Harmony offers $1M bounty, but is it big enough?

Published at: June 27, 2022

The Harmony layer-1 blockchain project team has offered a bounty equal to just 1% of the $100 million in crypto stolen in the Horizon Bridge hack last week.

Harmony tweeted on June 26 that the team had committed $1 million for the return of the funds that were stolen from the Horizon Bridge on Thursday. It added, “Harmony will advocate for no criminal charges when funds are returned.”

We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information. Contact us at [email protected] or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac. Harmony will advocate for no criminal charges when funds are returned.

— Harmony (@harmonyprotocol) June 26, 2022

However, concerns have been raised that the modest bounty sum may not be enough to incentivize the attacker to return the funds.

The Horizon Bridge is a token bridge between the Harmony blockchain and the Ethereum network, Binance Chain, and Bitcoin. The Bitcoin bridge was not affected in this exploit.

Compared to other high-profile exploits this year, Harmony’s bounty offer ranks low. The $10 million offered to the Rari Fuse attacker in May was 12.5% of the total stolen. The Beanstalk Finance team offered $7.6 million, which was 10% of the total exploited from the protocol in April.

Harmony’s bounty offer is so low that the crypto trader known on Twitter as Degen Spartan called it an “insulting amount.” He added, “imagine losing 100m and thinking you're in a position to lowball for a 1% bounty lmwo these people are just doing performance art to mitigate legal liability.”

1M?insulting amount, gfy https://t.co/TgZ0gDOC43

— 찌 G 跻 じ Goblin of the (@DegenSpartan) June 26, 2022

In an incident response update on the Horizon bridge hack on June 25, Harmony founder Stephen Tse tweeted that the hack was not the result of a smart contract code breach. Instead, the team found evidence that private keys were compromised, which led to the breach of the bridge.

1/ An incident response update on the Horizon bridge hack Confidentiality is key to maintain integrity as part of this ongoing investigation. The omission of specific details is to protect sensitive data in the interest of our community.

— stephen tse s.one stse.eth (@stse) June 26, 2022

Tse said that the Ethereum side of the bridge had migrated “to a 4-5 multisig since the incident.” A community member had raised the weakness of a multisig wallet requiring just two out of five signers in April, but the Harmony team did not address the issue until now.

A multisig wallet is a crypto wallet that requires multiple key holders to approve a transaction. These wallets are commonly used by crypto projects.

At the time of writing, the Horizon Bridge hacker has not moved the stolen funds into Tornado Cash, an Ether (ETH) mixer, or any other anonymizer.

Hope is not lost for Harmony, as its $1 million bounty is not the smallest in proportion to the amount of funds lost. In 2021, the Poly Network interoperability platform was hacked for $610 million. The team’s bounty offer of $500,000 was 0.08% of the total stolen. The offer was rejected, but luckily the funds were returned anyway.