Understanding The Harmony Horizon Bridge Attack

Harmony – a Layer-1 network, famous for its amazing speed of 2000 transactions per second, and (almost) braggy marketing about its blockchain bridge security, has been attacked right where you wouldn’t expect it. You guessed it right, it’s a bridge attack.

For those of you who are unaware, Harmony started as a small startup in 2018, but didn’t take off until May of 2019, when it was finally launched on the Binance Launchpad. And to be fair, Harmony brought many promising changes to the existing problems in the blockchain ecosystem.

Things like high throughput, improved scalability, cross shard communication all while maintaining security was quite big at the time. Later it also introduced cross-chain connectivity through its blockchain bridges. And today, those very ‘secure’ bridges are the subject of our research.

But What Are Blockchain Bridges?

Bridges have always been weak links to a blockchain. They’re relatively new, and the way they work is quite interesting. Say if a bridge was to be created between btc and eth, btc would first be converted into an ethereum compatible version of the same token.

This is called wrapping the token, and what you get is wBTC (wrapped BTC). For this to work however, you need to lock some collateral on the bridge, which in our case is BTC itself.

So What Went Wrong?

The incident occured in the morning of June 24th, when close to $100M worth of funds were exploited through the horizon bridge. There have always been doubts around the multi-signee horizon bridge wallet, which only requires 2 out of 4 signees to execute transactions.

And so it happened, the bridge was attacked and multiple altcoins were stolen. It was even pointed out by this twitter user, earlier in April.

Harmony took to peckshield, to investigate this issue. The investigation is still in progress, and while not much can be said about how the hackers were able to sign two transactions, it is suspected that the hackers somehow had access to the private key of one of the wallets.

Don’t want us to cover you like this? Get your DApps tested and secured at Lapits today

Smart contracts are the life and soul of any DeFi app, your code can be flawless but might still fail because of underlying issues. You can prevent that from happening, by getting your smart contracts audited at Lapits.

The Auditing Process

An audit is a security focused code review with aim to identify issues in the code. Here’s how the auditing process works in detail:

  1. Executing Tests – The auditors execute your tests to ensure the functionality is intact
  2. Reading Docs/Understanding Business Logic
  3. Run Automated Tools (Slither, Mythril, Echidna)
  4. Manual Code Review
  5. Report Preparation

Prerequisites

Before you send your smart contracts for an audit you must ensure that–

  1. Your code is well documented – Code documentation, Inline comments
  2. Your code is passing all test cases with at least 90% test coverage
  3. You are prepared to communicate to the auditors, as needed
  4. You are patient – Good audits take a long time

Know More about the process.