Near $100 million stolen: Analysis of the Horizon Cross-Chain Bridge Attack | Tokenview

$100 million stolen from Horizon Cross-Chain Bridge

On June 24, the Harmony team tweeted that the Horizon cross-chain bridge had been attacked, causing losses of about $100 million. On June 26, Harmony founder stephen tse said in a post that the Horizon attack was caused by a leak of private keys. Funds were stolen from the Ethereum side of the cross-chain bridge. The attackers successfully accessed and decrypted some of these keys, some of which were used to sign unauthorized transactions. Harmony is currently working with top blockchain tracing teams and the FBI to investigate the theft.

Horizon is an asset cross-chain bridge with Ethereum developed by Layer1 public chain Harmony. According to official sources, cross-chain bridge is a technology that connects two blockchains by verifying cross-chain transactions through two processes, including asset transfer and asset redemption:

• Ethereum-to-harmony Asset transfer process: Assets are locked on Ethereum and the same amount of assets are minted on Harmony.
• Harmony-to-ethereum asset redemption process: Assets minted on Harmony are destroyed and equivalent assets are unlocked on Ethereum.

In short, the Horizon cross-chain bridge allows assets to flow freely between the two blockchains of Ethereum-Harmony.

The Horizon Hack Incident

A total of 11 ERC20 tokens and 13,100 ETH were lost in the Horizon cross-chain bridge attack. 5,000 BNB and 640,000 BUSDs on BSC, totaling about $100 million.

Hacker address:
https://eth.tokenview.io/cn/address/0x0d043128146654c7683fbf30ac98d7b2285ded00

Transit address:
https://eth.tokenview.io/cn/address/0x9e91ae672e7f7330fc6b9bab9c259bd94cd08715
https://eth.tokenview.io/cn/address/0x58f4baccb411acef70a5f6dd174af7854fc48fa9

Private key leaked address:
https://eth.tokenview.io/cn/address/0xf845a7ee8477ad1fb4446651e548901a2635a915
https://eth.tokenview.io/cn/address/0x812d8622c6f3c45959439e7ede3c580da06f8f25

under attack Contract MultiSigWallet：
https://eth.tokenview.io/cn/address/0x715cdda5e9ad30a0ced14940f9997ee611496de6

Tokenview takes you through the whole attack, taking the 13,100 ETH lost in the first trading breach as an example:

1 The attacker exploits the address 0x812... that leaked the private key. 8f25 calls the contract 0x715... 6de6 for verification.

2 The cross-chain bridge is protected by a set of verifier nodes that submit cross-chain transaction confirmations through a multi-signature contract, but the contract only needs two verifiers to verify to allow cross-chain. The attacker took advantage of this point and finally successfully executed a transaction: 13,100 ETH was transferred to the attacker's address 0x0d0... ed00. The attacker has since repeatedly exploited this attack for profit.

On-chain asset tracking

On the Ethereum chain, the attacker transferred most of the tokens to two transit wallet addresses (0x9e9... 8715 and 0x58f... 8fa9) and convert the tokens to ETH, which is then transferred back to the initial attack address (0x0d0... D00). The address has racked up a profit of about 85,837 ETH.

On June 27, Horizon attackers transferred 18,036 stolen ETH to Tornado Cash in three batches totaling 18,033 ETH for blending, according to Tokenview data. The specific paths are as follows:

At 15:10:11 on June 27, the Horizon attacker transferred 18,036 ETH (about $22 million) to the new address 0x1ec... 6430.

At 15:11:06, the address transferred 6,012 ETH (approximately $7.38 million) to 0x43... 47Ae, and transferred to Tornado Cash in 100 ETH each.

At 19:17:40, the address transferred a second batch of 6,012 ETH to 0x45... 5970, still transferred to Tornado Cash in 100 ETH each.

At 23:48:52, the address again transferred 6,009 ETH to 0x8a... c3f4, still transferred to Tornado Cash in 100 ETH per transaction.

At 11:58:50 on June 28, the cross-chain bridge Horizon attacker address again transferred 18,036 ETH to the new address (0x809d... c5e4), then the new address to address (0x89f... bd8b) to 6,012 ETH. As of now, the balance of Horizon attacker address is 49,79.67ETH.

Conclusion

The attack on Horizon cross-chain bridge also triggered a hot discussion on how to ensure the security of Harmony verifier nodes. In this attack, the attacker took advantage of the small number of verifier nodes required to pass verification, resulting in the loss of about $100 million in assets. Since the event, Harmony has migrated the Ethereum side of the Horizon Bridge to 4/5 multisignatures (4 out of 5 required). Now that the attackers have started moving money through Tornado Cash, the Harmony team is working with the blockchain tracking and analysis team and the FBI to track the money.

Tokenview will also continue to monitor the latest developments of the Horizon cross-chain bridge attack.