Jun 27, 2022 Camille A. Hanard
Two days after the Horizon bridge exploit, the Harmony team announced that it will grant a $1 million bounty for the return of $100 million worth of digital assets and for sharing information on the exploit. Harmony also assures that no criminal charges will be brought against the attacker if the stolen assets are returned.
We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information.
Contact us at [email protected] or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.
Harmony will advocate for no criminal charges when funds are returned.
— Harmony 💙 (@harmonyprotocol) June 26, 2022
The crypto community, however, has voiced doubt that this measure will incentivize the attacker to cooperate, pointing to the modest bounty, which amounts to only 1% of the stolen amount.
1M?
insulting amount, gfy https://t.co/TgZ0gDOC43
— 찌 G 跻 じ Goblin 𝙎𝙚𝙣𝙥𝙖𝙞 of the 𝙃𝙚𝙣𝙩𝙖𝙞 (@DegenSpartan) June 26, 2022
Following the incident, Harmony founder Stephen Tse wrote on Twitter that the exploit was not caused by a smart contract bug. “The team has found evidence that private keys were compromised, leading to the breach of our Horizon bridge. Funds were stolen from the Ethereum side of the bridge”.
1/ An incident response update on the Horizon bridge hack 🧵
Confidentiality is key to maintain integrity as part of this ongoing investigation. The omission of specific details is to protect sensitive data in the interest of our community.
— stephen tse 💙 s.one 🌉 stse.eth (@stse) June 26, 2022
In addition, Tse claims that Harmony’s private keys were doubly encrypted using a passphrase and a key management service. However, the attacker managed to access and decrypt some of these private keys to sign unauthorized transactions.
At the time of writing, the attackers had just started moving some of the stolen funds, with $22 million already transferred to another wallet, from which it is being siphoned to a Tornado Cash intermediary address.