By Ryan Browne, CNBC
25th June 2022 – Hackers have stolen US$100 million in cryptocurrency from Horizon, a so-called blockchain bridge, in the latest major heist in the world of decentralised finance.
Details of the attack are still slim, but Harmony, the developers behind Horizon, said they identified the theft Wednesday morning. Harmony singled out an individual account it believes to be the culprit.
“We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds,” the start-up said in a tweet late Wednesday.
In a follow-up tweet, Harmony said it’s working with the Federal Bureau of Investigation and multiple cybersecurity firms to investigate the attack.
Blockchain bridges play a big role in the DeFi space, offering users a way of transferring their assets from one blockchain to another. In Horizon’s case, users can send tokens from the Ethereum network to Binance Smart Chain. Harmony said the attack did not affect a separate bridge for bitcoin.
Like other facets of DeFi, which aims to rebuild traditional financial services like loans and investments on the blockchain, bridges have become a prime target for hackers due to vulnerabilities in their underlying code.
Bridges “maintain large stores of liquidity,” making them a “tempting target for hackers,” according to Jess Symington, research lead at blockchain analysis firm Elliptic.
“In order for individuals to use bridges to move their funds, assets are locked on one blockchain and unlocked, or minted, on another,” Symington said. “As a result, these services hold large volumes of cryptoassets.”
Harmony has not revealed exactly how the funds were stolen. However, one investor had raised concerns about the security of its Horizon bridge as far back as April.
The security of the Horizon bridge hinged on a “multisig” wallet that required only two signatures to initiate transactions. Some researchers speculate the breach was the result of a “private key compromise,” where hackers obtained the password, or passwords, required to gain access to a crypto wallet.
Harmony was not immediately available for comment when contacted by CNBC.
The Horizon theft follows a series of notable attacks on other blockchain bridges. The Ronin Network, which supports crypto game Axie Infinity, lost more than $600 million in a security breach that took place in March. Wormhole, another popular bridge, lost over $320 million in a separate hack a month earlier.
The heist adds to a stream of negative news in crypto lately. Crypto lenders Celsius and Babel Finance put a freeze on withdrawals after a sharp drop in the value of their assets resulted in a liquidity crunch. Meanwhile, beleaguered crypto hedge fund Three Arrows Capital could be set to default on a $660 million loan from brokerage firm Voyager Digital.