Hackers Stole $100M From Harmony Horizon Bridge, $78M AAG Token Set To Be Recovered
In the recent $100 million hack of Harmony, AAG, a metaverse software company, owned $84 million of its AAG tokens, which were worth $705,931 of the $100 million stolen by the hacker.
The Horizon Bridge, which facilitates token transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin, was targeted by hackers. They conducted a series of eleven transactions that siphoned off various altcoins.
The tokens were then sent to a different wallet, from which they were swapped for Ether (ETH) on the Uniswap decentralized exchange (DEX). Around $100 million worth of funds were stolen through altcoins like Frax (FRAX), Wrapped Ether (wETH), Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC), and USD Coin (USDC).
The bridge has been temporarily closed to prevent further losses. Developers of the project have also noted that this issue does not affect the BTC bridge.
Harmony published the exploiter’s Ethereum address and disclosed that the trustless BTC bridge was not impacted. In a separate Tweet, they called for a joint effort to build more trustless bridges which would provide higher security.
Team Discloses Initial Info
The team has also identified the wallet, which was responsible for swapping the stolen tokens for ETH, and has disclosed the address on Twitter.
They also announced that necessary actions have been taken to prevent further transactions by notifying exchanges and pausing the Horizon bridge.
The team also announced that it is closely working with national authorities and forensic specialists to identify the culprits behind the hack and will soon disclose a post-mortem report.
This exploit is the latest in a series of attacks that have affected the crypto space. Some of these include the Axie Infinity drain and the Solana Wormhole exploit. Hackers also patched a vulnerability known as the Demonic attack before it could cause any damage.
Due to the nature of the attack, various exchanges have been notified, and forensic specialists have been dispatched to assist in identifying the attacker. However, finding the attacker’s identity can be very challenging, depending on where he is located.
How AAG Set To Recover Its Losses
AAG tweeted that Lossless DeFi has come to its rescue. Lossless DeFi, which launched its protocol on Harmony a few days ago, has helped AAG freeze $78 million out of the $84 million AAG token that was stolen through the hack. The value of the AAG token at the time of writing was $0.0084.
Alarm Given in Advance
Concerns have been raised about the soundness of Horizon’s multi-sig wallet on Ethereum. It only required two out of its four signees to transfer the funds. A founder of a cryptocurrency-focused venture capital firm, Chainstride Capital, noted on Twitter that the low number of signers for the bridge would allow for another 9-figure hack.
Also, Mudit Gupta, a security researcher and CISO of Polygon, revealed that the Horizon Bridge was using a multi-signature mechanism to reach consensus. Out of the 5 signatures, if any 2 agreed on a transaction, it would go through. The exploiter compromised 2 signatures and was able to drain $100M.
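The threshold rule described above, modelled as an added example (not code from Harmony or from the original article). HMAC tags stand in for the bridge's real signatures, and the signer names, keys and transfer message are constructed for illustration.

```python
import hashlib
import hmac

# Constructed 5-member signer set; HMAC keys stand in for real signing keys.
SIGNER_KEYS = {f"signer{i}": f"constructed-key-{i}".encode() for i in range(1, 6)}
TRANSFER = b"release 1000 TOKEN to 0xCONSTRUCTED"  # constructed message


def sign(signer, message):
    """Produce the stand-in signature (an HMAC tag) for one signer."""
    return hmac.new(SIGNER_KEYS[signer], message, hashlib.sha256).hexdigest()


def approved(message, signatures, threshold):
    """True if at least `threshold` distinct known signers signed `message`."""
    valid = set()
    for signer, tag in signatures:
        key = SIGNER_KEYS.get(signer)
        if key is None:
            continue  # not a member of the signer set
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(signer)  # a set, so repeats from one signer count once
    return len(valid) >= threshold


def outcome_with_held_keys(held, threshold):
    """Would a party holding only the `held` keys get TRANSFER approved?"""
    return approved(TRANSFER, [(s, sign(s, TRANSFER)) for s in held], threshold)


if __name__ == "__main__":
    two_keys = ["signer1", "signer2"]
    for threshold in (2, 3, 4):
        print(f"{threshold}-of-5, two keys held:",
              outcome_with_held_keys(two_keys, threshold))
    replayed = [("signer1", sign("signer1", TRANSFER))] * 2
    print("2-of-5, one signer repeated:", approved(TRANSFER, replayed, 2))
```

With a threshold of 2, holding any two of the five keys is sufficient for approval; raising the threshold raises the number of keys that must be held, and counting distinct signers prevents one key from being counted twice.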
The bridge’s assets have dropped by $100 million following a prediction by developer Ape Dev. He is not the only one concerned about the security of cryptocurrencies. In January, Vitalik Buterin, a well-known developer, discussed the issue of token bridges in a Reddit post.
He noted that the exploitation of bridges could threaten the liquidity of the various chains. As the number of bridges continues to increase, he warned that the potential for 51% attacks on one chain could increase.
Since his prediction, the Token Bridge, Axie Infinity’s Ronin Bridge, and the Wormhole Bridge have been successfully exploited for over $1 billion.
Due to the nature of multi-sig, it is considered a security issue that hackers can exploit in attacks. In the case of the Ronin Bridge, only five of its nine signers were required to validate a transaction.
The attacker was able to steal over $600 million in assets. It is not clear if the attacker got the idea from Dev or if he was able to reach the same conclusion independently.
However, given the warning several months before the attack, the developers of the Harmony platform should have had time to secure their systems.
Due to the increasing number of cyberattacks on cryptocurrencies, third-party scrutiny of the security standards of blockchain-based platforms is likely to become more frequent.
Bottom line
The popular crypto YouTuber known as "Guy", owner of the Coin Bureau channel, predicted last year that 2022 would bring more reports of crypto hacks.
The rate of crypto hacks is alarming and if there is no solution to fence off the hackers, this may just be the start of crypto hacks.
Against this backdrop, there is an increasing demand for smart contract auditors and security experts.