CoinClear

Harmony Horizon Bridge

0.9/10

Harmony's bridge hacked for $100M by North Korea's Lazarus Group through a 2-of-5 multisig compromise. The hack killed Harmony's DeFi ecosystem and stands as a defining bridge security failure.

Updated: February 16, 2026 | AI Model: claude-4-opus | Version 1

Overview

The Harmony Horizon Bridge was the critical infrastructure connecting Harmony's Layer 1 blockchain with Ethereum and BSC. Cross-chain bridges are essential for L1 ecosystems — they allow users to bring assets from Ethereum and other major chains into the L1's DeFi ecosystem. For Harmony, the Horizon Bridge was the lifeblood of its DeFi activity, handling hundreds of millions in bridged assets.

On June 23, 2022, an attacker compromised the Horizon Bridge and drained approximately $100 million in assets (ETH, USDC, USDT, WBTC, and other tokens) from the bridge's Ethereum-side contracts. The attack was later attributed to North Korea's Lazarus Group — the state-sponsored hacking organization responsible for multiple major crypto thefts including the $625 million Ronin Bridge hack.

The root cause was devastating in its simplicity: the Horizon Bridge used a 2-of-5 multisig to control the bridge's Ethereum-side funds. The attacker compromised 2 of the 5 private keys, meeting the threshold to authorize withdrawals. A 2-of-5 multisig for a bridge holding $100M+ is an unconscionably low security threshold — it means compromising just 2 keys (out of only 5 total) gives full control over all bridged assets.

The aftermath was catastrophic for Harmony. All bridged assets on Harmony became effectively worthless — the backing was stolen, so wrapped ETH, USDC, and other bridged tokens on Harmony had no underlying value. This destroyed Harmony's entire DeFi ecosystem overnight. Protocols that held bridged assets lost everything. Users who had bridged funds were left with worthless tokens.

Harmony's team proposed a recovery plan involving increased ONE token emissions to compensate victims, but the community rejected it due to the inflationary impact. The chain has never recovered. The Harmony ecosystem is a ghost of what it was, and the bridge hack is the primary reason.

Security

The Horizon Bridge's security was catastrophically inadequate. A 2-of-5 multisig is not an appropriate security model for a bridge holding any significant value, let alone $100 million. For context:

  • 2-of-5 means only 40% compromise is needed. An attacker only needs to compromise 2 out of 5 signers.
  • The key management was centralized. All 5 keys were controlled by the Harmony team, not distributed across independent entities.
  • No time delays. There were no timelocks or withdrawal delays that could have given the team time to detect and halt the attack.
  • No monitoring alerts. The exploit drained funds over multiple transactions without triggering effective automated alerts.
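The last two points work together: a withdrawal delay only helps if something is watching the queue, and a monitor only helps if funds have not already left. The sketch below is an added example, not Horizon's contract code; the delay, window, limit and the sample drain are constructed values chosen for illustration.

```python
# Added illustration: not Horizon's contracts. Delay, window and limit are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Withdrawal:
    ts: int       # request time, seconds
    amount: int   # USD-equivalent

def run_bridge(requests, locked_value, delay_s, window_s=3600, limit_bps=None):
    """Replay withdrawal requests through a delay queue with an outflow monitor.

    A request executes delay_s after it is queued. The monitor pauses the
    bridge when requests queued within window_s exceed limit_bps (basis
    points) of locked_value; limit_bps=None means no monitor.
    Returns (paused_at, released, blocked).
    """
    queued, paused_at = [], None
    for req in sorted(requests, key=lambda r: r.ts):
        queued.append(req)
        recent = sum(q.amount for q in queued if req.ts - q.ts < window_s)
        if limit_bps is not None and recent * 10_000 > limit_bps * locked_value:
            paused_at = req.ts
            break
    total = sum(r.amount for r in requests)
    if paused_at is None:
        return None, total, 0          # nothing stopped the outflow
    # Only requests whose delay had already elapsed at pause time got out.
    released = sum(q.amount for q in queued if q.ts + delay_s <= paused_at)
    return paused_at, released, total - released

# Constructed sample: ten 10M requests, five minutes apart, against 100M locked.
LOCKED = 100_000_000
DRAIN = [Withdrawal(ts=i * 300, amount=10_000_000) for i in range(10)]

def compare():
    return {
        "no_delay_no_monitor": run_bridge(DRAIN, LOCKED, delay_s=0),
        "monitor_only": run_bridge(DRAIN, LOCKED, delay_s=0, limit_bps=1000),
        "delay_and_monitor": run_bridge(DRAIN, LOCKED, delay_s=6 * 3600, limit_bps=1000),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the monitor alone the pause lands after the first two requests have already executed; with the delay in place, nothing has left the queue when the pause fires.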

The Lazarus Group's attack method — likely phishing or social engineering to obtain private keys — exploited the human layer, not a smart contract vulnerability. This makes it even more damning: the bridge was not hacked through a clever technical exploit but through basic operational security failure.

After the hack, the FBI confirmed Lazarus Group attribution. The stolen funds were laundered through Tornado Cash and various chain-hopping techniques typical of North Korean crypto theft operations.

Technology

The Horizon Bridge's technical architecture was a standard lock-and-mint bridge: assets were locked in contracts on Ethereum/BSC, and wrapped versions were minted on Harmony. The technology was functional but unremarkable.

The critical technological failure was the multisig configuration — 2-of-5 with all keys controlled by one team. More sophisticated bridges use MPC (multi-party computation), validator-based attestation, or optimistic verification with challenge periods. Horizon used the simplest and least secure approach.

Decentralization

The Horizon Bridge was fully centralized. All 5 multisig keys were controlled by the Harmony team. There was no external validator set, no decentralized attestation, and no community oversight of bridge operations. The bridge was a centralized custodial service masquerading as blockchain infrastructure.

This centralization was the exploit's enabler. A decentralized validator set would have required compromising multiple independent parties across different security domains — a much harder attack than compromising 2 keys from a single team.
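The difference between a signing threshold and the number of independent parties behind it can be checked mechanically. The following is an added example, not Harmony's code: it treats "all keys controlled by the Harmony team" as a single security domain, and the alternative layouts and operator names are hypothetical.

```python
# Added illustration, not Harmony's code. All signer layouts are constructed.
from collections import Counter

def min_domains_to_breach(threshold, key_domains):
    """Fewest independent security domains an attacker must compromise to
    hold `threshold` keys. key_domains maps key id -> domain that holds it."""
    if not 1 <= threshold <= len(key_domains):
        raise ValueError("threshold must be between 1 and the number of keys")
    per_domain = Counter(key_domains.values())
    held = 0
    # Greedy is optimal: counting the domains with the most keys first
    # reaches the threshold in the fewest breaches.
    for breached, (_, count) in enumerate(per_domain.most_common(), start=1):
        held += count
        if held >= threshold:
            return breached

# Layout as the page describes it: 2-of-5, every key held by one team.
HORIZON = {f"key{i}": "harmony-team" for i in range(1, 6)}
# Hypothetical alternatives for comparison.
SPREAD_2_OF_5 = {f"key{i}": f"operator-{i}" for i in range(1, 6)}
SPREAD_5_OF_9 = {f"key{i}": f"operator-{i}" for i in range(1, 10)}
# High threshold on paper, but one operator holds four of the nine keys.
SKEWED_5_OF_9 = {**{f"key{i}": "operator-1" for i in range(1, 5)},
                 **{f"key{i}": f"operator-{i}" for i in range(5, 10)}}

def report():
    return {
        "horizon 2-of-5, one team": min_domains_to_breach(2, HORIZON),
        "2-of-5, five operators": min_domains_to_breach(2, SPREAD_2_OF_5),
        "5-of-9, nine operators": min_domains_to_breach(5, SPREAD_5_OF_9),
        "5-of-9, one operator holds 4": min_domains_to_breach(5, SKEWED_5_OF_9),
    }

if __name__ == "__main__":
    for layout, domains in report().items():
        print(f"{layout}: {domains} domain(s) to reach threshold")
```

A design review can run the same check against the real signer roster: the number to report is domains to threshold, not keys to threshold.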

Adoption

Pre-hack, the Horizon Bridge was the primary entry point for Harmony's DeFi ecosystem, processing significant volume. Post-hack, the bridge is unusable and the Harmony ecosystem has collapsed. TVL on Harmony dropped from hundreds of millions to near zero. Most DeFi protocols on Harmony shut down or migrated to other chains. Adoption went from meaningful to zero overnight.

Tokenomics

The bridge itself had no token, but the hack devastated ONE (Harmony's native token) and all bridged assets on Harmony. ONE lost 60%+ of its remaining value following the hack. Bridged tokens (1ETH, 1USDC, etc.) became worthless as their backing was stolen. The proposed recovery emission plan was rejected, leaving victims with no compensation path.

Risk Factors

  • BRIDGE IS COMPROMISED AND NON-FUNCTIONAL. Do not use.
  • $100M stolen by Lazarus Group: State-sponsored hackers drained all bridged assets
  • Harmony ecosystem destroyed: The hack killed the chain's DeFi ecosystem
  • No victim compensation: Proposed recovery plan rejected; losses are permanent
  • Centralized security failure: 2-of-5 multisig with all keys from one team
  • Funds laundered: Stolen assets processed through Tornado Cash, recovery unlikely
  • Regulatory implications: OFAC sanctioned Lazarus Group; any recovered funds may be frozen

Conclusion

The Harmony Horizon Bridge hack is one of the most consequential security failures in crypto history — not because $100 million is the largest amount stolen (the Ronin hack was larger), but because it completely destroyed an entire blockchain ecosystem. The 0.9 score reflects a bridge that failed in every dimension: security was negligent (2-of-5 multisig), decentralization was nonexistent (all keys from one team), and the consequences were total (ecosystem destruction with no recovery). The Horizon hack is required reading for anyone involved in bridge design or security. The lesson is brutally simple: if you secure $100 million with 2 keys, you deserve to lose it. Unfortunately, it was the users who paid the price for the team's negligence.
