Another day, another de-fi (decentralized finance) attack.
This time around, online smart contract company Harmony, which bills itself as an “open and fast blockchain,” has had more than $80,000,000 worth of Ether cryptocoins stolen.
Surprisingly (or unsurprisingly, depending on your point of view), if you visit Harmony’s website, you probably won’t even notice the massive loss the company just suffered.
Even the company’s official blog linked from the website doesn’t mention it.
The most recent blog article is from early 2022 and is titled Lost funds investigation report.
Unfortunately, those lost funds are not these lost funds.
That earlier incident apparently happened at the start of the year, when five people were ripped off for just over 19 million of Harmony’s ONE tokens, which were apparently worth about 25 US cents each at the time.
Harmony made an offer on January 4, 2022 stating:
We want to give the suspect an opportunity to communicate with the Harmony Foundation and return any funds. Harmony will not take any further legal action or reveal your identity as long as we receive your full cooperation. The team will offer you a bounty to uncover how this theft was carried out as long as it can be validated.
We’re not sure it’s legal for a company to offer to rewrite history and pretend that an unauthorized and almost certainly illegal hack was actually legitimate research, although it did seem to work in the infamous $600 million Poly Networks hack.
The perpetrator of the crack, in this case, made a barrage of weird pseudo-political blockchain announcements ALL IN CAPS, written in artificially bad English, to claim that money was not the motivator behind the crime.
Ultimately, after the perpetrator had curried favor under the nickname Mr. White Hat, Poly Networks (to the amazement of many people, ourselves included) got most of their funds back.
We’re also not sure how much protection from prosecution an offer by the victim not to “press charges” will provide, since in many countries the decision to identify, charge, and prosecute suspects is typically the state’s decision.
Some countries, such as England, give private individuals (including professional bodies and charities) the right to bring a private prosecution if the state declines to do so, but they do not give crime victims a ‘residual right’ to stop the state from pursuing a case if it chooses to.
Nonetheless, Poly Networks’ unexpected success in recovering more than half a billion dollars has encouraged other cryptocurrency companies to try this “clean slate” approach, presumably on the grounds that there’s often not much more they can do…
…but it doesn’t seem to work very often.
It certainly didn’t seem to be working out for Harmony in January 2022, but if the offender hasn’t yet cashed out his ill-gotten gains, he may regret not taking up the offer.
By Jan. 15, 2022, when Harmony’s fake “bug bounty offer” expired, ONE tokens peaked at $0.35, according to CoinGecko, but have since fallen below 2.5 cents apiece.
Back to the not-a-breach
That hasn’t stopped Harmony from trying the bug bounty-based historical revisionist approach again, contacting the June 2022 hacker via the Ether blockchain to say:
The Harmony team is interested in communicating and negotiating. Please reach out at [email protected] to start a conversation. Communication can be anonymous. ID: 0xc8f0dbe83ef36ab59c1fd57099d5ed98c65ff71d0cc69d0084ca570ee26141bb
Since then, numerous other chancers, jokers, and crypto commentators have also turned to blockchain to say…
Technology is the primary productive force, amazing, great god, I hope you can give me some tokens, I wish you good luck and get away perfectly ID: x337edbfeb3c6aba36b02e90015be51f0057995eebbe6d8d1f26205ed8449d19c

1 for bless you 6 for stress you ID: 0x08b7f4914dab2170cdc2ed2cc9760c8478bb3652670cb2fe16f5302c3ad98701

Hello, I think your skills are very good and I admire you very much. I heard that you are being investigated. I wish you good luck. Also, can you send me a little eth if you can? I am a poor man with a family to support and my children are still young, thank you so much, God bless you ID: 0x505e8914fd0e926e53ef85ba78b7a4e73db564f36fa62a3585383f7cd33be2c8

大哥，给我发1个eth,我感谢你呀，大佬呀，你试大佬啊，你真的是大佬 (Bro, send me 1 eth. I thank you, bro. You really are my bro!) ID: 0x14ced8b1ec700ce93413e3e537c75beffd7846a68bbda53cabb5cf641296a02e

I love you, will you have e-sex with me? ID: 0x77dfa12c1d21d7385764d48a72c075c12a1ccd843457e4e364e2a7249fbe9cff
In case you are wondering, the hacker(s) appear to have made off with at least the following funds, with the US dollar values below calculated at a rate of ETH 1 = $1100, the rate at the time of writing (update [2022-06-27T17:50Z]: the rate is now closer to $1200 than $1100):
ETH total IN     Approx value     Transaction ID
--------------   --------------   ------------------------------------------------------------------
ETH  4,570.000   $5,027,000.00    0xb4d60d5161b8508098d9c21834377eaded6b8668d205dfe4bfa7b6dd30f7a192
ETH  3,899.000   $4,288,900.00    0x9cdf447483508d632c5531c5dac8ed31486c0f054c0004bc80a9e07521b3d506
ETH  7,077.000   $7,784,700.00    0xb1d78f2eeea53f1624eea3020409d47c55c868ecf3e0f896e672d04f23fac007
ETH  9,850.000   $10,835,000.00   0x9eced2a4fbc3d95a8ea1a10dd4215b6bf7cbc633d06405e9f052a35f11c59f69
ETH  4,439.000   $4,882,900.00    0x4cceded4cce367631ab6cc11288bd0840d9f9a537b982e1b903205f274fc38a4
ETH  4,431.000   $4,874,100.00    0x9cd567022752e35be9bb429e030a28efad63bcd86ffb3c48ac661c5f966e7aab
ETH  7,990.000   $8,789,000.00    0xdd37bafa2b0941df21e5c5f97558462b394a6013f756954700060ccd354f7eb2
ETH  5,380.000   $5,918,000.00    0xc8382891f4c60c86e5485816a3d79dc5a96b77ad1538b3eb1ee747f7cc18bc46
ETH 14,190.000   $15,609,000.00   0x8447ae8f9367d2f9217355065f620c4e099bfe0ecb4db0e94eb2b32246c859c7
ETH  4,965.000   $5,461,500.00    0x6650ff5c97a026258a25f9e8b15f77f68f34f6f9d5fd39b28bcce316f3b8ef87
ETH  4,919.000   $5,410,900.00    0x02a9727da800d2bb2000f346b28e925d3fffcd88f4ec2e5c0df6753dc8873139
ETH     43.394   $47,733.49       0x3eb9dd782d1c80b292c068ad657f444cba842e6757d1f3b4190c79d7651164b2
ETH    911.000   $1,002,100.00    0x134baf1e5da1ad9f2c99cad48149ac629fdf51cb44a14370756dc02c06510b99
ETH     75.000   $82,500.00       0x62a0a9f6a3ce55f7af494a0e8735a2ba00c5f30cc7b662b899db91099a3dfe60
ETH     30.000   $33,000.00       0x31b5e79ea63ffe4cc00521ec5d2224953ee0ce0cc7cf2284063c02dd494d1e15
--------------   --------------
ETH 72,769.394   $80,046,333.49
Earlier today, despite Harmony offering a “bounty” of $1,000,000 along with a statement that it will “work to ensure that no criminal charges are brought”…
We commit to a $1M bounty for returning Horizon Bridge funds and sharing exploit information.
Contact us at [email protected] or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.
Harmony will work to ensure that no criminal charges are brought where funds are returned.
— Harmony 💙 (@harmonyprotocol) June 26, 2022
… the hacker appears to have moved a sizable chunk of the aforementioned ETH 72,769 to an account that does not appear to be connected to Harmony, or at least is not claimed by it:
ETH total OUT    Approx value     Transaction ID
--------------   --------------   ------------------------------------------------------------------
ETH 18,036.300   $19,839,930.00   0x2f259dec682ccd6517c09b771d6edb439f1925e87b562a72649a708fdd0511e1
At least one obviously panicked customer came forward, more desperate and eloquent than some of the other commenters, to say:
BISH! DIDN'T YO MAMA TEACH YOU NO MANNERS? WHAT THIS SENDING 7m ONLY. JUST SEND US SOMETHING LET US KNOW YOU TAKING THE RIGHTEOUS PATH. OHH I SEE SO NOW YOU HAVE 97m IN ETHER AND JUST TAKING OFF A LITTLE OF THAT CREAM. OKAY BISH LOOKING GOOD YOU RETURN THAT 97M AND HARMONY CREW GOTS TO RESPECT THAT, 3 A MAGIC NUMBER AND ALL THAT SHI. I AIN'T SLEPT FOR DAYS, GIVE US A SIGNAL BISH, ANYTHING!!!! ID: 0x3db5cd2270c27808d282a3efccd33342da69312ba07561e2a11a6f1716b0b259
Harmony’s previous report suggests that the attacker or attackers pulled off this heist even though the fraudulent transactions required multiple signers, with each signer splitting their private key across two locations, one local and one on a key server.
Unfortunately, it appears that although the “multisig” process in this case required two out of five trusted parties to sign together, the attackers were nonetheless able to compromise two of the five required private keys.
Apparently, Harmony has now decided to require four of the five trusted parties to sign jointly, although one could argue that if two of the five trusted parties have already proved unreliable, an attacker still only needs to compromise two more, which is tantamount to restoring the status quo.
Also, what Harmony hasn’t revealed (and may not even know yet) is whether there was a common reason for the compromise of the two private keys that led to the unauthorized transfers.
Finally, it makes no sense to have N-factor authentication with N > 1 if there is a common point of failure between all N factors.
For example, if you have laptops with hard drives protected by both boot-time passwords and unique code sequences generated by a cell phone, you effectively have 3FA, requiring an attacker to: own the laptop; know the password; and either be able to unlock the user’s phone or re-seed the code sequence.
But if you have a user who writes their password and authenticator seed code on a sticky label and sticks it on the bottom of their laptop, then you’re right back at 1FA: All security is owned by the laptop itself.
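To make the arithmetic behind the last few paragraphs concrete, here is an added example that is not Harmony’s code and does not reflect how its bridge actually verifies signatures. It models a t-of-n approval policy in which each signer’s key is XOR-split into a “local” half and a “key server” half (the split scheme, the host names and the sample transaction are all constructed assumptions, and HMAC-SHA256 stands in for the real on-chain signature). It then shows that raising the threshold from 2-of-5 to 4-of-5 stops an attacker who holds exactly two keys, but does nothing at all when every half lives on the same two hosts, which is the multisig version of the sticky-label-on-the-laptop problem:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example, not Harmony's code. A real bridge verifies ECDSA/BLS
# signatures on-chain; here a "signature" is HMAC-SHA256 over the transaction
# under the signer's 32-byte secret, which is enough to show the threshold
# arithmetic and what a shared point of failure does to it.
KEY_LEN = 32


def sign(key: bytes, tx: bytes) -> bytes:
    return hmac.new(key, tx, hashlib.sha256).digest()


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """XOR-split a key into a local half and a key-server half.
    Either half alone is uniformly random; both are needed to rebuild the key.
    (Assumption: stands in for whatever split Harmony's signers actually used.)"""
    local = secrets.token_bytes(len(key))
    server = bytes(a ^ b for a, b in zip(key, local))
    return local, server


def join_key(local: bytes, server: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(local, server))


@dataclass
class Signer:
    name: str
    local_store: str   # host holding the local half, e.g. "laptop-1" (constructed)
    server_store: str  # host holding the server half, e.g. "keyserver-1" (constructed)
    local: bytes
    server: bytes
    verify_key: bytes  # HMAC is symmetric, so the verifier holds the same secret


def make_signer(name: str, local_store: str, server_store: str) -> Signer:
    key = secrets.token_bytes(KEY_LEN)
    local, server = split_key(key)
    return Signer(name, local_store, server_store, local, server, key)


def verify_policy(tx: bytes, signatures: dict[str, bytes],
                  signers: list[Signer], threshold: int) -> bool:
    """Accept tx only if at least `threshold` DISTINCT signers signed it validly."""
    valid = {
        s.name for s in signers
        if s.name in signatures
        and hmac.compare_digest(signatures[s.name], sign(s.verify_key, tx))
    }
    return len(valid) >= threshold


def keys_recoverable(signers: list[Signer], owned_stores: set[str]) -> dict[str, bytes]:
    """Keys an attacker who has read every host in `owned_stores` can rebuild.
    Each key needs BOTH halves, so what matters is how many keys the same
    small set of hosts unlocks, not how many halves exist in total."""
    return {
        s.name: join_key(s.local, s.server)
        for s in signers
        if s.local_store in owned_stores and s.server_store in owned_stores
    }


def attacker_can_spend(tx: bytes, signers: list[Signer],
                       owned_stores: set[str], threshold: int) -> bool:
    stolen = keys_recoverable(signers, owned_stores)
    forged = {name: sign(key, tx) for name, key in stolen.items()}
    return verify_policy(tx, forged, signers, threshold)


def independent_setup() -> list[Signer]:
    # every signer has its own laptop and its own key server
    return [make_signer(f"signer-{i}", f"laptop-{i}", f"keyserver-{i}") for i in range(1, 6)]


def shared_setup() -> list[Signer]:
    # all local halves on one jump host, all server halves on one key server
    return [make_signer(f"signer-{i}", "jumphost", "keyserver") for i in range(1, 6)]


def run_scenarios() -> dict[str, bool]:
    tx = b"constructed sample: bridge withdrawal"  # constructed, not a real transaction
    independent = independent_setup()
    two_keys_worth = {"laptop-1", "keyserver-1", "laptop-2", "keyserver-2"}
    shared = shared_setup()
    two_hosts = {"jumphost", "keyserver"}
    return {
        # the original 2-of-5 policy: two fully compromised keys are enough
        "independent_2of5": attacker_can_spend(tx, independent, two_keys_worth, 2),
        # the new 4-of-5 policy: the same two keys no longer suffice...
        "independent_4of5": attacker_can_spend(tx, independent, two_keys_worth, 4),
        # ...but if every half sits on the same two hosts, owning those two hosts
        # yields all five keys, and the threshold, 2 or 4, makes no difference
        "shared_2of5": attacker_can_spend(tx, shared, two_hosts, 2),
        "shared_4of5": attacker_can_spend(tx, shared, two_hosts, 4),
    }


if __name__ == "__main__":
    for scenario, spent in run_scenarios().items():
        print(f"{scenario}: {'attacker spends' if spent else 'blocked'}")
```

The useful question to ask of any N-factor or t-of-n scheme is therefore not “how many keys are needed?” but “how many independent things does an attacker have to break to get them?”, which is exactly the question Harmony has not yet answered about how its two keys were compromised.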
Don’t be that user!
And don’t let any of your friends or colleagues be that user either…