Another day, another DeFi (decentralized finance) attack.
This time, Ether cryptocoins worth more than $80,000,000 have been looted from online smart contract company Harmony, which describes itself as an “open and fast blockchain”.
Surprisingly (or unsurprisingly, depending on your point of view), if you visit Harmony’s website, you would probably be completely unaware of the massive loss the business has just suffered.
Even the official blog of the business, linked from the website, does not mention it.
The most recent blog article dates from the very start of 2022, and is entitled Lost Fund Investigation Report.
Unfortunately, those lost funds are not these lost funds.
Apparently, at the start of the year, those funds were lost when more than 19 million of Harmony’s ONE tokens were snatched, worth about 25 US cents each at the time.
Harmony made an offer on 04 January 2022, stating that:
We would like to give the suspect the opportunity to contact the Harmony Foundation and return all funds. Harmony will not take further legal action or damage your identity until we have your full cooperation. The team will make a donation to reveal how the theft was committed until it can be verified.
We’re not sure whether it’s legitimate for a company to offer to rewrite history by pretending that an unauthorized, and possibly illegal, hack was actually legitimate research, even though it did seem to work in the case of the infamous $600 million hack on the Poly Network.
In that case, the perpetrator put out a curious pseudo-political declaration on the blockchain, written in all caps in artificially poor English, claiming that money was not the motive behind the crime.
In the end, after flattering the cracker with the nickname Mr. White Hat, the Poly Network (to the surprise of many, ourselves included) got most of its funds back.
We’re also not sure how much protection from prosecution a victim’s offer not to “press charges” can really provide, because in many countries it is the state, not the victim, that decides whether to investigate, charge and prosecute suspected criminals.
Some countries, such as England, give private individuals (including professional bodies and charities) the right to bring a private prosecution if the state declines to do so, but they do not give crime victims the corollary right to stop a prosecution if the state wants to go ahead.
Nonetheless, the unexpected success of the Poly Network in recovering more than half a billion dollars has encouraged other cryptocurrency businesses to try this “clean slate” approach, probably because they often can’t do anything else.
But it doesn’t seem to work terribly often.
It certainly doesn’t seem to have worked for Harmony in January 2022, although if the offenders have not yet managed to cash out their ill-gotten gains, they may regret not accepting the offer.
On 15 January 2022, when Harmony’s fake “bug bounty offer” expired, ONE tokens peaked at $0.35, but they have been declining ever since and are now 2.5 cents each, according to CoinGecko.
Once more unto the breach
This didn’t stop Harmony from trying the bug-bounty-based historical-revisionism approach again, reaching out to the hackers in June 2022 via the Ethereum blockchain:
The Harmony team is interested in communicating and negotiating. Please reach out at [email protected] to start a conversation. Communication can be anonymous. ID: 0xc8f0dbe83ef36ab59c1fd57099d5ed98c65ff71d0cc69d0084ca570ee26141bb
Since then, many other chancers, jokers and would-be recipients of cryptocurrency have weighed in on the blockchain too …
Technology is the primary productive force, amazing, great god, I hope you can give me some tokens, I wish you good luck and get away perfectly ID: x337edbfeb3c6aba36b02e90015be51f0057995eebbe6d8d1f26205ed8449d19c
1 for bless you 6 for stress you ID: 0x08b7f4914dab2170cdc2ed2cc9760c8478bb3652670cb2fe16f5302c3ad98701
Hello, I think your skills are very good and I admire you very much. I heard that you are being investigated. I wish you good luck. Also, can you send me a little eth if you can? I am a poor man with a family to support and my children are still young, thank you so much, God bless you ID: 0x505e8914fd0e926e53ef85ba78b7a4e73db564f36fa62a3585383f7cd33be2c8
大哥,给我发1个eth,我感谢你呀,大佬呀,你试大佬啊,你真的是大佬 (Bro, send me 1 eth. I thank you, bro. You really are my bro!) ID: 0x14ced8b1ec700ce93413e3e537c75beffd7846a68bbda53cabb5cf641296a02e
I love you, will you have e-sex with me? ID: 0x77dfa12c1d21d7385764d48a72c075c12a1ccd843457e4e364e2a7249fbe9cff
The hacker or hackers appear to have made off with at least the following funds, with US$ values calculated at ETH1 = US$1100 (the rate at the time of writing [2022-06-27T17:50Z] was actually between $1100 and around $1200):
ETH total IN       Approx value      Transaction ID
--------------     --------------    ------------------------------------------------------------------
ETH  4,570.000      $5,027,000.00    0xb4d60d5161b8508098d9c21834377eaded6b8668d205dfe4bfa7b6dd30f7a192
ETH  3,899.000      $4,288,900.00    0x9cdf447483508d632c5531c5dac8ed31486c0f054c0004bc80a9e07521b3d506
ETH  7,077.000      $7,784,700.00    0xb1d78f2eeea53f1624eea3020409d47c55c868ecf3e0f896e672d04f23fac007
ETH  9,850.000     $10,835,000.00    0x9eced2a4fbc3d95a8ea1a10dd4215b6bf7cbc633d06405e9f052a35f11c59f69
ETH  4,439.000      $4,882,900.00    0x4cceded4cce367631ab6cc11288bd0840d9f9a537b982e1b903205f274fc38a4
ETH  4,431.000      $4,874,100.00    0x9cd567022752e35be9bb429e030a28efad63bcd86ffb3c48ac661c5f966e7aab
ETH  7,990.000      $8,789,000.00    0xdd37bafa2b0941df21e5c5f97558462b394a6013f756954700060ccd354f7eb2
ETH  5,380.000      $5,918,000.00    0xc8382891f4c60c86e5485816a3d79dc5a96b77ad1538b3eb1ee747f7cc18bc46
ETH 14,190.000     $15,609,000.00    0x8447ae8f9367d2f9217355065f620c4e099bfe0ecb4db0e94eb2b32246c859c7
ETH  4,965.000      $5,461,500.00    0x6650ff5c97a026258a25f9e8b15f77f68f34f6f9d5fd39b28bcce316f3b8ef87
ETH  4,919.000      $5,410,900.00    0x02a9727da800d2bb2000f346b28e925d3fffcd88f4ec2e5c0df6753dc8873139
ETH     43.394         $47,733.49    0x3eb9dd782d1c80b292c068ad657f444cba842e6757d1f3b4190c79d7651164b2
ETH    911.000      $1,002,100.00    0x134baf1e5da1ad9f2c99cad48149ac629fdf51cb44a14370756dc02c06510b99
ETH     75.000         $82,500.00    0x62a0a9f6a3ce55f7af494a0e8735a2ba00c5f30cc7b662b899db91099a3dfe60
ETH     30.000         $33,000.00    0x31b5e79ea63ffe4cc00521ec5d2224953ee0ce0cc7cf2284063c02dd494d1e15
--------------     --------------
ETH 72,769.394     $80,046,333.49
Earlier today, despite Harmony offering a $1,000,000 “grant” and saying it would “support any criminal charges” …
We pledge a 1M bounty to return Horizon Bridge funds and share exploitation information.
Contact us at [email protected] or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.
Harmony will support any criminal charges if the funds are returned.
– Harmony 💙 (@harmonyprotocol) June 26, 2022
… the hacker appears to have paid out a significant portion of the ETH 72,769 above to an account that does not seem to be connected to Harmony, or at least one that Harmony has not claimed:
ETH total OUT      Approx value      Transaction ID
--------------     --------------    ------------------------------------------------------------------
ETH 18,036.300     $19,839,930.00    0x2f259dec682ccd6517c09b771d6edb439f1925e87b562a72649a708fdd0511e1
At least one apparently panicked customer weighed in more desperately, and more eloquently, than the other commenters:
BISH! DIDN'T YO MAMA TEACH YOU NO MANNERS? WHAT THIS SENDING 7m ONLY. JUST SEND US SOMETHING LET US KNOW YOU TAKING THE RIGHTEOUS PATH. OHH I SEE SO NOW YOU HAVE 97m IN ETHER AND JUST TAKING OFF A LITTLE OF THAT CREAM. OKAY BISH LOOKING GOOD YOU RETURN THAT 97M AND HARMONY CREW GOTS TO RESPECT THAT, 3 A MAGIC NUMBER AND ALL THAT SHI. I AIN'T SLEPT FOR DAYS, GIVE US A SIGNAL BISH, ANYTHING!!!! ID: 0x3db5cd2270c27808d282a3efccd33342da69312ba07561e2a11a6f1716b0b259
What happened?
Harmony’s write-up so far suggests that the attacker or attackers managed to drag off this loot even though fraudulent transactions required multiple signatures, with each signer’s private key split between two storage locations, one local and one on a keyserver.
Unfortunately, it appears that although the “multisig” process required co-signing by two of five trusted parties, the attackers were able to compromise the two of the five private keys that they needed.
Clearly, Harmony has now decided to require co-signing by four of the five trusted parties, although you could argue that since two of the five have already shown they can’t be relied upon, this is tantamount to restoring the status quo of “two trusted parties”.
Also, what Harmony has not yet disclosed (and may still not know) is whether there was a common cause behind the compromise of the two private keys that led to the unauthorized transfer.
After all, N-factor authentication with N > 1 makes little sense if all N factors have a common point of failure.
For example, if you have a laptop whose hard disk is protected by a boot-time password plus a one-time code sequence generated on a mobile phone, you effectively have 3FA, which requires an attacker to: grab the laptop; know the password; and be able either to unlock the user’s phone or to retrieve the seed for the code sequence.
But if your users write their password and their authentication seed on a sticky label and stick it under their laptop, you’re straight back to 1FA: all the security now depends on physical possession of the laptop.
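As an added illustration of the “common point of failure” argument (this is not Harmony’s code, and the write-up does not say whether the signers shared a keyserver, so both layouts are modelled with constructed location names), the Python below treats a key as recoverable only when every location holding one of its shares is breached, and counts the fewest locations an attacker must breach to reach a k-of-n signing threshold. The same model covers the 3FA laptop with and without the sticky note.

```python
from itertools import combinations

# Added model, not Harmony's code. A key is recoverable only when EVERY location
# holding one of its shares is breached; a transaction is forgeable once at
# least `threshold` keys are recoverable. Location names are constructed labels.

def recoverable_keys(breached, key_shares):
    """Keys whose every share sits in a breached location."""
    return {key for key, locs in key_shares.items() if locs <= breached}

def threshold_met(breached, key_shares, threshold):
    return len(recoverable_keys(breached, key_shares)) >= threshold

def min_breaches_to_forge(key_shares, threshold):
    """Fewest distinct locations an attacker must breach to reach the
    threshold. This, not the threshold itself, is the real security margin,
    and it shrinks whenever several keys share a location."""
    locations = sorted({loc for locs in key_shares.values() for loc in locs})
    for r in range(1, len(locations) + 1):
        for combo in combinations(locations, r):
            if threshold_met(set(combo), key_shares, threshold):
                return r
    return None  # threshold unreachable even if everything is breached

def shared_keyserver(n):
    """n signers; each key split between the signer's laptop and ONE common keyserver."""
    return {f"signer{i}": frozenset({f"laptop{i}", "keyserver"}) for i in range(1, n + 1)}

def separate_keyservers(n):
    """n signers; each key split between the signer's laptop and their own keyserver."""
    return {f"signer{i}": frozenset({f"laptop{i}", f"keyserver{i}"}) for i in range(1, n + 1)}

# The post's laptop example: boot password + phone-generated codes on top of the
# laptop itself. One "key", three factors, each kept in its own place...
LAPTOP_3FA = {"login": frozenset({"laptop", "memorised_password", "phone"})}
# ...versus the password and the OTP seed written on a sticky note under the laptop.
LAPTOP_STICKY_NOTE = {"login": frozenset({"laptop"})}

if __name__ == "__main__":
    cases = [
        ("2-of-5 multisig, shared keyserver", shared_keyserver(5), 2),
        ("2-of-5 multisig, separate keyservers", separate_keyservers(5), 2),
        ("4-of-5 multisig, shared keyserver", shared_keyserver(5), 4),
        ("4-of-5 multisig, separate keyservers", separate_keyservers(5), 4),
        ("laptop with 3FA", LAPTOP_3FA, 1),
        ("laptop with sticky note", LAPTOP_STICKY_NOTE, 1),
    ]
    for label, shares, t in cases:
        print(f"{label}: attacker needs {min_breaches_to_forge(shares, t)} breach(es)")
```

With one shared keyserver, raising the threshold from 2-of-5 to 4-of-5 lifts the attacker’s work from 3 breached locations to 5, while separate keyservers lift it to 4 and 8 respectively; the sticky note collapses the laptop’s 3 to 1.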
Don’t be that user!
And don’t let any of your friends or colleagues be that user, either …