June 24, 2022
Harmony Bridge Hacked for $100M due to Suspected Private Key Compromise
On June 24, Harmony Bridge was hacked for about $100M due to suspected private key compromise. Here’s our analysis of this incident.
Harmony Bridge is a cross-chain bridge whose asset custody is controlled by a multisig contract with five validators as owners. The root cause of the attack is that the private keys of two of those validators are suspected to have been compromised; because the contract only required two confirmations to execute a transaction, the attacker was able to call the contract's confirmTransaction function with those two keys and have bridge withdrawals execute.
Addresses with suspected private key compromise:
The suspected compromised address 0x812d86 calls the confirmTransaction function of the 0x715cdd multisig contract to confirm a pending transaction; the transactionId confirmed here is 21107, which is used as the example throughout.
In this transaction the isConfirmed check returns true, so the contract proceeds to execution.
Querying the contract, however, shows that although it has five owners, only two of them confirmed the transaction. Two confirmations were exactly the threshold the contract required at the time.
Having reached the threshold with the two compromised validator keys, the attacker had the contract's external_call execute the bridge withdrawal and release the corresponding tokens, then repeated the same steps across further transactions to drain the bridge.
The project subsequently raised the number of confirmations required from 2 to 4 via transactionId 21126 on Ethereum (120531 on BNB Chain).
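The confirmation flow described above (confirmTransaction, isConfirmed, external_call) and the later change of the threshold from 2 to 4 can be modelled in a few dozen lines. The following is an added example written for this analysis; it is not Harmony's or Gnosis's code, although it follows the semantics of the Gnosis-style MultiSigWallet that Harmony's bridge used. Owner addresses, the bridge address, the wallet address and the calldata are constructed placeholders, not on-chain values. The example shows that with required=2 and five owners, two leaked keys are enough to execute an arbitrary call, and that the same two keys no longer suffice once the requirement is 4.

```python
# Model of a Gnosis-style MultiSigWallet's confirmation logic.
# Added illustration, not Harmony's or Gnosis's code. Addresses and calldata
# below are constructed placeholders.
from dataclasses import dataclass


@dataclass
class Transaction:
    destination: str
    value: int
    data: bytes
    executed: bool = False


class MultiSigWallet:
    """Tracks owners, the confirmation threshold and per-transaction confirmations."""

    def __init__(self, owners, required, self_address="0xwallet"):
        if not 0 < required <= len(owners):
            raise ValueError("required must be between 1 and the owner count")
        self.address = self_address          # placeholder for the contract's own address
        self.owners = list(owners)
        self.required = required
        self.transactions = {}
        self.confirmations = {}
        self.external_calls = []             # what external_call() would have sent on-chain

    def _only_owner(self, sender):
        if sender not in self.owners:
            raise PermissionError(f"{sender} is not an owner")

    def submit_transaction(self, sender, destination, value, data):
        self._only_owner(sender)
        tx_id = len(self.transactions)
        self.transactions[tx_id] = Transaction(destination, value, data)
        self.confirmations[tx_id] = set()
        self.confirm_transaction(sender, tx_id)   # submitting also counts as confirming
        return tx_id

    def is_confirmed(self, tx_id):
        # Confirmations from current owners are counted against `required`.
        count = sum(1 for o in self.owners if o in self.confirmations[tx_id])
        return count >= self.required

    def confirm_transaction(self, sender, tx_id):
        self._only_owner(sender)
        if sender in self.confirmations[tx_id]:
            raise ValueError("owner already confirmed this transaction")
        self.confirmations[tx_id].add(sender)
        self.execute_transaction(tx_id)

    def execute_transaction(self, tx_id):
        tx = self.transactions[tx_id]
        if tx.executed or not self.is_confirmed(tx_id):
            return False
        tx.executed = True
        if tx.destination == self.address and tx.data.startswith(b"changeRequirement:"):
            # Self-call: the only path through which the threshold can change.
            self.change_requirement(int(tx.data.split(b":")[1]))
        else:
            self.external_calls.append((tx.destination, tx.value, tx.data))
        return True

    def change_requirement(self, new_required):
        if not 0 < new_required <= len(self.owners):
            raise ValueError("invalid requirement")
        self.required = new_required


OWNERS = [f"0xowner{i}" for i in range(5)]   # constructed: five owners, as in the bridge
UNLOCK = b"unlockToken(...)"                 # placeholder for the bridge unlock calldata


def run_with_keys(wallet, signers, destination, data):
    """Submit and confirm one transaction using only `signers`; return whether it executed."""
    tx_id = wallet.submit_transaction(signers[0], destination, 0, data)
    for signer in signers[1:]:
        wallet.confirm_transaction(signer, tx_id)
    return wallet.transactions[tx_id].executed


def attacker_succeeds(required, compromised):
    """True if `compromised` leaked owner keys suffice to push a bridge unlock through."""
    wallet = MultiSigWallet(OWNERS, required)
    return run_with_keys(wallet, OWNERS[:compromised], "0xbridge", UNLOCK)


def raise_threshold(wallet, signers, new_required):
    """Raise `required` the way the project did: a confirmed self-call to the wallet."""
    run_with_keys(wallet, signers, wallet.address, b"changeRequirement:%d" % new_required)
    return wallet.required


if __name__ == "__main__":
    print("2-of-5, two keys leaked:", attacker_succeeds(2, 2))
    print("4-of-5, two keys leaked:", attacker_succeeds(4, 2))
```

Note that in this model, as in the real contract, raising the requirement is itself a multisig transaction: it needs the current threshold of confirmations, which is why the project's fix shows up on-chain as an ordinary transactionId.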
The attack resulted in the loss of 85,867 ETH, 990 AAVE and 78,500,000 AAG on Ethereum, and 5,000 BNB and 640,000 BUSD on BNB Chain, for a total of about $100,428,116. The stolen funds are still held at the attacker’s address.
The attacker exploited the low confirmation threshold: with five validators but only two confirmations required, two compromised keys were enough to steal roughly $100M in assets. Projects should set the confirmation threshold well above the number of keys an attacker could plausibly obtain, use a larger validator set where possible, and harden the custody of each validator's key.