Launchpad’s initial exchange offering, a decentralised blockchain platform named Harmony was released in May 2019. It was formulated to act as a bridge between scaling and decentralisation efforts, accompanied by guarantees of low expenses and latency. First, they prioritise removing structural barriers that were preventing cryptocurrencies from becoming credible digital currencies. In addition, they intend to boost transaction throughput, which should distinguish Harmony from other blockchain systems like Ethereum and others that are obliged to give up on other features, simply to increase speed. Finally, they desire a rapid and resource-efficient consensus procedure.

As an aid to achieving their goals, Harmony has innovated a blockchain bridge or cross-chain bridge which permits users to move assets from one chain to another. Simultaneously, the blockchain bridge would facilitate communication between multiple blockchains. Through the bridge, users can transfer assets across Harmony’s Horizon bridge, which includes tokens or stablecoins inclusive of Ethereum, Binance coins or Bitcoin. Nevertheless, Harmony’s Horizon bridge was not protected in the most effective manner and had some vulnerabilities.

From the earlier part of 2022, observers and researchers had already warned the company that they had several points of weaknesses. For instance, an investor named Ape Dev forewarned others that the security of the Horizon bridge depended on a multi-signature wallet or “multisig” wallet, which only needed two signatures to conduct transactions. This was not the optimal number of signatures since higher transaction security calls for the approval of more parties. It has been speculated that the hack occurred in the following manner:

Therefore, the beginning of the problem is likely to have stemmed from Harmony’s lack of proper measures to ensure security, as it is too easy to access the system. The hack is mostly attributed to either social engineering or a compromise of Secure Shell (SSH) keys.

Effects from the Hack
The hack has cost Harmony and their users a significant amount of funds or assets. However, the consequences span beyond the matter. Those affected by the hacking would be emotionally distressed as the sum is not minor. Current users may not wish to continue utilising the platform, and it may convince potential users to go to another platform, as there is a loss of trust in the reliability and security offered by Harmony. These ill sentiments could potentially affect Harmony’s operations and standing as an organisation.

It is possible for the situation to marginally improve if the hackers are willing to return the stolen assets. Regardless, Harmony should put in place more stringent regulations into place to show that they are serious about safeguarding their users.

Subsequent Measures to be Undertaken
As they are now aware of such shortcomings, Harmony and other cross-chain bridges should work to establish a more dependable and secure environment in the future. First, their multisig wallet should demand for more validators in order to authorise a transaction. In order for a transaction to be processed, multi-factor authentication may also be used.

Alternatively, Harmony and other blockchain bridges could also be more wary of the users that they onboard and screen each potential user more thoroughly. Through that, they could gauge the risks posed by each individual and have more information if the individual breaches a rule.