Skip to main content

Near $100 million stolen: Analysis of the Horizon Cross-Chain Bridge Attack | Tokenview

tokenviewAbout 3 min

Near $100 million stolen: Analysis of the Horizon Cross-Chain Bridge Attack | Tokenview

$100 million stolen from Horizon Cross-Chain Bridge

On June 24, the Harmony team tweeted that the Horizon cross-chain bridge had been attacked, causing losses of about $100 million. On June 26, Harmony founder stephen tse said in a post that the Horizon attack was caused by a leak of private keys. Funds were stolen from the Ethereum side of the cross-chain bridge. The attackers successfully accessed and decrypted some of these keys, some of which were used to sign unauthorized transactions. Harmony is currently working with top blockchain tracing teams and the FBI to investigate the theft.

Horizon is an asset cross-chain bridge with Ethereum developed by Layer1 public chain Harmony. According to official sources, cross-chain bridge is a technology that connects two blockchains by verifying cross-chain transactions through two processes, including asset transfer and asset redemption:

  • Ethereum-to-harmony Asset transfer process: Assets are locked on Ethereum and the same amount of assets are minted on Harmony.
  • Harmony-to-ethereum asset redemption process: Assets minted on Harmony are destroyed and equivalent assets are unlocked on Ethereum.

In short, the Horizon cross-chain bridge allows assets to flow freely between the two blockchains of Ethereum-Harmony.

The Horizon Hack Incident

A total of 11 ERC20 tokens and 13,100 ETH were lost in the Horizon cross-chain bridge attack. 5,000 BNB and 640,000 BUSDs on BSC, totaling about $100 million.

Hacker address:

Transit address:

Private key leaked address:

under attack Contract MultiSigWallet:

Tokenview takes you through the whole attack, taking the 13,100 ETH lost in the first trading breach as an example:

1 The attacker exploits the address 0x812... that leaked the private key. 8f25 calls the contract 0x715... 6de6 for verification.

2 The cross-chain bridge is protected by a set of verifier nodes that submit cross-chain transaction confirmations through a multi-signature contract, but the contract only needs two verifiers to verify to allow cross-chain. The attacker took advantage of this point and finally successfully executed a transaction: 13,100 ETH was transferred to the attacker's address 0x0d0... ed00. The attacker has since repeatedly exploited this attack for profit.

Horizon The cross-chain bridge was attacked
Horizon The cross-chain bridge was attacked

On-chain asset tracking

On the Ethereum chain, the attacker transferred most of the tokens to two transit wallet addresses (0x9e9... 8715 and 0x58f... 8fa9) and convert the tokens to ETH, which is then transferred back to the initial attack address (0x0d0... D00). The address has racked up a profit of about 85,837 ETH.

On June 27, Horizon attackers transferred 18,036 stolen ETH to Tornado Cash in three batches totaling 18,033 ETH for blending, according to Tokenview data. The specific paths are as follows:

At 15:10:11 on June 27, the Horizon attacker transferred 18,036 ETH (about $22 million) to the new address 0x1ec... 6430.

Horizon The cross-chain bridge was attacked At 15:11:06, the address transferred 6,012 ETH (approximately $7.38 million) to 0x43... 47Ae, and transferred to Tornado Cash in 100 ETH each.

At 19:17:40, the address transferred a second batch of 6,012 ETH to 0x45... 5970, still transferred to Tornado Cash in 100 ETH each.

At 23:48:52, the address again transferred 6,009 ETH to 0x8a... c3f4, still transferred to Tornado Cash in 100 ETH per transaction.

At 11:58:50 on June 28, the cross-chain bridge Horizon attacker address again transferred 18,036 ETH to the new address (0x809d... c5e4), then the new address to address (0x89f... bd8b) to 6,012 ETH. As of now, the balance of Horizon attacker address is 49,79.67ETH.

Horizon The cross-chain bridge was attacked
Horizon The cross-chain bridge was attacked


The attack on Horizon cross-chain bridge also triggered a hot discussion on how to ensure the security of Harmony verifier nodes. In this attack, the attacker took advantage of the small number of verifier nodes required to pass verification, resulting in the loss of about $100 million in assets. Since the event, Harmony has migrated the Ethereum side of the Horizon Bridge to 4/5 multisignatures (4 out of 5 required). Now that the attackers have started moving money through Tornado Cash, the Harmony team is working with the blockchain tracking and analysis team and the FBI to track the money.

Tokenview will also continue to monitor the latest developments of the Horizon cross-chain bridge attack.

Last update: