Harmony Protocol, which lost $100 million in a bridge attack earlier this week, has announced a $1 million bounty for returning stolen funds and an explanation for the breach.
In addition, the company, which specializes in cross-chain bridges, announced that it would lobby for no criminal charges after the money is returned.
It supplied an email address and an Ethereum wallet address (0xd6ddd996b2d5b7db22306654fd548ba2a58693ac) for the attacker to get in touch.
It remains to be seen whether the hacker will accept the bounty, which is only 1% of the stolen funds. They hold $98 million of the stolen funds in an Ethereum wallet and about $1.79 million at a Binance Smart Chain address.
Harmony first reached out to the hacker on June 24, indicating that they were interested in negotiations, even if done anonymously.
Harmony exploit used compromised private keys
Harmony, a proof-of-stake blockchain, lost $100 million after hackers targeted the Horizon bridge used for transferring tokens between the Ethereum network and the Binance Smart Chain. The exploit used compromised private keys, according to security firm Peckshield.
Private information from two of four crypto wallets supporting the bridge was used to siphon $100 million in ether, Binance Coin, and three stablecoins to an external wallet. According to forensics firm Elliptic, these were swapped for ether using a decentralized exchange.
A Twitter user going by the pseudonym @_apedev pointed out the vulnerability to Harmony in April.
Cross-chain bridge vulnerabilities
Blockchains have native tokens incompatible with other blockchains. For example, ether can only be used on the Ethereum blockchain, while bitcoin can be used on the Bitcoin network. Cross-chain bridges enable exchanges of tokens between different blockchains. However, they are complex, with software often developed by an anonymous team.
Using your currency of choice on the Bitcoin network involves using a bridge to convert your token to “wrapped bitcoin,” an alternative store of value on the target network, similar to a voucher. Smart contracts handle the conversion.
The wrapped bitcoin is underwritten by actual bitcoins on the bridge, which become a target for hackers since it is often unclear how the funds on the bridge are protected.
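The backing relationship described above, combined with the two-of-four key figure reported earlier, as an added illustration (not Harmony's or any real bridge's code). The class, function and key names are hypothetical, and treating two approvals as sufficient is an assumption drawn from the report.

```python
# Constructed toy model of a lock-and-mint bridge; not code from any real bridge.
from dataclasses import dataclass


@dataclass
class ToyBridge:
    signers: frozenset      # key IDs allowed to approve releases (hypothetical)
    threshold: int          # approvals needed per release (assumed value)
    locked: int = 0         # real tokens held by the bridge
    wrapped: int = 0        # vouchers issued on the target chain

    def lock_and_mint(self, amount: int) -> None:
        """Deposit: collateral goes in, the same number of vouchers come out."""
        self.locked += amount
        self.wrapped += amount

    def release(self, amount: int, approvals: set, burned: bool = True) -> None:
        """Pay out collateral. Signers attest that vouchers were burned on the
        other chain; the bridge cannot check that itself, so the approval
        count is the only guard on this path."""
        if len(self.signers & set(approvals)) < self.threshold:
            raise PermissionError("not enough valid approvals")
        if amount > self.locked:
            raise ValueError("release exceeds locked collateral")
        if burned:  # honest exit: matching vouchers really were destroyed
            if amount > self.wrapped:
                raise ValueError("burn exceeds wrapped supply")
            self.wrapped -= amount
        self.locked -= amount

    def backing_ratio(self) -> float:
        """1.0 means every voucher is covered; below 1.0 should raise an alert."""
        return 1.0 if self.wrapped == 0 else self.locked / self.wrapped


def ratio_after_key_compromise(threshold: int, stolen_keys: set) -> float:
    """Backing ratio after someone holding only `stolen_keys` tries a release."""
    bridge = ToyBridge(frozenset({"k1", "k2", "k3", "k4"}), threshold)
    bridge.lock_and_mint(100)
    try:
        bridge.release(100, stolen_keys, burned=False)  # nothing was burned
    except PermissionError:
        pass  # threshold held, collateral untouched
    return bridge.backing_ratio()


if __name__ == "__main__":
    print(ratio_after_key_compromise(2, {"k1", "k2"}))  # two keys suffice
    print(ratio_after_key_compromise(3, {"k1", "k2"}))  # two keys are not enough
```

The backing ratio is the figure a monitor would watch: it stays at 1.0 through honest deposits and exits and drops as soon as collateral leaves without a matching burn.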
Bridges were not needed in the early days of crypto, circa 2009, as the Bitcoin network was the only blockchain. Fast forward 13 years, and the explosion of decentralized finance demands that the chasm between blockchains be bridged.
To date, one of the largest bridge hacks saw over $600 million stolen from the Ronin bridge used by Sky Mavis for their play-to-earn game Axie Infinity in March. This hack, which resulted from a private key compromise, took the total loss from bridge hacks to $1 billion.
Harmony’s ONE token fell to a seven-day low on June 24, trading at $0.0236. It recovered slightly to $0.0244 at press time, according to Coingecko.