Our previous analysis showed that the exploiter had transferred the stolen crypto assets from the Horizon bridge to an address controlled by him via 9 transactions. Following that, the exploiter started swapping crypto assets such as WETH, SUSHI, AAVE, DAI, etc. into ETH via multiple smart contract calls. The exploiter then broke down 18k+ of the swapped ETH into smaller amounts and dispersed it into multiple wallets. Subsequently, he started moving funds into Tornado Cash.
Figure 1: Funds transferred to Tornado Cash by the Hacker
Depositing Stolen Funds into Tornado Cash
According to our analysis, the stolen funds were routed to Tornado Cash’s 100 ETH (T100) contract. We came to this conclusion by examining the spike in daily Deposit and Withdrawal volumes in the T100 contract between June 27 and July 2, 2022.
Figure 2: Spike in the Daily Deposit and Withdrawal volume in T100 contract
Based on the time lag between each subsequent deposit, it is highly probable that the exploiter used automated scripting to deposit funds.
Figure 3: Time lag (approx. 300-540 seconds) between subsequent transactions
Receiving Mixed Funds from Tornado Cash
Using our custom heuristics, the Merkle Science team identified 148 addresses (withdrawal addresses) that the attacker used to receive the mixed stolen funds. Over 84,000 ETH was received by these 148 suspected addresses from the T100 contract addresses. Subsequently, after evaluating the group of 148 addresses, we were able to identify 7 addresses that have had outgoing transactions.
Of those 7 addresses with outgoing transactions, we have seen chain-hopping between the Ethereum blockchain and the following chains:
- Bitcoin ⇌ Ethereum
- Binance Smart Chain ⇌ Ethereum
- Polygon ⇌ Ethereum
The stolen funds were converted into stablecoins and the chain-hopping was done using bridges such as RenVM and Multichain contracts. To hide the trail of funds, the exploiter tried to create many blockchain transactions, which would in turn ensure that the ultimate endpoint is lost in the data — in this process he attempted to throw off any sort of tracking by traditional blockchain analytics companies and law enforcement.
However, we were able to identify several overlapping points on the blockchain that were used in the process of swapping funds among different blockchains. These overlapping points include the repeated use of the same technique and addresses to swap the funds on the aforementioned blockchains.
Once bridged back to Ethereum, the stolen funds were subsequently dispersed into crypto exchanges.
Analyzing transaction time metrics to identify timezone of the hacker
If a user has made enough transactions on the blockchain, analyzing the transaction time metrics can sometimes tell you the timezone a user is operating in. In this case, the 850 transactions were grouped into buckets, and counts of these transactions by the hour of the day (0-23) were examined. According to our analysis, the exploiter lives in:
- Asia Timezone
- The time zone can be further narrowed to between GMT+6 and GMT+12 with high confidence
Figure 4: Hour-of-day analysis of withdrawal transactions
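The two timing heuristics used above, the deposit cadence check (Figure 3) and the hour-of-day bucketing (Figure 4), as an added Python example that is not part of the original analysis. The timestamps are constructed, the 300-540 s band and the 08:00-23:59 "waking window" are assumptions, and real work would read block timestamps from a node or indexer instead.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real on-chain timestamps): a run of
# T100 deposits spaced 300-540 s apart, as the deposit analysis
# describes.
BASE = datetime(2022, 6, 27, 22, 0, tzinfo=timezone.utc)
GAPS_S = [300, 420, 360, 540, 330, 480, 300, 510, 390, 450]
DEPOSITS = [BASE]
for g in GAPS_S:
    DEPOSITS.append(DEPOSITS[-1] + timedelta(seconds=g))

# Constructed withdrawal sample: one transaction per UTC hour
# 01:00-15:00, i.e. daytime activity for an actor east of UTC.
WITHDRAWALS = [datetime(2022, 7, 1, h, 30, tzinfo=timezone.utc)
               for h in range(1, 16)]

def inter_arrival_gaps(times):
    """Seconds between consecutive transactions, in time order."""
    ts = sorted(times)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]

def looks_scripted(times, lo=300, hi=540, min_frac=0.9):
    """Flag a series as probably automated when nearly every gap
    sits inside a narrow band (a human rarely keeps such a cadence)."""
    gaps = inter_arrival_gaps(times)
    if not gaps:
        return False
    in_band = sum(lo <= g <= hi for g in gaps)
    return in_band / len(gaps) >= min_frac

def hour_histogram(times, utc_offset_hours=0):
    """Transactions per local hour of day (0-23) at a UTC offset."""
    shift = timedelta(hours=utc_offset_hours)
    return Counter((t + shift).hour for t in times)

def candidate_offsets(times, awake=range(8, 24), min_frac=0.9):
    """UTC offsets (-12..+14) under which at least min_frac of the
    transactions fall in the assumed waking window (08:00-23:59).
    Adjacent offsets usually all qualify: the method narrows the
    zone to a band rather than pinning it down exactly."""
    hits = []
    for off in range(-12, 15):
        hist = hour_histogram(times, off)
        frac = sum(hist[h] for h in awake) / len(times)
        if frac >= min_frac:
            hits.append(off)
    return hits
```

With the constructed withdrawals the result is a band of offsets (GMT+6 to GMT+9), which mirrors the kind of range reported above rather than a single zone.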
What is the Horizon cross-chain bridge?
A cross-chain bridge connects two independent blockchains and enables an exchange of information, cryptocurrency, and NFTs from one blockchain network to another. The Horizon bridge facilitates token transfers from Ethereum (ETH), Binance Smart Chain (BSC), and Bitcoin (BTC) to the Harmony network. This means that users are able to send ETH, ERC20 and ERC721 tokens, BNB and BEP20 assets, and Bitcoin to Harmony. In a tweet, Harmony confirmed that the crypto assets were stolen from the Ethereum side of the bridge and that the trustless BTC bridge remains unaffected; based on our analysis, both the ETH and BSC sides were exploited.
Security breaches and attacks on bridge platforms are on the rise. The news of the Horizon bridge attack comes shortly after the Ronin Network exploit, where the U.S. Department of the Treasury linked the North Korea-based hacking group Lazarus to the theft of around $625 million worth of cryptocurrency. The attackers compromised private keys in order to forge fake withdrawals through two specific transactions.
The Ronin Network exploit came hot on the heels of the Wormhole bridge attack, which took place in February 2022. In this instance, attackers siphoned 120,000 Wrapped Ether (wETH) tokens, worth over $320 million at the time from the Wormhole bridge.
Prior to that, the Qubit Finance attack happened, where Qubit’s ETH-BSC bridge was exploited. The attackers took advantage of a logic error in Qubit’s smart contract to input malicious data and steal $80 million worth of cryptocurrency.
Essentially, bridges can be more vulnerable to attacks for many reasons, including:
- They require more interactions and contract approvals than the other protocols
- There is often low/no risk management of signatories which can result in accidental private key exposure
- They are, in some cases, run on insufficiently audited code that is prone to exploitable bugs
The anatomy of the Horizon bridge breach
According to an analysis published by Polygon’s Chief Information Security Officer, Mudit Gupta, the attackers executed the exploit by taking control of the multi-signature (MultiSig) wallets leveraged in the Horizon Bridge. MultiSig wallets are digital wallets that can only be operated with multiple signatures. This means that two or more private keys are required to sign and authorize a crypto transaction.
In his tweet, Mudit Gupta explained that the bridge used a 2-of-5 MultiSig. This means that 2 keys, out of the total 5 keys, were required to validate transactions. The attackers compromised 2 of them, most likely hot wallet keys, to drain the funds. He further opines that in all probability the attackers compromised the servers these hot wallets were running on and accessed the keys that were kept in “plaintext” for signing legitimate transactions. When a key is stored in “plaintext” it is in ordinary readable text and has not been encrypted. Therefore, attackers can use the key without needing to decrypt it.
The Harmony Protocol has published a preliminary analysis of the attack. Firstly, Harmony’s incident response team reinforced that the exploit did not occur due to a breach of Harmony’s smart contract codes, or vulnerabilities on the Horizon platform. They also emphasized that the consensus (governance) layer of the Harmony blockchain remains secure. They discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge.
The incident report maintains that the private keys were not only encrypted and stored by Harmony, but that a key management service was also in place and no single machine had access to multiple keys in plaintext. The attackers were nevertheless able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSD, USDC, ETH, and WBTC.
Next steps and remedial actions taken by the Harmony Protocol
The Harmony Protocol team stated that they have upgraded the Ethereum side of the Horizon bridge to a 4-of-5 MultiSig in the wake of the incident, and are working continuously to enhance their operations and infrastructure security. Furthermore, the team emphasized that it is working closely with law enforcement officials and blockchain tracing partners as a part of ongoing investigations.
They have also offered $1 million for the return of Horizon bridge funds and any information about the exploit. The Harmony Protocol team also claimed that they will advocate for no criminal charges after the funds are returned. Reportedly, the cryptosphere has raised concerns about the size of the bounty, which is just 1% of the total amount stolen. It has been suggested that the bounty may be insufficient to incentivize the attackers to return the stolen funds, particularly considering that our analysis shows funds have already been laundered through Tornado Cash.
Merkle Science’s on-chain analysis
According to Merkle Science’s analysis, on June 24, 2022, the Harmony Protocol’s Horizon bridge was exploited for roughly $100 million in crypto assets, including WETH, SUSHI, AAVE, DAI, USDT, and USDC.
The attackers transferred the stolen crypto in 9 transactions from the Horizon bridge to this address:
H1 - 0x0d043128146654c7683fbf30ac98d7b2285ded00
They then moved the stolen crypto assets to the following addresses:
H2 - 0x9E91ae672E7f7330Fc6B9bAb9C259BD94Cd08715
H3 - 0x58F4BACcb411ACef70A5f6DD174Af7854fc48Fa9
The attackers then converted the stolen crypto assets from H2 and H3 into ETH via multiple smart contract calls. They then transferred the swapped ETH back to H1.
Following this, the attackers transferred 18K+ in ETH from H1 to a new address:
H4 - 0x1Ec6F83b55C3F4CeFc630442716872BA15f16430
They transferred those funds to three new addresses:
H5 - 0x4507AC1bdF4Ae5E61ffceC3A9AEDA312E2505970
H6 - 0x432A9Cb4353bed67EC5351734d4a44C0826847Ae
H7 - 0x8a0858888bEEb5D1435Ecd3657831699f169c3f4
And then transferred the majority of the funds from those addresses to coin mixer Tornado Cash.
The attackers also moved 18K+ in ETH from H1 to:
H8 - 0x8a0858888bEEb5D1435Ecd3657831699f169c3f4
Once again they split those funds across three new addresses:
H9 - 0x89f89D61644c6e606efb25A01210159f102FbD8b
H10 - 0x40eFc580e5cb5701797a762990D9E690108DADfD
H11 - 0x20dBCcD46eEF96A1b78383Cf0D26bB575EC00201
And ultimately again transferred the majority of the funds in these three addresses to Tornado Cash.
This means approximately 32% ($31.64M) of the total stolen funds were transferred to Tornado Cash, leaving a balance of just under 10K ETH in addresses H5 to H10.
Why Tornado Cash?
Mixing services such as Tornado Cash help obfuscate crypto assets by breaking the link between the original asset address and a new one, thereby masking the money trail. Tornado Cash is the most popular coin mixing service on the Ethereum Blockchain. The service offers a set of smart contracts that enable the user to obfuscate their funds by cutting the link between their original address and the address they eventually receive the funds in.