The Harmony layer-1 blockchain project team has offered a bounty equal to just 1% of the $100 million in crypto stolen in the Horizon Bridge hack last week.
Harmony tweeted on June 26 that the team had committed $1 million for the return of the funds that were stolen from the Horizon Bridge on June 23. It added, “Harmony will advocate for no criminal charges when funds are returned.”
We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information.
Contact us at firstname.lastname@example.org or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac.
Harmony will advocate for no criminal charges when funds are returned.
— Harmony (@harmonyprotocol) June 26, 2022
However, concerns have been raised that the modest bounty sum may not be enough to incentivize the attacker to return the funds.
The Horizon Bridge is a token bridge between the Harmony blockchain and the Ethereum network, Binance Chain, and Bitcoin. The Bitcoin bridge was not affected in this exploit.
Compared to other high-profile exploits this year, Harmony’s bounty offer ranks low. The $10 million offered to the Rari Fuse attacker in May was 12.5% of the total stolen. The Beanstalk Finance team offered $7.6 million, which was 10% of the total exploited from the protocol in April.
Harmony’s bounty offer is so low that the crypto trader known on Twitter as Degen Spartan called it an “insulting amount.” He added, “imagine losing 100m and thinking you’re in a position to lowball for a 1% bounty lmwo these people are just doing performance art to mitigate legal liability.”
insulting amount, gfy https://t.co/TgZ0gDOC43
— 찌 G 跻 じ Goblin of the (@DegenSpartan) June 26, 2022
In an incident response update on the Horizon bridge hack on June 25, Harmony founder Stephen Tse tweeted that the hack was not the result of a smart contract code breach. Instead, the team found evidence that private keys were compromised, which led to the breach of the bridge.
1/ An incident response update on the Horizon bridge hack
Confidentiality is key to maintain integrity as part of this ongoing investigation. The omission of specific details is to protect sensitive data in the interest of our community.
— stephen tse s.one stse.eth (@stse) June 26, 2022
Tse said that the Ethereum side of the bridge had migrated “to a 4-5 multisig since the incident.” The vulnerability of the multisig wallet requiring just two out of five signers was brought up by a community member in April, but the issue was not addressed by the Harmony team until now.
A multisig wallet is a crypto wallet that requires multiple key holders to approve a transaction. These wallets are commonly used at crypto projects.
As of the time of writing, the Horizon Bridge hacker has not moved the stolen funds into Tornado Cash, an Ether (ETH) mixer, or any other anonymizer.
Hope is not lost for Harmony, as its $1 million bounty is not the smallest in proportion to the amount of funds lost. In 2021, the Poly Network interoperability platform was hacked for $610 million. The team’s bounty offer of $500,000 was 0.08% of the total stolen. The offer was rejected, but luckily the funds were returned anyway.