There’s been another crypto hack in the triple-digit millions, and it’s another decentralized finance service. This time it’s the Horizon blockchain bridge, and the attackers exploited a vulnerability to get away with at least $100 million.
The Horizon blockchain bridge connects the Harmony platform with Ethereum. The bridge was closed for an extended period in the wake of the attack as the company investigated the incident; a theoretical signature vulnerability that was made public earlier this year may have been the door the crypto hackers used to get in.
DeFi continues to face serious security questions as another crypto hack steals millions
In April, a Twitter user pointed out a potential signature vulnerability that could be used to compromise the Horizon blockchain bridge. As with many other DeFi platforms, the system uses a “proof of stake” setup that in this case only requires two of four authorized accounts to sign off on a transaction to approve it. Compromising just two of these accounts, no matter how it might be done, would allow an attacker to drain the standing pool of liquidity that blockchain bridges must maintain to function.
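To make the threshold-signing point concrete, here is an added example that is not part of the article and not Harmony's or Horizon's code. It models the kind of M-of-N authorization check a bridge performs before releasing funds: a transfer is approved only when at least `threshold` distinct authorized signers have validly signed it. The signer names, secrets and message are constructed, and HMAC-SHA256 stands in for the on-chain ECDSA signatures so the example runs offline; the verification logic (bind signatures to the message, count each signer once, reject unknown signers) is the same either way. The point it illustrates is arithmetic: whatever the signing scheme, an attacker holding `threshold` signer keys can authorize anything, so a 2-of-4 policy means the security of the whole pool rests on two keys.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed toy signer set. In a real bridge these would be ECDSA keys
# registered on-chain; per-signer HMAC secrets stand in here (assumption).
AUTHORIZED_SECRETS = {
    "validator-1": b"secret-1",
    "validator-2": b"secret-2",
    "validator-3": b"secret-3",
    "validator-4": b"secret-4",
}


@dataclass(frozen=True)
class Signature:
    signer_id: str
    tag: bytes


def sign(signer_id: str, secret: bytes, message: bytes) -> Signature:
    """Produce a signer's authorization over a specific message."""
    return Signature(signer_id, hmac.new(secret, message, hashlib.sha256).digest())


def _valid(sig: Signature, message: bytes, authorized: dict) -> bool:
    """True only if the tag was produced by a known signer over this exact message."""
    secret = authorized.get(sig.signer_id)
    if secret is None:
        return False  # signer is not in the authorized set
    expected = hmac.new(secret, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.tag)


def verify_threshold(message: bytes, signatures, authorized: dict, threshold: int) -> bool:
    """Approve the message only if at least `threshold` distinct authorized
    signers produced a valid signature over it."""
    if threshold < 1 or threshold > len(authorized):
        raise ValueError("threshold must be between 1 and the signer count")
    approved = set()
    for sig in signatures:
        if sig.signer_id in approved:
            continue  # the same signer presented twice must not count twice
        if _valid(sig, message, authorized):
            approved.add(sig.signer_id)
    return len(approved) >= threshold


def keys_an_attacker_needs(threshold: int) -> int:
    """Holding `threshold` signer secrets is sufficient to approve any transfer,
    regardless of how many signers exist in total."""
    return threshold


def demo() -> dict:
    msg = b"release 100000000 USDC to 0xRECIPIENT"  # constructed message
    s1 = sign("validator-1", AUTHORIZED_SECRETS["validator-1"], msg)
    s2 = sign("validator-2", AUTHORIZED_SECRETS["validator-2"], msg)
    forged = Signature("validator-2", b"\x00" * 32)
    stranger = sign("validator-9", b"not-authorized", msg)
    return {
        # a 2-of-4 policy: two compromised keys are enough to drain the pool
        "two_of_four_accepts_two_keys": verify_threshold(msg, [s1, s2], AUTHORIZED_SECRETS, 2),
        # raising the threshold means the same two keys no longer suffice
        "three_of_four_rejects_two_keys": not verify_threshold(msg, [s1, s2], AUTHORIZED_SECRETS, 3),
        # defensive checks every threshold verifier needs
        "duplicate_signer_not_double_counted": not verify_threshold(msg, [s1, s1], AUTHORIZED_SECRETS, 2),
        "forged_tag_rejected": not verify_threshold(msg, [s1, forged], AUTHORIZED_SECRETS, 2),
        "unknown_signer_rejected": not verify_threshold(msg, [s1, stranger], AUTHORIZED_SECRETS, 2),
        "signature_bound_to_message": not verify_threshold(b"other transfer", [s1, s2], AUTHORIZED_SECRETS, 2),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The `demo()` function runs the checks a reviewer would want from a bridge's authorization path: the threshold is enforced, a single signer cannot be counted twice by resubmitting its signature, signatures from keys outside the authorized set or with a bad tag are ignored, and a signature over one transfer does not authorize a different one. None of these checks changes the core exposure the article describes, which is why the threshold itself, and the operational security of each signing key, is the thing to scrutinize.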
DeFi is dangerous for exactly the same reason it is attractive: a total lack of regulation and government oversight. While DeFi platforms allow participants to break away from fiat currency systems, they also provide much less in the way of safety and guarantees of the security of funds. The only thing motivating DeFi platforms to invest in and keep on top of security is the fear of consequences for their own finances. In this case, that meant not just the loss of $100 million but also a 12% immediate drop in the value of Harmony’s ONE token (followed by a smaller but steady ongoing decline).
Blockchain bridges, and DeFi in general, struggle with the lack of the kind of “security first” perspective that is necessary in the modern threat landscape (particularly for platforms sitting on hundreds of millions, if not billions, of dollars). The Horizon crypto hack joins the likes of the breaches of Axie Infinity and Wormhole as a high-profile demonstration of the risks that traders are being forced to accept as a condition of use.
Ethereum blockchain bridges facing particular attention from hackers
Crypto hackers have a particular interest in hitting bridges that link to Ethereum, as it allows them to quickly get away with the funds and take them to a mixing service (such as Tornado Cash, which appears to be exactly what happened here) for a clean getaway. Even though a similar attack might have been used against them, Harmony’s blockchain bridges to other coin types were not compromised. The hackers seemed to know exactly what they wanted.
Harmony has said that it is working with the FBI and has offered a $1 million bounty if the thieves return the funds, but the attackers could be seen spending the last days of June mixing and absconding with the funds and are unlikely to be caught at this point. Harmony had been updating the situation on Twitter and in a Medium post, but nothing new has been posted since.
When efforts such as these fail, there is nothing left but for the blockchain bridge to raise money to replace the stolen funds and restore whatever public confidence it can. The timing is particularly important for Harmony as it opened June by announcing the development of a new NFT game similar to the ill-fated Axie Infinity.