More than $100m in cryptocurrency stolen from blockchain biz
'A humbling and unfortunate reminder' that monsters lurk under bridges
Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.
The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.
"Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.
A similar attack in February on a bridge called Wormhole resulted in a loss of $320 million. That was followed a month later by the heist of about $620 million from video game Axie Infinity's Ronin Network, another bridge service.
"Blockchain bridges are the latest target and weak point of crypto attackers," observed Chris Wysopal, a security researcher and CTO of Veracode, via Twitter. "In software security, vulnerabilities often occur in the complexity of two different systems interfacing with each other."
Matthew Barrett, who contributes to project and appears to have taken on a communications role for Mountain View, California-based Harmony but isn't listed on the organization's team webpage, described the incident in a post to Medium.
Barrett said in the wake of the attack, Harmony's security and exchange partners were notified, as was the FBI, in the hope the culprit and a way to recover the funds, still sitting unlaundered in a visible crypto wallet, can be identified.
"Harmony believes that focusing on decentralized bridges is an essential step forward for Web3," said Barrett. "This incident is a humbling and unfortunate reminder of how our work is paramount to the future of this space, and how much of our work remains ahead of us."
The Horizon bridge was audited by Peck Shield, a blockchain security firm, in October 21, 2020. The report identified five issues with the bridge's smart contract implementation: two high severity, two low severity, and one informational, all of which are said to have been fixed. The audit includes a disclaimer noting that the findings do not guarantee the non-existence of other security concerns.
An individual involved in cryptocurrency trading raised questions in a Twitter thread about the Horizon bridge back in April and noted that the audit didn't assess some aspects of the system. This person speculates that that the hack was likely accomplished through a server/key compromise or social engineering.
Harmony has not yet identified how the attack was carried out.
- Cybercriminals made $7bn in pure profit in 2021, says FBI
- Cryptocurrency laundromat Blender shredded by US Treasury in sanctions first
- Capital One: Convicted techie got in via 'misconfigured' AWS buckets
- Intuit sued over alleged cryptocurrency thefts via Mailchimp intrusion
Matthew Green, a cryptography professor at Johns Hopkins University, expressed concern that the poor security of decentralized finance ventures amounts to a slush fund for hostile nations.
"It’s increasingly obvious that there are attackers (including state-sponsored attackers) making lists of vulnerable 'web3' services, ordered by target value and system vulnerability," he said via Twitter. "And they are working systematically down those lists."
"Who is systematically defending this area to keep North Korea from collecting $100s of millions to use in its missile program?" he asked.
The Lazarus Group, a cybercrime gang associated with North Korea's Reconnaissance General Bureau, was sanctioned for involvement with the Ronin Network theft.
The Grift Counter, a running total cryptocurrency losses since 2021 maintained by Web3IsGoingGreat.com, has now surpassed $10 billion. ®