What can we learn from the Harmony bridge hack?



A few months ago, Vitalik Buterin argued in a public post that the future of the crypto space will be multi-chain rather than cross-chain, citing reasons including the security of bridges. Like many of his posts, it was ignored by the wider community. Back then, dApps were busy flexing APYs, and APY addicts ignored the post because it had too many words - who had time to read!


The hack of the Harmony One bridge is not the first and it will not be the last. As DeFi users living through bear market conditions, we can take the time now to expand our knowledge of the space we participate in.


Don’t expect projects to allocate resources to educating users about the risks of using EVM-forked dApps, because they dedicate almost all of their resources to shilling APYs. Don’t defer your opinion to people you follow on Twitter, because almost all of them are either naively biased or unapologetically mercenary.


A question:


If you bridge 10 USDC onto the Harmony One EVM, and the bridge is hacked, what happens to your 10 USDC? The answer is simple: you lose them on Ethereum forever.


A forked dApp on an EVM not only inherits the risk of the EVM it operates on but also the bridges that users use to transfer assets.


Hack TL;DR

  • The Harmony bridge was hacked, causing DAI, USDC, USDT, AAVE and other locked assets on Ethereum to be drained completely.

  • The bridged assets above become unbacked, meaning your 10 USDC on Harmony is backed by nothing on Ethereum.

  • The hack impacts the entire Harmony EVM chain and its dApps.

  • Assets like LINK and ONE were not exploited, meaning if you had 10 LINK, you could still bridge them back to Ethereum for 10 LINK.


What happened to Aave V3 on Harmony?

The first problem the protocol has faced is pricing the hacked assets. Inexplicably, they still priced 1 USDC as $1. In reality 1 USDC on Harmony equals ~ $0 because there is not any USDC backing it on Ethereum.


That opened the door for Aave V3 on Harmony to become insolvent. Here is how:


  • Users would buy hacked assets at “real” prices that were closer to zero, then deposit them as collateral priced at an inflated price since Aave didn’t update prices to reflect the hack, and then borrow unaffected assets like LINK and ONE. Users then would send LINK/ONE back to Ethereum and cash it out.

  • Depositors of USDC and other hacked assets knew that there was little chance their deposits would regain their value (restoring value means Harmony needs to inject $100M or recover the stolen funds), so they borrowed LINK and ONE as a safe refuge.

  • Aave could not change the price of hacked assets to reflect real prices because that would have meant instant liquidations of many loans; in fact, even if they did that, liquidators would not have liquidated undercollateralized loans that are backed by the hacked assets because they would not have been able to liquidate assets of zero value.


The situation has created a potential collapse of the entire protocol on Harmony One given the shared-pool design where a few worthless assets are used as collateral to borrow all unaffected assets in the entire protocol such as LINK, ONE, and others.
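
An added example, not code from the original post or from Aave: a simplified Python model of the shortfall described above, comparing a shared pool with isolated markets and checking whether liquidating the hacked collateral pays. All prices, market sizes, the LTV and the liquidation bonus are constructed, and the function names are hypothetical.

```python
# Added illustration: all prices, sizes and parameters are constructed,
# not Harmony or Aave data. Function names are hypothetical.
ORACLE = {"USDC": 1.00, "LINK": 6.00, "ONE": 0.02}  # stale feed: bridged USDC still $1
REAL = {"USDC": 0.00, "LINK": 6.00, "ONE": 0.02}    # unbacked USDC at the page's ~$0
LTV = 0.80     # assumed loan-to-value ratio
BONUS = 0.05   # assumed liquidation bonus

# (collateral asset, borrowable asset) -> units of the borrowable asset supplied.
# In shared-pool mode the collateral label is ignored: all liquidity is one pool.
MARKETS = {
    ("USDC", "LINK"): 1_000,
    ("USDC", "ONE"): 100_000,
    ("ONE", "LINK"): 4_000,
    ("LINK", "ONE"): 900_000,
}

def loss_at_risk(hacked, deposit_units, shared_pool):
    """Real USD shortfall if `deposit_units` of unbacked `hacked` back a loan.

    shared_pool=True: the collateral can draw on every market's liquidity.
    shared_pool=False: it can only draw on markets that list it as collateral.
    """
    borrow_limit = deposit_units * ORACLE[hacked] * LTV
    reachable = sum(
        units * REAL[asset]
        for (collateral, asset), units in MARKETS.items()
        if asset != hacked and (shared_pool or collateral == hacked)
    )
    debt = min(borrow_limit, reachable)
    return max(0.0, debt - deposit_units * REAL[hacked])

def liquidator_profit(collateral, collateral_units, debt_usd, oracle):
    """Real USD profit from repaying `debt_usd` and seizing collateral sized by `oracle`."""
    price = oracle[collateral]
    # A zero oracle price entitles the liquidator to everything; it is still worth nothing.
    seized = collateral_units if price == 0 else min(
        collateral_units, debt_usd * (1 + BONUS) / price)
    return seized * REAL[collateral] - debt_usd

if __name__ == "__main__":
    print("shared pool loss  :", loss_at_risk("USDC", 100_000, shared_pool=True))
    print("isolated loss     :", loss_at_risk("USDC", 100_000, shared_pool=False))
    print("liquidate (stale) :", liquidator_profit("USDC", 100_000, 1_000, ORACLE))
    print("liquidate (fixed) :", liquidator_profit("USDC", 100_000, 1_000, REAL))
```

With these constructed numbers the shared pool's shortfall is all of its healthy liquidity, the isolated shortfall is limited to the markets that accept the hacked asset, and liquidation loses money whether or not the oracle is repriced.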


Moral of the story

  • Yes, isolated markets could have prevented this issue. Only markets of hacked assets would become insolvent.

  • Forked projects are prone to two risks: the chain they operate on and the bridges that users use to transfer assets.

  • As users we are not qualified to assess the risk of bridges.

  • Try to hold native assets rather than bridged ones.

  • Use L2s instead. Transferring assets between Ethereum and an L2 is perfectly safe.

  • Lastly, just because a project can be on 10 EVMs doesn’t mean it should be. Most of the time teams fork onto new chains for short-lived reasons mostly related to token price.
