
Harmony Network's Horizon Bridge Exploited for $100M

coindesk.com, 24 June 2022 04:12 UTC

A popular product on the Harmony network was exploited for over $100 million worth of cryptocurrencies last night in what is one of the biggest crypto hacks in recent weeks.

"The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM," developers said in a tweet. "We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds."

The Horizon bridge allowed users to exchange assets, such as tokens, stablecoins, and NFTs, between the Ethereum, Binance Smart Chain (BSC), and Harmony blockchains.

Harmony said in a separate tweet that the exploit did not impact its bitcoin bridge and that funds and assets stored on decentralized vaults were "safe at this time."

The bridge's design allowed attackers to exploit the network. According to developer documents, it worked as follows: a set of smart contracts was deployed on the Ethereum, BSC, and Harmony blockchains, and a pool of validators verifies when users lock liquidity on any of those networks.

When a token lock action is detected on the Ethereum blockchain, the pool of validators validates it and relays the finalized information to the Harmony blockchain: here, the same amount of a bridged token is minted. On the opposite side, when a bridged token burn is detected on the Harmony blockchain, the pool of validators validates it and relays the finalized information to the Ethereum blockchain, where the same amount of the original token is unlocked.
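The lock/mint and burn/unlock accounting described above can be reconciled by a monitor that watches both chains. The following Python sketch is an added example, not code from Harmony or its documentation; the event fields (`id`, `chain`, `type`, `ref`) and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Each relayed action must be backed by an earlier action on the other chain.
BACKED_BY = {"mint": "lock", "unlock": "burn"}

# Constructed sample events; field names (id, chain, type, ref) are assumptions.
SAMPLE_EVENTS = [
    {"id": "e1", "chain": "ethereum", "type": "lock", "token": "TKN", "amount": 100},
    {"id": "h1", "chain": "harmony", "type": "mint", "token": "TKN", "amount": 100, "ref": "e1"},
    {"id": "h2", "chain": "harmony", "type": "burn", "token": "TKN", "amount": 40},
    {"id": "e2", "chain": "ethereum", "type": "unlock", "token": "TKN", "amount": 40, "ref": "h2"},
    {"id": "e3", "chain": "ethereum", "type": "unlock", "token": "TKN", "amount": 60, "ref": None},
]

def reconcile(events):
    """Return alerts for an ordered stream of bridge events from both chains."""
    source = {}                  # id -> lock/burn not yet consumed by a relay
    locked = defaultdict(int)    # collateral held on the origin chain
    minted = defaultdict(int)    # bridged supply outstanding on Harmony
    alerts = []
    for ev in events:
        kind, token, amount = ev["type"], ev["token"], ev["amount"]
        if kind in BACKED_BY:
            need = BACKED_BY[kind]
            # pop() consumes the backing event, so it cannot be relayed twice
            backing = source.pop(ev.get("ref"), None)
            if backing is None or backing["type"] != need:
                alerts.append((ev["id"], f"{kind} without a matching {need}"))
            elif (backing["token"], backing["amount"]) != (token, amount):
                alerts.append((ev["id"], f"{kind} differs from its {need}"))
        else:
            source[ev["id"]] = ev
        if kind == "lock":
            locked[token] += amount
        elif kind == "unlock":
            locked[token] -= amount
        elif kind == "mint":
            minted[token] += amount
        elif kind == "burn":
            minted[token] -= amount
    # Design invariant: bridged supply never exceeds the collateral backing it.
    for token in sorted(set(locked) | set(minted)):
        if minted[token] > locked[token]:
            alerts.append((token, "bridged supply exceeds locked collateral"))
    return alerts

if __name__ == "__main__":
    for alert in reconcile(SAMPLE_EVENTS):
        print(alert)
```
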

The attacker did not move any funds to exchanges or privacy swap services like Tornado Cash at the time of writing, blockchain data shows.

Meanwhile, Harmony developers said they had notified exchanges and stopped the Horizon bridge to prevent further transactions. "The team is all hands on deck as investigations continue," they added. Harmony did not return requests for comment at the time of writing.
