Don't miss CoinDesk's Consensus 2022, the must-attend crypto & blockchain festival experience of the year in Austin, TX this June 9-12.
A popular product on the Harmony network was exploited for over $100 million in cryptocurrencies in what is one of the biggest crypto hacks in recent weeks.
"The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM," the network's developers said in a tweet. "We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds."
The Federal Bureau of Investigation (FBI), the domestic intelligence and legal enforcement agency of the U.S., and cybersecurity firms have joined the search for the attacker, Harmony said in a subsequent tweet.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
Harmony's native ONE token slumped on news of the exploit, taking its decline in the past 24 hours to more than 12%. This was despite the broader market seeing a recovery, with bitcoin nearing the $21,000 mark.
The attack adds to this year's litany of exploits targeting bridges, which allow users to move tokens between blockchains, taking the total lost to more than $1 billion in 2022 alone. Among the biggest, in February, Wormhole bridge suffered a $326 million hack, and in April Ronin was exploited for $625 million.
Harmony said in a separate tweet that the exploit did not impact its bitcoin bridge and that funds and assets stored on decentralized vaults were "safe at this time."
The mechanism of how the bridge worked allowed attackers to exploit the network. It worked as follows, as per developer documents: A set of smart contracts were deployed on Ethereum, BSC and Harmony blockchains. A pool of validators verifies when users lock liquidity on any of those networks.
When a token lock action is detected on the Ethereum blockchain, the pool of validators validates it and relays the finalized information to the Harmony blockchain, where a matching amount of a bridged token is minted. On the opposite side, when a bridged token burn is detected on the Harmony blockchain, the pool of validators validates it and relays the finalized information to the Ethereum blockchain, where the same amount of the original token is unlocked.
The attacker did not move any funds to exchanges or privacy swap services, such as Tornado Cash, at the time of writing, blockchain data shows.
Meanwhile, Harmony developers said they had notified exchanges and stopped the Horizon bridge to prevent further transactions. "The team is all hands on deck as investigations continue," they added. Harmony did not return requests for comment at writing time.
UPDATE (June 24, 10:09 UTC): Adds FBI involvement, ONE token performance in headline, text; adds bullet on previous bridge hacks this year.