On Tuesday, blockchain-based digital identity project Humanity Protocol gave an update on the recent bridge exploit that led to a loss of $36 million in user funds. According to the project, an employee’s laptop had been compromised, which allowed the attackers to take control of the bridge and upgrade its contracts without authorization.
One point of failure is all that matters
The project remarked that Monday’s attack impacted its native H token across both the Ethereum (ETH) and Binance Chain (BNB) networks.
The Humanity Protocol team stated that three of the six Gnosis Safe owner keys were leaked, enabling the attackers to assume total control of the inter-blockchain bridges on the two networks.
For the uninitiated, Gnosis Safe owner keys are the private keys held by authorized signers who collectively control a multisignature wallet. Transactions or administrative actions can only be executed when a predefined number of these keys approve them, reducing the risk of a single point of failure.
After gaining control of the bridges, the attackers upgraded Humanity Protocol’s bridge contracts to malicious versions. On the Ethereum network, they stole close to 141.2 million H tokens.
Meanwhile, on Binance Chain, the attackers inserted a function into the smart contract that made it possible to mint unlimited tokens. They then minted close to 200 million tokens and withdrew them directly into their own wallet.
The project’s founder, Terence Kwok, stated that it is likely that some of the keys were backed up on the compromised device. The incident is a reminder of how a single point of failure can render every blockchain security audit meaningless.
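The two points above, that a Safe only executes once a threshold of owner keys approve, and that keys backed up on the same device are not independent, can be checked with a small model. The following is an added example written for this page, not code from Humanity Protocol or Gnosis Safe: the owner names, the 3-of-6 threshold and the device layouts are constructed assumptions, and the brute-force search over device subsets is a generalization that reports the smallest number of compromised devices needed to reach the threshold for any layout.

```python
from itertools import combinations

# Constructed example: six Safe owners, any three of whom can approve an upgrade.
OWNERS = ["A", "B", "C", "D", "E", "F"]
THRESHOLD = 3

# Constructed layouts: owner -> set of devices holding that key (primary plus any backup).
# In RISKY_LAYOUT, owners A, B and C each keep a backup on the same laptop, so a single
# compromised device exposes enough keys to meet the threshold.
RISKY_LAYOUT = {
    "A": {"hw-wallet-A", "laptop-1"},
    "B": {"hw-wallet-B", "laptop-1"},
    "C": {"hw-wallet-C", "laptop-1"},
    "D": {"hw-wallet-D"},
    "E": {"hw-wallet-E"},
    "F": {"hw-wallet-F"},
}
# In HARDENED_LAYOUT every key lives on exactly one device, with no shared backups.
HARDENED_LAYOUT = {o: {f"hw-wallet-{o}"} for o in OWNERS}


def approvals_meet_threshold(approving, owners=OWNERS, threshold=THRESHOLD):
    """Simplified model of the multisig check: only distinct approvals from
    authorised owners count, so duplicates and outsiders are ignored."""
    return len(set(approving) & set(owners)) >= threshold


def keys_exposed_by(devices, layout):
    """Owner keys an attacker holds after compromising the given devices."""
    return {owner for owner, locs in layout.items() if locs & set(devices)}


def min_devices_to_reach_threshold(layout, threshold=THRESHOLD):
    """Smallest number of compromised devices that yields at least `threshold` keys.
    Returns (count, device set). Brute force over device subsets is fine for the
    handful of devices a multisig uses; returns None if the threshold is unreachable."""
    devices = sorted({d for locs in layout.values() for d in locs})
    for k in range(1, len(devices) + 1):
        for subset in combinations(devices, k):
            if len(keys_exposed_by(subset, layout)) >= threshold:
                return k, set(subset)
    return None


if __name__ == "__main__":
    for name, layout in (("risky", RISKY_LAYOUT), ("hardened", HARDENED_LAYOUT)):
        k, devs = min_devices_to_reach_threshold(layout)
        exposed = keys_exposed_by(devs, layout)
        print(f"{name}: {k} device(s) {sorted(devs)} expose keys {sorted(exposed)}; "
              f"upgrade would be approved: {approvals_meet_threshold(exposed)}")
```

The useful number for a defender is the device count, not the key count: a 3-of-6 Safe whose keys are co-located on one laptop is effectively 1-of-1, and the hardened layout only restores the intended three-device requirement.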
In their announcement, Humanity Protocol added that they had temporarily paused all withdrawals and deposits to the affected bridges and were continuing to work with crypto exchanges to explore recovery options.
Blockchain experts weigh in on the exploit
Initially, blockchain sleuth and on-chain investigator ZachXBT raised suspicions that Humanity Protocol’s market-maker and over-the-counter activity may have been connected to the protocol exploit.
Later, the analyst corrected himself, saying that the market-maker and over-the-counter activity was independent from the private key compromise.
In the same vein, Allium Labs research lead Elton Shehdula noted that, rather than a single perpetrator, the exploit’s on-chain pattern points to a carefully orchestrated operation.
Shehdula added that the wallets were funded from an exchange and a crypto mixer several weeks before the exploit was carried out. He concluded that the level of sophistication points toward either an “insider or outside actor” who had held the compromised keys for some time.
In similar news, DeFi protocol Echo was exploited on May 18, resulting in a loss of funds worth $77 million.