The company announced on its Twitter handle that it would pay a sum of 1 million to anyone returning the 10 million worth of altcoins or sharing any information regarding the hacker. It also promised not to share any information regarding the informant and not to press any criminal charges if the funds are returned.
We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information.
Contact us at email@example.com or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.
Harmony will advocate for no criminal charges when funds are returned.
June 26, 2022
So, what happened exactly?
On Thursday, June 23rd, the Horizon bridge used by the company to allow users to transfer cryptocurrency between Ethereum, Binance Smart Chain, and Harmony was breached.
The hackers stole $1 billion in Wrapped Tether (USDT), USD Coin (USDC), AAVE, SUSHI, DAI, and WITH (WITH) before exchanging them for WETH.
According to Harmony’s blog post, the FBI, several cybersecurity partners, exchange partners, and others were contacted immediately after the assault and asked to help with an investigation aimed at locating the perpetrator and recovering stolen property. The blog post stated,
“Further, the team has attempted communication with the hacker by embedding a note in a transaction to the culprit’s address.”
Based on a note found within an Ethereum transaction readout, Elliptic claims that the Harmony team appears willing to speak with the entity responsible for the crime.
“The Harmony team is interested in communicating and negotiating. Please reach out to firstname.lastname@example.org to start a conversation. Communication can be anonymous.”
Following the hack, Harmony also ceased all Horizon bridge operations. As of this writing, the price of its native ONE token was $0.02445, which is 8.5% less than it was on Friday before the hack was detected.
According to a tweet, the Harmony team has discovered the hacker’s address and is collaborating with “national authorities and forensic specialists” to recover the stolen altcoins.
As early as April, one investor going by the name of Ape Dev expressed doubts about the security of the Horizon bridge.
The researcher cautioned on Twitter that the security of the Horizon bridge depended on a multisignature wallet, often known as a “multi-sig,” that needed only two signatures to start transactions. Multi-sig wallets add security to transactions by demanding the agreement of multiple participants.
The hack may dispel community concerns about the validity of the two-of-four multisig that is supposed to protect the bridge. As only two of the four signatories were required to withdraw money, questions had already been raised about the security of Horizon’s multi-sig wallet on Ethereum (1).
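The threshold concern described above can be made concrete with a small model. This is an added example, not code from the article or from Harmony: it checks an m-of-n approval policy and shows what two exposed signer keys mean under a 2-of-4 threshold. The signer names, keys, transaction string, HMAC stand-in for wallet signatures, and the 3-of-4 comparison are all assumptions made for illustration.

```python
import hashlib
import hmac
from math import comb


def sign(key: bytes, tx: bytes) -> bytes:
    # Stand-in for a wallet signature (assumption): HMAC-SHA256, not ECDSA.
    return hmac.new(key, tx, hashlib.sha256).digest()


def approved(tx, signatures, signer_keys, threshold):
    """Return True if at least `threshold` DISTINCT registered signers signed tx.

    signatures: list of (signer_name, signature) pairs.
    Unknown signers and bad signatures are ignored; repeats count once.
    """
    valid = set()
    for name, sig in signatures:
        key = signer_keys.get(name)
        if key is not None and hmac.compare_digest(sig, sign(key, tx)):
            valid.add(name)
    return len(valid) >= threshold


def minimal_key_sets(n, m):
    # Number of distinct m-key subsets of n signers that suffice to approve.
    return comb(n, m)


# Constructed sample data: four hypothetical signers and one withdrawal request.
SIGNERS = {f"signer{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
           for i in range(1, 5)}
TX = b"withdraw:bridge-funds:to=CONSTRUCTED-ADDRESS"


def outcome_with_exposed_keys(exposed, threshold):
    # What the policy decides when only the `exposed` signers' keys sign TX.
    sigs = [(name, sign(SIGNERS[name], TX)) for name in exposed]
    return approved(TX, sigs, SIGNERS, threshold)


if __name__ == "__main__":
    for m in (2, 3):
        print(f"{m}-of-4: approves with 2 exposed keys =",
              outcome_with_exposed_keys(["signer1", "signer3"], m),
              "| sufficient key sets =", minimal_key_sets(4, m))
```

Raising the threshold lowers the number of key subsets that can move funds on their own and forces a larger number of independent key exposures before a withdrawal is approved.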