Harmony Developers Offer $1 Million Bounty in Exchange for $100 Million Lost in Hack

Harmony Network developers said late Saturday they would pay a $1 million bounty for the return of the $100 million they lost to a hacker on Thursday.

“We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information,” they wrote in a message on Twitter. “Harmony will advocate for no criminal charges when funds are returned.”

Founder and CEO Stephen Tse expanded on the situation in a series of tweets earlier in the evening, seeking to reassure users that the protocol was secure in the aftermath of the breach and confirming that it was the result of a social-engineering attack. “Confidentiality is key to maintain integrity as part of this ongoing investigation,” Tse wrote. “The omission of specific details is to protect sensitive data in the interest of our community. Incident response has found no evidence of smart contract code breach. No evidence of any vulnerability on the Horizon platform was found. Our consensus layer of the Harmony blockchain remains secure.

RELATED: Harmony Network Loses $100 Million to Hackers; Says FBI is Investigating

“The team has found evidence that private keys were compromised, leading to the breach of our Horizon bridge,” he added. “Funds were stolen from the Ethereum side of the bridge. Private keys were stored encrypted by Harmony. These keys were doubly encrypted using a passphrase and a key management service. No single machine had access to multiple plaintext keys. The system was designed to avoid persistent storage of plaintext secrets at rest.”

The project lost $100 million in wrapped Ethereum (WETH), wrapped bitcoin (WBTC), AAVE, SUSHI, DAI, Tether (USDT), and USD Coin (USDC) on Thursday to a hacker who breached the project’s Horizon bridge, making it the third-largest crypto hack this year. Polygon’s chief security officer, Mudit Gupta, said Friday the attack was “eerily” similar to the March hack of Axie Infinity’s Ronin Bridge which was conducted by a group linked to the North Korean regime. That attack, which was the largest this year, resulted in the loss of about $600 million, which has not been recovered.

If the perpetrator was an individual working alone, it is unlikely they will be able to access the funds without being discovered by authorities. The Poly Network successfully won the return of nearly $600 million taken by a hacker last year after their metadata leaked, including their email and IP address. That perpetrator slowly returned the funds over a multi-week period as developers coaxed them along, publicly praising him as “Mr. Whitehat” in addition to offering him a $500,000 bounty and a job as their chief security officer.

Writing on Saturday about the Harmony hack, Tse noted, “All stolen assets were swapped to ETH and currently reside on the hacker’s accounts on the Ethereum network. The hacker has not taken steps to anonymize ownership of these assets.”

RELATED: GameFi Players Decline Just 5% in May; DeFi Kingdoms, Axie Infinity Post the Biggest Drops

Harmony stands to see its losses grow beyond the $100 million stolen in the breach. The incident prompted the network’s users to dump their stablecoins, leading them to de-peg and causing hundreds of millions of dollars in losses for those who continued holding them. The chaos also provoked projects — including Evoverses and Cosmic Universe — to announce over the weekend that they would be moving their products to Aavalanche (AVAX). But they have not announced whether they will retain a presence on Harmony or completely cut ties, a decision that could be influenced by developers’ ability to reclaim the missing $100 million.

As of Sunday, Harmony held a market capitalization of $293 million, a little more than 10 percent lower compared to a week earlier, when it stood at $330 million. Tse, a former engineer for companies including Google and Apple, launched the project in 2017.

  • bitcoinBitcoin (BTC) $ 30,585.00
  • ethereumEthereum (ETH) $ 1,920.03
  • tetherTether (USDT) $ 1.00
  • bnbBNB (BNB) $ 246.29
  • xrpXRP (XRP) $ 0.473472
  • cardanoCardano (ADA) $ 0.288054
  • dogecoinDogecoin (DOGE) $ 0.068067
  • solanaSolana (SOL) $ 18.35
  • polkadotPolkadot (DOT) $ 5.27
  • matic-networkPolygon (MATIC) $ 0.668704
  • avalanche-2Avalanche (AVAX) $ 12.92
  • chainlinkChainlink (LINK) $ 6.36
  • moneroMonero (XMR) $ 167.81
  • crypto-com-chainCronos (CRO) $ 0.056814
  • aaveAave (AAVE) $ 67.17
  • algorandAlgorand (ALGO) $ 0.123240
  • tezosTezos (XTZ) $ 0.812640
  • axie-infinityAxie Infinity (AXS) $ 6.38
  • golemGolem (GLM) $ 0.187465
  • zelcashFlux (FLUX) $ 0.455396
  • chain-2Onyxcoin (XCN) $ 0.001183