The Harmony protocol suffered a breach that resulted in the loss of about $100 million. The funds were drained from Harmony's Horizon bridge through an exploit that Mudit Gupta, a blockchain security expert, has described as a traditional hack rather than a blockchain hack.
Gupta said that this is why protocols should focus on traditional security as well as blockchain security.
According to the information publicly available at the moment, the compromise resulted from the attacker gaining access to two hot wallets that held two of the five signing keys behind the bridge's multisig.
In its update about the hack, the Harmony protocol wrote:
“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”
Hacker Compromised 2 Addresses
The Harmony team said that the hack has no impact on the trustless BTC bridge, since its funds are held in decentralized vaults. They added that exchanges have been notified of the hack and that further transactions on the bridge have been halted to forestall further withdrawals.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
According to Mudit Gupta, a developer and security expert at 0xPolygon, the breach was possible because the hacker compromised two addresses and used them to drain the funds the bridge held. He said the bridge allowed any two of its five multisig signers to authorize withdrawals.
“The bridge was essentially a 2 of 5 multisig. If any 2 addresses told it to transfer funds to someone, it did. The hacker compromised 2 addresses and made them drain the money.”
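To make Gupta's point concrete, here is an added example that is not Harmony's or Horizon's code: a small Python model of an m-of-n multisig withdrawal check. It shows that at 2-of-5, an attacker holding any two signers' keys can move the entire vault to an address of their choosing, that the same two keys achieve nothing once the threshold is raised to 4-of-5, and that padding the approval set with forged signatures for the other signers does not help. HMAC-SHA256 stands in for the ECDSA signatures a real bridge contract would verify (so this verifier holds the same secrets as the signers, which a real contract would not); the signer names, vault balance and attacker address are constructed for the example.

```python
"""m-of-n multisig bridge model showing why two stolen keys drain a 2-of-5 vault.

Added example, not Harmony's code. HMAC-SHA256 stands in for the ECDSA
signatures a real bridge contract verifies, so here the verifier holds the same
secrets as the signers (a real contract holds only signer addresses). Signer
names, the vault balance and the attacker address are constructed.
"""
import hashlib
import hmac
import json
import secrets

SIGNERS = ["signer1", "signer2", "signer3", "signer4", "signer5"]  # assumed set
VAULT_BALANCE = 100_000_000  # constructed figure, in the bridge's base units
ATTACKER = "0xattacker"      # constructed recipient address


def canonical(recipient: str, amount: int, nonce: int) -> bytes:
    """Deterministic encoding so every signer signs exactly the same bytes."""
    payload = {"to": recipient, "amount": amount, "nonce": nonce}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, message: bytes) -> bytes:
    """One signer's authorization over the message (HMAC as ECDSA stand-in)."""
    return hmac.new(secret, message, hashlib.sha256).digest()


class Bridge:
    """Releases funds once `threshold` distinct registered signers approve."""

    def __init__(self, signer_keys: dict, threshold: int, balance: int):
        if not 1 <= threshold <= len(signer_keys):
            raise ValueError("threshold must lie between 1 and the signer count")
        self.signer_keys = signer_keys
        self.threshold = threshold
        self.balance = balance
        self.used_nonces = set()  # replay protection for approved withdrawals

    def withdraw(self, recipient: str, amount: int, nonce: int, signatures: dict) -> bool:
        if nonce in self.used_nonces or amount > self.balance:
            return False
        msg = canonical(recipient, amount, nonce)
        # Count only registered signers whose signature verifies; dict keys
        # are unique, so one signer cannot be counted twice.
        approvals = sum(
            1 for addr, sig in signatures.items()
            if addr in self.signer_keys
            and hmac.compare_digest(sign(self.signer_keys[addr], msg), sig)
        )
        if approvals < self.threshold:
            return False
        self.used_nonces.add(nonce)
        self.balance -= amount
        return True


def run_attack(threshold: int, stolen: list, forge_rest: bool = False) -> int:
    """An attacker who read the `stolen` signers' keys off their server tries to
    move the whole vault to ATTACKER. Returns the balance left in the bridge."""
    keys = {name: secrets.token_bytes(32) for name in SIGNERS}
    bridge = Bridge(keys, threshold, VAULT_BALANCE)
    msg = canonical(ATTACKER, VAULT_BALANCE, nonce=1)
    sigs = {name: sign(keys[name], msg) for name in stolen}
    if forge_rest:
        # No key for the remaining signers: random bytes must not count.
        for name in SIGNERS:
            sigs.setdefault(name, secrets.token_bytes(32))
    bridge.withdraw(ATTACKER, VAULT_BALANCE, 1, sigs)
    return bridge.balance


def replay_blocked() -> bool:
    """A legitimately approved withdrawal cannot be submitted a second time."""
    keys = {name: secrets.token_bytes(32) for name in SIGNERS}
    bridge = Bridge(keys, 2, VAULT_BALANCE)
    msg = canonical("0xuser", 1_000, nonce=7)
    sigs = {name: sign(keys[name], msg) for name in SIGNERS[:2]}
    first = bridge.withdraw("0xuser", 1_000, 7, sigs)
    second = bridge.withdraw("0xuser", 1_000, 7, sigs)
    return first and not second and bridge.balance == VAULT_BALANCE - 1_000


if __name__ == "__main__":
    print("2-of-5, two keys stolen   ->", run_attack(2, SIGNERS[:2]))        # 0: drained
    print("4-of-5, two keys stolen   ->", run_attack(4, SIGNERS[:2]))        # untouched
    print("4-of-5, forged signatures ->", run_attack(4, SIGNERS[:2], True))  # untouched
    print("replay rejected           ->", replay_blocked())                  # True
```

The threshold is the whole story here: the contract logic is doing exactly what it was told, so the weakness is not in the verification code but in how few keys an attacker has to obtain, and in where those keys live. Raising m helps only if the extra signers' keys are kept on separately administered hosts, otherwise one server compromise still yields m keys at once.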
Access Through The Server
According to Gupta, the compromised addresses were likely hot wallets used for legitimate transactions, and the hacker could have gained access by compromising the server the wallets were running on. He said this is no different from how the Ronin bridge was hacked months earlier: once on the server, the hacker could read the private keys, which were stored in plaintext so that legitimate transactions could be signed.
“The server exploit was likely either SSH key compromise or social engineering.”
He characterized this as a traditional hack rather than a blockchain hack, and said it is one of the reasons protocols should focus on traditional security as well as blockchain security.
In an earlier update on May 9, Gupta had written:
“The next big blockchain hack is not going to be a “blockchain hack”. Focus on traditional security and attack vectors as well, not just smart contract audits, anon.”