The proof-of-stake (PoS) blockchain Harmony Protocol tweeted an offer of a $1 million reward for information regarding the Thursday hack of its Ethereum-linked Horizon bridge, which resulted in the loss of $100 million in cryptocurrency.
“We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information. Contact us at email@example.com or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac. Harmony will advocate for no criminal charges when funds are returned.”
The incident report shared by Harmony protocol
Stephen Tse, CEO and founder of Harmony Protocol, stated on Twitter that the Harmony blockchain’s consensus layer was safe and that there is no indication that the Horizon platform itself is vulnerable.
“Incident response has found no evidence of smart contract code breach. No evidence of any vulnerability on the Horizon platform was found. Our consensus layer of the Harmony blockchain remains secure.”
Security professionals on Friday provided some insights into the intrusion while the Harmony team was still conducting its probe. According to Polygon’s chief information security officer Mudit Gupta, the attacker used two likely compromised private addresses to take control of the multi-signature wallet used to deploy Harmony’s bridge and drained the funds.
According to Tse, his team has discovered proof that private keys were compromised, which resulted in the breach of the Horizon bridge.
“The team has found evidence that private keys were compromised, leading to the breach of our Horizon bridge. Funds were stolen from the Ethereum side of the bridge.”
He further stated that “Private keys were stored encrypted by Harmony. These keys were doubly encrypted using a passphrase and a key management service. No single machine had access to multiple plaintext keys. The system was designed to avoid persistent storage of plaintext secrets at rest.”
According to Tse, the attackers accessed and decrypted some of these stored keys and used them to sign transactions. All the stolen assets were swapped to Ethereum and held in the perpetrators’ wallet.
“The attacker was able to access and decrypt a number of these keys, some of which were used to sign the unauthorized transactions. Stolen assets include BUSD, USDC, ETH, and WBTC.”
Steps taken to strengthen the bridge
Tse also said that they have raised the multisig threshold from 2-of-5 to 4-of-5.
“We have migrated the Ethereum side of the Horizon bridge to a 4-of-5 multisig since the incident.”
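To show what the threshold change buys, here is an added example (not Harmony’s code; the signer labels are constructed) that models a multisig’s approval check and the two tolerances a threshold sets: how many keys an attacker can compromise before a forged approval passes, and how many honest keys can be lost before the wallet can no longer act.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Multisig:
    owners: frozenset   # addresses allowed to sign
    threshold: int      # distinct owner signatures required per transaction

    def approves(self, signers):
        """Mimic a multisig execute check: only distinct, valid owner signatures count."""
        valid = set(signers) & self.owners   # drops non-owners and duplicate signers
        return len(valid) >= self.threshold

    def compromise_tolerance(self):
        """Keys an attacker can steal without being able to forge an approval alone."""
        return self.threshold - 1

    def loss_tolerance(self):
        """Honest keys that can be lost (destroyed, offline) before the wallet is stuck."""
        return len(self.owners) - self.threshold


# Constructed labels for a five-key signer set
OWNERS = frozenset(f"signer{i}" for i in range(1, 6))
BEFORE = Multisig(OWNERS, 2)   # 2-of-5, the configuration before the incident
AFTER = Multisig(OWNERS, 4)    # 4-of-5, the configuration after the migration


def attacker_can_drain(wallet, stolen_keys):
    """True if the stolen keys alone satisfy the wallet's threshold."""
    return wallet.approves(stolen_keys)


if __name__ == "__main__":
    stolen = {"signer1", "signer2"}   # two compromised keys, as described in the article
    for name, w in (("2-of-5", BEFORE), ("4-of-5", AFTER)):
        print(name, "drainable with 2 stolen keys:", attacker_can_drain(w, stolen),
              "| tolerates", w.compromise_tolerance(), "stolen,",
              w.loss_tolerance(), "lost")
```

The trade-off is visible in the numbers: 4-of-5 survives three stolen keys where 2-of-5 survived one, but it can now lose only a single honest key before signing halts.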
He added that Harmony would “continue taking steps to tighten our operations and infrastructure security further” while the inquiry was continuing.