A popular product on the Harmony network was exploited for over $100 million in cryptocurrencies in what is one of the biggest crypto hacks in recent weeks.
- "The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM," the network's developers said in a tweet. "We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds."
- The Federal Bureau of Investigation (FBI), the domestic intelligence and legal enforcement agency of the U.S., and cybersecurity firms have joined the search for the attacker, Harmony said in a subsequent tweet.
- Harmony's native ONE token slumped on news of the exploit, taking its decline in the past 24 hours to more than 12%. This was despite the broader market seeing a recovery, with bitcoin nearing the $21,000 mark.
- The attack adds to this year's litany of exploits targeting bridges, which allow users to move tokens between blockchains, taking the total lost to more than $1 billion in 2022 alone. Among the biggest, in February, Wormhole bridge suffered a $326 million hack, and in April Ronin was exploited for $625 million.
- Harmony said in a separate tweet that the exploit did not impact its bitcoin bridge and that funds and assets stored on decentralized vaults were "safe at this time."
- The mechanism of how the bridge worked allowed attackers to exploit the network. It worked as follows, as per developer documents: A set of smart contracts were deployed on Ethereum, BSC and Harmony blockchains. A pool of validators verifies when users lock liquidity on any of those networks.
- When a token lock action is detected on the Ethereum blockchain, the pool of validators validates it and relays the finalized information to the Harmony blockchain, where a matching amount of a bridged token is minted. On the opposite side, when a bridged token burn is detected on the Harmony blockchain, the pool of validators validates it and relays the finalized information to the Ethereum blockchain, where the same amount of the original token is unlocked.
- The attacker did not move any funds to exchanges or privacy swap services, such as Tornado Cash, at the time of writing, blockchain data shows.
- Meanwhile, Harmony developers said they had notified exchanges and stopped the Horizon bridge to prevent further transactions. "The team is all hands on deck as investigations continue," they added. Harmony did not return requests for comment at writing time.
UPDATE (June 24, 10:09 UTC): Adds FBI involvement, ONE token performance in headline, text; adds bullet on previous bridge hacks this year.
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.