June 29th, 2022
In June 2022, the Harmony Horizon Bridge project was the victim of a hack that placed it in the top ten most expensive DeFi hacks. Compromised private keys allowed $100 million in tokens to be stolen from the project.
Like most cross-chain bridges, the Harmony Horizon Bridge has a validation process for approving transactions being transferred over the bridge. In this case, the approvals process uses a multi-signature scheme with five validators.
However, the bridge only used a 2 of 5 validation scheme. This means that only two blockchain accounts needed to be compromised for an attacker to approve any malicious transaction that they wished.
The Harmony Horizon bridge was exploited via the theft of two private keys. These private keys were encrypted with both a passphrase and a key management service, and no system had access to multiple plaintext keys. However, the attacker managed to access and decrypt multiple keys.
With access to two of the bridge’s private keys, the attacker could create a transaction extracting $100 million from the bridge and confirm it using two accounts under their control.
The attacker then used Tornado Cash to launder many of the stolen tokens.
Since the attack, the multi-signature scheme has been updated to require approval by 4 of the 5 validators.
The use of multi-signatures to manage high-value assets is best practice, but a 2 of 5 signature scheme provides little security. Requiring more validators and ensuring that the compromise of a single private key does not place others at risk (i.e. storing keys on separate systems, protecting them with unique passphrases or keys, etc.) can help to prevent similar attacks in the future.