Harmony Hacker Declines $1M Whitehat Offer, Begins Laundering Stolen Funds
Late last week, Harmony Protocol’s bridge to the BSC and Ethereum networks was exploited, leading to a loss of $100 million worth of ETH.
Following a curiously underwhelming statement that at least the bitcoin bridge was unaffected, the Harmony team announced that they are working with “national authorities and forensic specialists” in order to recover the stolen funds from the as yet unidentified exploiters.
Multi-Sig Security Improved
Because the exploit was carried out by abusing the weak security of Harmony’s multi-sig wallet, the project’s developers have since changed the multi-sig setup from its previous configuration – requiring 2 out of 4 signatures to process a transaction – to one requiring 4 out of 5 signatures.
“We have migrated the Ethereum side of the Horizon bridge to a 4-of-5 multi-sig since the incident. We will continue taking steps to further harden our operations and infrastructure security. To reiterate, we are in the middle of an ongoing investigation. We will continue to keep everyone up-to-date and appreciate your patience and support.”
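To make the difference between the two thresholds concrete, here is an added example (not Harmony’s or the Horizon bridge’s code) of the approval check a bridge multi-sig performs on a withdrawal. It uses HMAC keys as a constructed stand-in for the signers’ real ECDSA keys; the policy logic is the same. With two signer keys compromised, the old 2-of-4 policy releases the funds, while the new 4-of-5 policy does not, and repeating one signer’s signature does not count toward the threshold.

```python
import hashlib
import hmac

# Constructed stand-in for the signers' keys: a real bridge verifies ECDSA/EdDSA
# signatures from hardware-backed keys, but the M-of-N policy check is identical.
SIGNER_KEYS = {f"signer{i}": f"constructed-secret-{i}".encode() for i in range(1, 6)}

# (threshold, authorised signer set): the policy before and after the incident.
OLD_POLICY = (2, {"signer1", "signer2", "signer3", "signer4"})   # 2-of-4
NEW_POLICY = (4, set(SIGNER_KEYS))                                # 4-of-5


def sign(signer: str, payload: bytes) -> tuple[str, str]:
    """A signer's approval of a withdrawal payload (HMAC stand-in for a signature)."""
    return signer, hmac.new(SIGNER_KEYS[signer], payload, hashlib.sha256).hexdigest()


def authorized(payload: bytes, signatures: list[tuple[str, str]], policy) -> bool:
    """True only if at least `threshold` DISTINCT authorised signers validly signed `payload`."""
    threshold, signer_set = policy
    valid_signers = set()                      # a set, so one signer never counts twice
    for signer, sig in signatures:
        if signer not in signer_set:           # unknown or retired key: ignored
            continue
        expected = hmac.new(SIGNER_KEYS[signer], payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig): # constant-time comparison
            valid_signers.add(signer)
    return len(valid_signers) >= threshold


def attacker_can_withdraw(policy, compromised: list[str]) -> bool:
    """Does an attacker holding only the `compromised` keys get a withdrawal approved?"""
    payload = b"withdraw 100 ETH to 0xATTACKER"   # constructed payload
    return authorized(payload, [sign(s, payload) for s in compromised], policy)


if __name__ == "__main__":
    stolen = ["signer1", "signer2"]
    print("2-of-4, two keys compromised:", attacker_can_withdraw(OLD_POLICY, stolen))  # True
    print("4-of-5, two keys compromised:", attacker_can_withdraw(NEW_POLICY, stolen))  # False
    print("4-of-5, one key replayed x5:", attacker_can_withdraw(NEW_POLICY, ["signer1"] * 5))  # False
```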
Although the vulnerability initially reported by independent researchers in April was only fixed after disaster struck, it’s better late than never. The team also attempted to turn back the clock on past failures, offering to bury the hatchet if 99% of the funds were returned – a proposition mostly met with gallows humor and general derision by the Harmony community.
We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information.
Contact us at whitehat@harmony.one or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.
Harmony will advocate for no criminal charges when funds are returned.
— Harmony (@harmonyprotocol) June 26, 2022
Olive Branch Completely Ignored
Unlike the happy ending to the Optimism debacle earlier this month, the Harmony exploiter did not deign to reply to the offer of a $1 million bounty and no criminal charges in exchange for the return of the remaining stolen ETH.
Instead, the exploiter proceeded to launder the stolen ETH via TornadoCash, a mixing service often used by cybercriminals to obfuscate the origin of ill-gotten crypto tokens.
#PeckShieldAlert ~18k $ETH (~22m) into 0x1e…6430 from @harmonyprotocol exploiters pic.twitter.com/NN4j5Korsz
— PeckShieldAlert (@PeckShieldAlert) June 27, 2022
The stolen assets are being laundered across multiple transactions at a rate of 100 ETH roughly every 6 minutes. At the time of writing, over $50 million worth of ETH has already been routed through TornadoCash, signifying a refusal of Harmony’s terms.
With the heartfelt – if underwhelming – attempt at resolving the issue amicably falling through, Harmony will have to rely on the forensic specialists and authorities it invoked at the time of the attack.
However, there is no guarantee that they will be able to resolve the situation either. If all else fails, this series of events should at least be an eye-opener for those in the community who may not be taking the security of their projects seriously enough.