Horizon Bridge Exploit: Explained
After Wormhole and Ronin, Horizon Bridge falls in 2022.
This year has seen a lot of crypto hacks, starting with Wormhole and followed by the Ronin Bridge attack. Now the Horizon Bridge of Harmony Protocol has suffered a similar attack, and the hackers have started to move over $36 million of the $100 million stolen to Tornado Cash, a coin mixing service.
What are Bridges?
Blockchains are designed to work in isolation from the rest of the internet and from other blockchains. This isolation prevents users from moving funds across blockchains and taking advantage of innovation happening on other blockchains. For instance, someone holding Bitcoin will not be able to use the DeFi offerings that are being developed on Ethereum, Solana, and other blockchains.
Bridges solve this problem by facilitating the movement of funds across blockchains. When transferring tokens from Bitcoin to Ethereum, a bridge can be designed to lock the token on the Bitcoin blockchain and mint a new token on the Ethereum blockchain, called wBTC, with a value equivalent to the locked Bitcoin. Users can redeem their Bitcoin by returning the minted tokens (wBTC) to the bridge.
Horizon Bridge Hack
Horizon Bridge was designed to move funds between Harmony Protocol and the Ethereum blockchain.
This is a trustless bridge operated using smart contracts to manage the transfer of tokens between these blockchains. A 2 out of 5 multi-sig was used to authorize transactions on the bridge: a minimum of 2 out of 5 authorized signatories needed to sign a transaction for the transfer to succeed.
The attack vector that allowed the hacker to take control of these addresses is not public yet. However, some have speculated that the private keys were kept in plaintext. By gaining access to 2 of the 5 private keys, the hackers were able to drain $100 million worth of ETH, BUSD, and other tokens from the bridge.
Some attribute this hack to the Lazarus Group from North Korea, which had previously hacked the Ronin Bridge of Axie Infinity and stolen over $625 million.
Since the hack came to light, the Harmony team has migrated the Horizon Bridge to a 4 out of 5 multi-sig. The team has also committed a bounty of $1 million for the return of the stolen funds, along with a commitment not to take legal action.
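The threshold rule described above, as an added Python sketch (not Harmony's or the bridge's own code): it shows why two keys satisfy a 2 out of 5 multi-sig but not a 4 out of 5 one, and that repeated or mismatched approvals must not count toward the threshold. The signer names, keys and transaction bytes are constructed, and HMAC-SHA256 stands in for the signature check a real multi-sig contract would perform.

```python
import hashlib
import hmac

# Constructed keys for five signatories. HMAC-SHA256 stands in for the
# on-chain signature check of a real multi-sig wallet (assumption).
SIGNER_KEYS = {
    f"signer{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
    for i in range(1, 6)
}


def sign(signer_id, message):
    """Produce one signatory's approval tag over the transaction bytes."""
    return hmac.new(SIGNER_KEYS[signer_id], message, hashlib.sha256).digest()


def valid_approvers(message, approvals):
    """Return the distinct authorized signatories whose approval verifies."""
    approved = set()
    for signer_id, tag in approvals:
        key = SIGNER_KEYS.get(signer_id)
        if key is None:
            continue  # not one of the 5 authorized signatories
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            approved.add(signer_id)  # set: a repeated approval counts once
    return approved


def authorize(message, approvals, threshold):
    """k-of-n rule: at least `threshold` distinct valid approvals."""
    return len(valid_approvers(message, approvals)) >= threshold


def demo():
    tx = b"release:token=ETH:amount=100:to=0xCONSTRUCTED"  # constructed
    two_keys = [(s, sign(s, tx)) for s in ("signer1", "signer2")]
    repeated = [("signer1", sign("signer1", tx))] * 2
    other_tx = [(s, sign(s, b"another-tx")) for s in ("signer1", "signer2")]
    return {
        "2-of-5, two keys": authorize(tx, two_keys, 2),
        "4-of-5, two keys": authorize(tx, two_keys, 4),
        "2-of-5, one key twice": authorize(tx, repeated, 2),
        "2-of-5, approvals for another tx": authorize(tx, other_tx, 2),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authorized' if ok else 'rejected'}")
```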
Final Notes
Exploits such as the Horizon Bridge hack have occurred because blockchain projects have not followed traditional security practices. Recent hacks have shown that traditional security practices are a must for blockchain projects that hold billions of dollars every day. Security in blockchains is a key concern that needs to be addressed as a priority to safeguard users' funds.


