Hackers looted around $100 million from a so-called cryptocurrency bridge, again exposing a key vulnerability in the digital asset ecosystem.
Blockchain Harmony said in a tweet that the hack of its Horizon Bridge, which allows people to exchange coins between different blockchains, took place on Thursday morning. It “began working with national authorities and forensic specialists to identify the culprit and recover the stolen funds.”
Most of the crypto world is divided into silos: Bitcoin and Ethereum networks, for example, can only work with Bitcoin and Ethereum tokens. As more cryptocurrencies are adopted and merchants demand the ability to seamlessly interact with each other, projects like Harmony are developing platforms known as bridges that can accept a variety of tokens and move them seamlessly between blockchains.
But bridges are particularly vulnerable to hacks because their technology is complex and they are often run by anonymous teams. How they protect the funds is often unclear. Sophisticated hackers have repeatedly targeted them.
Harmony’s native ONE token, used to pay transaction fees, earn rewards or vote on platform changes, has fallen 12% in the past 24 hours, according to CoinGecko. The underlying Harmony blockchain has a total project-related value of over $1 billion, according to its website.
It was not immediately clear if any user funds had been stolen.
“Private Key Compromise”
The attack on Horizon, which offers cross-chain transfers between Ethereum and Binance’s Smart Chain, marks the third major bridge hack this year. In February, hackers stole over $300 million from the Wormhole Bridge, followed by a $620 million theft from the Ronin Bridge a month later.
Even before the Horizon hack, more than $1 billion had been stolen from bridges, researcher Chainalysis estimated.
In Horizon’s case, “the theft appears to have occurred due to private key compromise,” said Xuxian Jiang, chief executive of security firm PeckShield, which was contacted by Harmony for assistance. Harmony did not immediately respond to requests for comment.
The Horizon Bridge is managed and secured by four wallets, Jiang said, and authentication from at least two of the wallets, each supported by multiple signatures, is required to validate and execute a transaction. On this occasion, an attacker was able to compromise the private information needed to access these wallets and then trigger transactions that removed assets from the Horizon Bridge to an external wallet, Jiang said.
Hackers got away with cryptocurrencies including Ether and BNB, as well as Tether, USDC and DAI stablecoins, researcher Elliptic said in a tweet. These tokens were then exchanged for Ether using so-called decentralized exchanges in what Elliptic called “a common technique with these hacks.”
Horizon uses a security mechanism similar to that used by the Ronin Bridge, tied to the popular blockchain game Axie Infinity, which required five out of nine validators to sign off at the time it was hacked. Harmony is popular for blockchain games like Mars Colony and DeFi Kingdoms, according to its website.
After the Ronin attack, which was attributed to a North Korean hacker group, owner Sky Mavis sharply increased the number of validators required to sign transactions, pledging to eventually increase it to over 100.
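The approval rule described above (two of Horizon's four wallets, five of Ronin's nine validators) can be sketched as a threshold check. This is an added example, not code from Harmony, Sky Mavis or the researchers quoted; the HMAC stand-in for wallet signatures, the key values and every name in it are assumptions constructed for illustration.

```python
import hashlib
import hmac

def sign(key: bytes, tx: bytes) -> bytes:
    # Stand-in for a wallet signature (assumption): HMAC-SHA256 over the transfer.
    return hmac.new(key, tx, hashlib.sha256).digest()

class ThresholdBridge:
    """Releases a transfer only when `threshold` distinct wallets approve it."""

    def __init__(self, wallet_keys, threshold):
        if not 1 <= threshold <= len(wallet_keys):
            raise ValueError("threshold must be between 1 and the wallet count")
        self.wallet_keys = dict(wallet_keys)
        self.threshold = threshold

    def valid_signers(self, tx, approvals):
        """Distinct known wallets whose approval verifies for exactly this tx."""
        signers = set()
        for name, sig in approvals:
            key = self.wallet_keys.get(name)
            if key is not None and hmac.compare_digest(sig, sign(key, tx)):
                signers.add(name)  # a set, so a repeated approval counts once
        return signers

    def authorize(self, tx, approvals):
        return len(self.valid_signers(tx, approvals)) >= self.threshold

# Constructed sample data: four wallets under a 2-of-4 rule, as the article describes.
KEYS = {f"wallet{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
        for i in range(1, 5)}
BRIDGE = ThresholdBridge(KEYS, threshold=2)
TX = b"transfer 100 TOKEN to 0xEXAMPLE"  # constructed transfer description

def approvals_from(names, tx=TX):
    return [(n, sign(KEYS[n], tx)) for n in names]

def demo():
    one = approvals_from(["wallet1"])
    two = approvals_from(["wallet1", "wallet2"])
    return {
        "one_wallet": BRIDGE.authorize(TX, one),
        "same_wallet_twice": BRIDGE.authorize(TX, one + one),
        "unknown_signer": BRIDGE.authorize(TX, one + [("walletX", b"\0" * 32)]),
        "approvals_for_other_tx": BRIDGE.authorize(b"other transfer", two),
        "two_wallets": BRIDGE.authorize(TX, two),
    }

if __name__ == "__main__":
    for case, released in demo().items():
        print(f"{case:24} released={released}")
```

The check proves only possession of keys: whoever holds any two of the four passes it, which is why a private key compromise was enough to move funds out of the bridge.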
Thursday’s attack on the Horizon Bridge follows an exploit tied to five user wallets on Harmony’s network in January, in which the company said a thief siphoned off 19,314,598 ONE tokens, worth about $5.8 million at the time.
The amount of money locked on bridges connected to the Ethereum blockchain has fallen by 60% in the past 30 days to less than $12 billion, per Dune tracker, triggered by a broader crypto market crash and liquidity issues surrounding several major crypto players, including Celsius Network, Babel Finance, Three Arrows Capital and Voyager Digital.
(Updates to add context from the third paragraph and throughout)
-With the help of Suvashree Ghosh and Tanzeel Akhtar.