A security developer’s prediction that the Harmony Network would be hacked made the rounds over the weekend after it was breached in the precise manner that he described.
“Since the current narrative du-jour is bridges & bridge hacks, I wanted to do some digging on the Harmony bridge on Ethereum, which secures ~$330m worth of tokens,” the pseudonymous developer, “ApeDev,” wrote in an April 1 post on Twitter. “The security of the bridge is currently predicated on a [multi-signature] wallet. … It has four owners, two of which are required to consent in order to execute an arbitrary transaction (i.e. drain the $330m).”
ApeDev — whose profile picture displays a monkey using a computer — founded a company called Chainstride Capital, which provides services including marketing and engineering assistance to cryptocurrency projects. He used more technical language to expand his description of the flaw, and also alluded to the nine-figure hack of Axie Infinity’s Ronin bridge in March, which resulted in the loss of around $600 million.
“This multi-sig isn’t verified on Etherscan, but the implementation seems to be on GitHub,” he noted. “It’s modified from an earlier Consensys multisig, but the modifications don’t seem to be obvious or made public. So all in all, if two of the four multisig signers are compromised, we’re going to see another 9 figure hack. Considering all that’s been going on lately, it’d be interesting to hear some details from @HarmonyProtocol on how these EOAs are secured. Are the private keys on HSMs? How do the validators work? Has the validator code been audited (the PeckShield audit of the bridge didn’t seem to include the validators, which are a key component of the system)?”
Harmony developers did not publicly address ApeDev’s concerns. The project’s team announced on Thursday that $100 million had been lost to a hacker who used social engineering to obtain the two keys necessary to drain the funds from its Horizon bridge. Founder Stephen Tse said Saturday that his team had increased the number of keys needed to compromise the network to four in the aftermath of the attack. “We will continue taking steps to further harden our operations and infrastructure security,” Tse wrote.
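The threshold policy described above (two of four owners before the attack, four afterwards) comes down to a small confirm-and-execute state machine in the style of the ConsenSys MultiSigWallet that ApeDev says the bridge's wallet was modified from. The following Python is an added example written for this page, not the Harmony bridge's contract: the owner labels are constructed, and the wallet keeps only the threshold logic so a reviewer can check what a given set of compromised keys can and cannot authorize under each setting.

```python
"""Toy k-of-n multisig in the submit / confirm / execute style of the ConsenSys
MultiSigWallet. Added example with constructed owner names; it is not the Harmony
bridge's contract and omits everything except the confirmation threshold."""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    tx_id: int
    description: str
    confirmations: set = field(default_factory=set)
    executed: bool = False


class MultiSigWallet:
    def __init__(self, owners, required):
        owners = list(owners)
        if len(set(owners)) != len(owners):
            raise ValueError("duplicate owner")
        if not 0 < required <= len(owners):
            raise ValueError("required must be between 1 and the number of owners")
        self.owners = set(owners)
        self.required = required
        self.transactions = []

    def _require_owner(self, owner):
        if owner not in self.owners:
            raise PermissionError(f"{owner} is not an owner")

    def submit(self, owner, description):
        """An owner proposes a transaction; submitting counts as its first confirmation."""
        self._require_owner(owner)
        tx = Transaction(len(self.transactions), description)
        self.transactions.append(tx)
        self.confirm(owner, tx.tx_id)
        return tx.tx_id

    def confirm(self, owner, tx_id):
        """Record an owner's confirmation; execute once the threshold is reached."""
        self._require_owner(owner)
        tx = self.transactions[tx_id]
        if tx.executed:
            raise ValueError("transaction already executed")
        tx.confirmations.add(owner)
        if len(tx.confirmations) >= self.required:
            tx.executed = True
        return tx.executed

    def change_requirement(self, required):
        """Raise or lower the threshold. In the real contract this is only callable by
        the wallet itself (i.e. via a confirmed transaction); it is a plain method here
        so the before/after scenario can be modelled."""
        if not 0 < required <= len(self.owners):
            raise ValueError("required must be between 1 and the number of owners")
        self.required = required


def can_execute_with(owners, required, signers, description="arbitrary transaction"):
    """True if the given subset of owners alone is enough to execute a transaction.
    Use it to evaluate a threshold policy against a set of assumed-compromised keys."""
    signers = list(signers)
    if not signers:
        return False
    wallet = MultiSigWallet(owners, required)
    tx_id = wallet.submit(signers[0], description)
    for signer in signers[1:]:
        wallet.confirm(signer, tx_id)
    return wallet.transactions[tx_id].executed


# Constructed owner labels; the real wallet's signer addresses are not on the page.
OWNERS = ["owner-A", "owner-B", "owner-C", "owner-D"]


if __name__ == "__main__":
    two_keys = {"owner-A", "owner-B"}
    print("2-of-4, two keys compromised:", can_execute_with(OWNERS, 2, two_keys))  # True
    print("4-of-4, two keys compromised:", can_execute_with(OWNERS, 4, two_keys))  # False
    print("4-of-4, all keys compromised:", can_execute_with(OWNERS, 4, OWNERS))    # True
```

The model makes the trade-off in the post-incident change visible: at 2-of-4 the two keys obtained through social engineering are sufficient on their own, while at 4-of-4 every owner must sign, so losing or compromising any single key no longer drains the wallet but does block all transactions until that key is rotated. The threshold only bounds how many keys must be compromised; it says nothing about how each key is stored, which is the HSM question ApeDev raised.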
The breach of Axie Infinity’s Ronin bridge resulted in the single largest loss of funds in a cryptocurrency hack this year and was traced to the Lazarus Group, a hacking outfit tied to the North Korean regime. As with the Harmony breach, attackers pulled off the heist by using social engineering to obtain the two keys necessary to drain funds from the bridge. Axie Infinity developer Sky Mavis said this week that it would reimburse victims of that incident using capital obtained in an investment round from firms including Binance, Animoca Brands, a16z, Dialectic, Paradigm, and Accel. The company said it planned to relaunch the bridge on June 28.
It is not clear that Harmony will be able to offer similar compensation. The project held just $10 million in cash on hand prior to the attack, along with a stash of its native cryptocurrency, ONE, likely to be valued at less than $100 million. At least two big projects — Cosmic Universe and EvoVerses — announced plans to leave the network as a result of the attack.
Harmony developers said Saturday they were offering a $1 million bounty for the return of the stolen funds.