Harmony’s Horizon Bridge Attack: How $100M was Siphoned By a Hacker

Harmony's Horizon Bridge Attack: How $100M was Siphoned By a Hacker

Blockchain technology is unquestionably a significant accomplishment. The evolution of the technology has birthed numerous solutions and use cases across various industries. Yet, some aspect of the technology still needs improvement due to blockchain still being in its nascent stage. One of the hurdles or obstacles of blockchain projects is their constricted interoperability.

Interoperability here is the ability of heterogeneous blockchain networks to exchange data or information. Simply put, interoperability is when you can send an ERC-20 token to a Bitcoin network seamlessly or the ability to send BTC directly to a MetaMask wallet without wrapping it.

One of the solutions to this limited interoperability within heterogeneous blockchain networks is the “Bridge”–Blockchain Bridge.

What is a Blockchain Bridge?

Just like the conventional structural bridge links two lands or areas separated by an obstacle, Bridges in blockchain also establish a link between heterogeneous blockchain networks. A blockchain bridge is a mechanism or tool that describes the minting and burning processes to establish a stable supply of tokens between two heterogeneous blockchains.

Bridges enable interoperability between heterogeneous blockchain protocols. This is done by locking a particular token in one blockchain network, and you mint the equivalent of the locked token on the second blockchain that was bridged to the former. This transfer process is done under the min-and-burn protocol. There are side chain bridges and cross-chain bridges.

Side chain bridges are usually when side blockchains are bridged to their main or source blockchain. But Cross-chain bridges are when two heterogeneous blockchains are bridged together. An example of such a cross-chain bridge is the Harmony Bridge –a.k.a. Horizon Bridge.

What is Harmony Bridge?

Harmony is a PoS layer-1 blockchain developed by Stephen Tse in 2019, with ONE being its native cryptocurrency. According to harmony.one, the Harmony Bridge is a cross-chain bridge that can connect any PoW and PoS chains. It is a multi-chain platform that uses its interoperability feature to unstuck users from sticking to a single blockchain. Its bridges offer cross-chain transfers with Bitcoin, Ethereum, and Binance smart chain.

On Friday, June 24, the Harmony Bridge was attacked, and altcoins to the tune of $100 million were swapped for ETH and siphoned. This was announced in their official blog post, where the attacker’s address was released.


The attack was successful because two validators’ private keys were suspected to be compromised. The bridge previously was reportedly secured by a 2-of-4 multisig, meaning two signatures are required to move assets. In the wake of the attack, the 2-of-4 multisig has been leveled up to 4-of-5 multisig, according to a tweet from Stephen Tse.

Before the attack, concerns were raised in April about the reliability of Harmony’s multisig wallet on Ethereum, which requires only two of the four signers to withdraw assets.

During the attack, twelve tokens amounting to $99,002,448 million was siphoned from the Ethereum wallet, while tokens amounting to $1,801,587 million was siphoned from the BSC wallet. The stolen tokens–BNB, BUSD, ETH, WBTC, WETH, AAVE, USDC, AAG, SUSHI, USDT, FXS, FRAX, and DAI– was swapped for ETH on the Uniswap DEX, and ETH was sent back to the attacker’s original address.

The stolen assets were still held in the attacker’s address, but on June 27, the attacker started laundering the asset through a crypto mixer. The mixing service of Tornado Cash was particularly used; the mixing service enables users to pool sizeable cryptocurrencies and swap them into another coin. This process conceals transaction trails by obfuscating the origin of such cryptocurrencies. It is usually used to launder stolen crypto assets.

According to blockchain analysis by the blockchain security company, the attacker has laundered about $36 million worth of ETH through the crypto mixer. However, Elliptic has successfully implemented its Tornado demixing algorithm to trace the stolen crypto through Tornado Cash. The funds were traced to a series of new Ethereum wallets. With the demixing algorithm, crypto exchange platforms and investors can utilize Elliptic’s transaction screening software to identify any incoming crypto originating from the Harmony’s Bridge attack.

Harmony blockchain has offered a bounty of $1 million for the return of the stolen assets, stressing further that criminal charges against the culprit will be dropped if returned.


In the wake of Elliptic’s forensic investigation, the Lazarus Group, a known cybercriminal group with ties to North Korea, has been fingered in the attack because of how the digital assets were siphoned and then laundered. The notorious group has reportedly stolen cryptocurrencies to $2 billion. The group is believed to be responsible for the Axie’s Ronin Bridge hack in late March.

Though there’s no direct evidence pointing to the Lazarus, most factors like timing, region, and patterns of how the attack was hatched are similar to their digital signature. It is worth noting that both Ronin and Harmony Bridge are cross-chain bridges.


The attacker obviously leveraged on the 2-of-4 multisig and used two validator’s nodes to siphon cryptocurrency. Though the protocol has been beefed up to 4-of-5 multisig in the wake of the attack, project developers should adopt more stringent security protocol to protect their projects from cyber-attack. The required signature should be raised to more than 70% of the validator securing it.

Recall that the Ronin Bridge is secured by nine validators. With 5-of-9 multisig, the Lazarus was able to control the five required nodes and stole assets worth over $600 million from the bridge. Increasing the signee needed to about 8-of-9 will help secure the Bridge and make it less susceptible to similar or further attacks due to the financial cost and computing power required.

Undoubtedly, the Harmony bridge attack has led to a panic withdrawal from the bridge due to FUD.

However, the attack did not affect the BTC bridge, and the blockchain is working assiduously with security outfits to identify the culprit and reclaim the stolen assets.

Leave a Reply

Your email address will not be published.