Harmony Protocol Offers $1M Bounty Following Massive Exploit

Key Insights:

• Harmony’s Horizon bridge was exploited for $100M on Friday.
• The team’s 1% bounty may not be enough incentive for the attackers.
• The funds remain in the hacker’s wallet and have yet to be moved or ‘cleaned.’ 

Late last week, the high-throughput layer-1 blockchain platform Harmony became the latest victim of a bridge exploit. Around $100 million in various crypto assets were stolen from the protocol due to a vulnerability in a multi-signature wallet connected to the Horizon bridge. The bridge allows assets to be transferred to and from Harmony and other networks such as Ethereum and Bitcoin (BTC).

On June 26, the Harmony team offered a million-dollar bounty for the return of the funds. It also promised to advocate for no legal charges.

We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information.

Contact us at whitehat@harmony.one or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.

Harmony will advocate for no criminal charges when funds are returned.

— Harmony 💙 (@harmonyprotocol) June 26, 2022

Is It Enough?

The theft makes Harmony the fourteenth-largest industry exploit, according to Defiyield’s Rekt database (which has yet to be updated).  However, the 1% bounty is one of the smallest offered so far, so they may have to up the incentive a little to have any hope of funds being returned.

At the time of writing, the funds were still in the hacker’s address which held 85,867 ETH worth approximately $104.6 million. If the assets start moving to anonymizing services such as Tornado Cash, Harmony can kiss goodbye any hopes of retrieval.

There was plenty of reaction from the crypto community, with many suggesting that the amount offered was too low. Others pointed out that providing bounties doesn’t solve the problem and, if anything, may even encourage hackers.

“Isn’t it funny to actually reward the hackers with $1M dollars for returning the fund when they can get away with $100M?” one commented before adding, “even if they accept the offer, the same hackers will and again comprise another system? Problem isn’t solved.”

The exploit, which resulted from a private key breach, not a smart contract bug, is the latest cross-chain bridge attack this year. On June 26, Harmony stated:

“The team has found evidence that private keys were compromised, leading to the breach of our Horizon bridge. Funds were stolen from the Ethereum side of the bridge.”

The attacker was able to access and decrypt a number of these keys and use them to sign unauthorized transactions, it added.

Hackers have been increasingly targeting these conduits between different networks. In February, hackers stole $320 million from the Wormhole bridge; then, the following month came the industry’s largest attack. More than $600 million was stolen in an attack on Axie Infinitie’s Ronin bridge in March.

ONE Token Outlook

Harmony’s native token, ONE, is still in decline, having lost more than 12% since the attack. It was down around 5.3% on the day, trading at $0.023 during the Monday morning Asian trading session.

ONE has lost 42% over the past month and has collapsed 94% from its October all-time high of $0.379.