Understanding The Harmony Horizon Bridge Attack
Harmony – a Layer-1 network, famous for its amazing speed of 2000 transactions per second, and (almost) braggy marketing about its blockchain bridge security, has been attacked right where you wouldn’t expect it. You guessed it right, it’s a bridge attack.
In 2018, Harmony began as a small startup, but it wasn’t until May of 2019, when it was launched on the Binance Launchpad, that it gained momentum. Harmony sought to address various problems in the blockchain ecosystem, including high throughput, improved scalability, cross shard communication, and maintaining security. Harmony later introduced cross-chain connectivity through its blockchain bridges, which were deemed secure. Today, however, these very bridges are the subject of our research.
With the increasing popularity and adoption of DeFi and blockchain technology, the importance of security and auditing cannot be overstated. The consequences of a security breach or vulnerability can be devastating, leading to loss of funds and damage to reputation.
This is why it is crucial to conduct regular audits and tests of smart contracts, Dapps, and blockchain protocols. By staying up-to-date with the latest security practices and engaging with reputable auditing firms, businesses and developers can ensure that their projects are secure and protected against potential threats.
But What Are Blockchain Bridges?
Bridges have always been considered as weak links in blockchain networks. They are relatively new and function in an interesting way. To create a bridge between BTC and ETH, BTC must first be converted into an Ethereum-compatible version of the same token, known as wBTC (wrapped BTC).
However, to ensure its function, collateral must be locked on the bridge, which, in this case, is BTC itself.
So What Went Wrong?
The incident occured in the morning of June 24th, when close to $100M worth of funds were exploited through the horizon bridge. There have always been doubts around the multi-signee horizon bridge wallet, which only requires 2 out of 4 signees to execute transactions.
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
And so it happened, the bridge was attacked and multiple altcoins were stolen. It was even pointed out by this twitter user, earlier in April.
Since the current narative du-jour is bridges & bridge hacks, I wanted to do some digging on the harmony bridge on Ethereum which secures ~$330m worth of tokens.
— Ape Dev (@_apedev) April 1, 2022
Harmony is currently conducting an investigation with PeckShield to determine the root cause of the recent issue. Although it is unclear how the hackers were able to sign two transactions, it is believed that they may have gained access to the private key of one of the wallets. The investigation is still ongoing and more information will be released as it becomes available.
To ensure the success and safety of your DeFi app, it is crucial to be cautious while writing smart contracts. Even if your code appears to be flawless, underlying issues can still lead to failure. One way to prevent this is by getting your smart contracts audited at Scrutify.
This process involves executing tests, reading docs, running automated tools, conducting manual code reviews, and preparing a detailed report. By taking these steps, you can ensure that your smart contracts are secure and protected against potential vulnerabilities.
The Auditing Process
An audit is a security focused code review with aim to identify issues in the code. Here’s how the auditing process works in detail:
- Executing Tests – The auditors execute your tests to ensure the functionality is intact
- Reading Docs/Understanding Business Logic
- Run Automated Tools (Slither, Mythril, Echidna)
- Manual Code Review
- Report Preparation
Before you send your smart contracts for an audit you must ensure that–
- Your code is well documented – Code documentation, Inline comments
- Your code is passing all test cases with at least 90% test coverage
- You are prepared to communicate to the auditors, as needed
- You are patient – Good audits take a long time
Know More about the process.