Harmony Bridge Exploit - June 24, 2022
Overview
The Harmony Bridge suffered a significant theft resulting in approximately $100 million in stolen funds. This marked the third major bridge exploit in the cryptocurrency space and the second incident where compromised private keys were the attack vector.
What Happened
Beginning at 11:06 UTC on June 24, 2022, an attacker systematically drained multiple bridges operated by the Harmony network:
• ETH Bridge: 13,100 ETH stolen
• BUSD Bridge: 5.5 million BUSD stolen
• ERC20 Bridge: Various token assets drained (see transaction data below)
• BSC: 5,000 BNB and 640,000 BUSD taken
The theft was announced over 14 hours after the initial fund movement began.
Technical Root Cause
The Harmony Bridge was secured by "a 2 of 5 multisig" security model, in which any two of the five signer keys are enough to authorize a transaction. The vulnerability stemmed from inadequate key management practices. Two critical addresses were compromised:
• 0xf845A7ee8477AD1FB4446651E548901a2635A915
• 0x812d8622C6F3c45959439e7ede3C580dA06f8f25
Attack Vector
The precise attack mechanism remains unconfirmed, though security analysts speculated that "they were hot wallets with private keys kept in plaintext." If an attacker gained server access, obtaining both private keys would let them authorize any transaction, including draining the bridge entirely.
Relevant Addresses & Transactions
Exploiter Primary Address: 0x0d043128146654c7683fbf30ac98d7b2285ded00
Bridge Contracts:
• ETH Bridge: 0xf9fb1c508ff49f78b60d3a96dea99fa5d7f3a8a6
• ERC20 Bridge: 0x2dCCDB493827E15a5dC8f8b72147E6c4A5620857
• BUSD Bridge: 0xfd53b1b4af84d59b20bf2c20ca89a6beeaa2c628
Key Transaction: 0x27981c7289c372e601c9475e5b5466310be18ed10b59d1ac840145f6e7804c97 (13.1k ETH transfer)
Stolen assets were subsequently moved through intermediate addresses before being swapped to ETH and consolidated in the attacker's main wallet.
Remediation
Following the exploit, Harmony increased the multisig requirement from 2-of-5 to 4-of-5 signatures. However, this response came only after the funds had already been stolen.
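The following is an added example, not code from the original write-up or from Harmony: a small key-management audit that reports, for an m-of-n signer set, how many keys and how many distinct hosts must be compromised to reach the signing threshold. The signer names, host names and key layouts are constructed; the page does not state where the keys were actually stored.

```python
from collections import Counter

def audit_multisig(threshold, key_hosts):
    """Report what an attacker needs to reach an m-of-n signing threshold.

    key_hosts maps each signer to the host that stores its private key.
    """
    n = len(key_hosts)
    if not 1 <= threshold <= n:
        raise ValueError("threshold must be between 1 and the number of signers")
    # Only the number of keys per host matters, so taking the fullest hosts
    # first gives the smallest set of hosts that reaches the threshold.
    keys_gained = hosts_needed = 0
    for count in sorted(Counter(key_hosts.values()).values(), reverse=True):
        keys_gained += count
        hosts_needed += 1
        if keys_gained >= threshold:
            break
    return {
        "keys_needed": threshold,
        "compromised_keys_tolerated": threshold - 1,
        "lost_keys_tolerated": n - threshold,  # keys that can be lost before signing stalls
        "hosts_needed": hosts_needed,
    }

# Constructed layouts: signer and host names are hypothetical.
SEPARATED = {"s1": "host-a", "s2": "host-b", "s3": "host-c", "s4": "host-d", "s5": "host-e"}
TWO_SHARED = {"s1": "host-a", "s2": "host-a", "s3": "host-b", "s4": "host-c", "s5": "host-d"}
ALL_SHARED = {signer: "host-a" for signer in SEPARATED}

if __name__ == "__main__":
    layouts = [("separated", SEPARATED), ("two shared", TWO_SHARED), ("all shared", ALL_SHARED)]
    for name, layout in layouts:
        for m in (2, 4):  # thresholds before and after the remediation
            print(f"{m}-of-5, {name}: {audit_multisig(m, layout)}")
```

With every key on one host, hosts_needed stays at 1 for both thresholds, so the higher threshold only adds protection when the keys are held separately.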
Prior Warnings
Security researcher @_apedev had specifically highlighted the bridge's security deficiencies in early April 2022, suggesting this vulnerability was publicly identifiable before exploitation occurred.