An individual, group or groups of perpetrators began transferring Harmony’s Horizon Bridge’s assets on the Ethereum chain, starting on Jun-23-2022 11:06:46 AM +UTC, 14 bridged assets, including USDC, ETH and USDT on Ethereum, and also BNB on Binance Smart Chain, into a previously unrecognized account 0x0d04…d000. The perpetrator(s) compromised at least two out of four private keys of the bridge validators and gained control of the bridged assets, to then begin funneling the assets into a combination of new wallets (known as wallet hopping) and eventually into a mixer called Tornado Cash. Forensics teams are actively monitoring the activities of these wallets and the mixer.
Harmony had offered a $1M bounty to return the remaining stolen amount. The bounty was soon after increased to $10M but Harmony has not received a legitimate response to date. The global hunt continues with investigations passed on to the Federal Bureau of Investigation (FBI) with the cooperation of partners, including multinational cryptocurrency exchanges. We believe this was a coordinated attack targeting our internal infrastructure. There is no evidence to date that the bridge smart contracts, or the blockchain protocol, were compromised.
Decrypting the bridge keys would have required several operations from within a secure set of servers to generate keys on-the-fly performed on servers with privileged access (authorized roles). We believe the attacker(s) 1) employed a phishing schemes to trick at least one software developer to install malicious software on their laptop, that 2) enabled the attacker to either read chat threads to understand how to operate the bridge, and/or gain access to non-public bridge infrastructure code, plus 3) gaining backdoor access to one or more servers, to perform the hack. The perpetrator(s) were successfully able to do all three.
An attack inducing installation of trojan-horse software occurred as recently as June 17th. We are still investigating what this software is capable of. Meanwhile, we discovered a vulnerability on June 18th related to software packages included with our internal subgraph service. This leads to exposing all server addresses within a private cloud environment. This may have been potentially used to probe internal server addresses. The engineering team was in the process of addressing this vulnerability before the bridge hack on June 23rd. Post-hack, we discovered evidence that there were server logs with date and timestamps, hinting that the perpetrator began reviewing the Horizon Bridge implementations as early as June 2nd. This, in itself, is insufficient to compromise the bridge. The combination of all of the above demonstrates an orchestrated attack to perform the hack.
The Horizon Bridge has since been halted but not until approximately 64,000 wallets, with approximately 50,000 of them being bridged wallet owners, and the rest spread across the entire DeFi ecosystem, were affected. To regain trust from our community, Harmony also paused the unaffected Trustless Bitcoin bridge, reinforced it with an expanded key set, and swapped the multisig signers to be managed by a new set of keys. We have since released the Bitcoin bridge funds and have the owners reclaim their funds, effectively rendering the bridge offline, in order to secure user funds on this bridge. We plan to reconvene bridge activities at a later date.
Harmony has now set up a Security Operations team to lock down Cloud infrastructure to minimize any further compromise by reducing the attack surface. Access to any of the cloud services, including bridge nodes, were decoupled in an effort to preserve forensic evidence while maintaining minimal blockchain node operations for the Harmony blockchain. A focused Security Operations team is reviewing the practices around Cloud operations to review and rollout security best practices, such as the use of Single Sign-On with Multi Factor Authentication (MFA), use of VPN, clear separation of sensitive and insensitive data, full traceability of access, in all identifiable entry points, in order to minimize any potential attack vectors in the future. Some of these new security practices have been put in place to enable team members to continue their limited set of operations while the process continues over the next calendar quarter aimed to enforce measures to prevent any similar incidents from happening in the future.
We have engaged Chainalysis and Anchain for forensic analysis, are working with the FBI, and are tracking the hackers with the assistance of partners, including exchanges worldwide. As mentioned earlier, funds were funneled into the mixer, Tornado Cash. At the time of this writing, there are no movements to or from high-confidence withdrawal candidates from Tornado Cash.