Harmony Horizon Bridge: Compromised Multisig Private Keys (Hot Wallets)
Harmony's $100M Horizon bridge was drained after attackers obtained private keys to two of the five multisig signers — the minimum number needed to authorise any transaction.
Summary #
Harmony Horizon Bridge suffered a Cross-Chain Bridge on 2022-06-23, resulting in a loss of approximately $100M.
What happened #
Harmony's $100M Horizon bridge was drained after attackers obtained private keys to two of the five multisig signers — the minimum number needed to authorise any transaction.
Linked factors #
- RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-028 — causal : ★ Low-threshold multisig vs TVL [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers]
- RD-F-030 — causal : Hot-wallet signer flag on multisig [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers]