Analysis of the HECO Bridge and HTX Exploit


Learn how the HECO bridge and HTX were exploited, resulting in a loss of $99.3 million.

TL;DR

On November 22, 2023, HTX (Huobi)'s hot wallets were compromised for roughly $12.5 million, and its HECO Chain's Ethereum Bridge suffered a loss of about $86.8 million, cumulatively amounting to a total loss of approximately $99.3 million in assets.

Introduction to HECO and HTX

Huobi Global is a centralized international digital asset exchange.

The HECO bridge enables the movement of digital assets between the Huobi Eco Chain and other blockchain networks, such as Ethereum.

Vulnerability Assessment

The root cause of the exploit is the compromised operator account.

Steps

Step 1:

We attempt to analyze one of the attack transactions executed by the exploiter.

Step 2:

The exploiter was able to directly withdraw the funds through the privilege address, which can only be controlled by the operator. Therefore, the likely cause of the exploit is the compromise of the private keys of this operator account.

```solidity
// Bridge withdrawal entry point: callable only by an operator key (onlyOperator),
// only while the bridge is not paused, and only for a positive amount.
function withdrawNative(address payable to, uint value, string memory proof, bytes32 taskHash) public onlyOperator whenNotPaused positiveValue(value) returns (bool) {
  require(address(this).balance >= value, "not enough native token");
  // The caller supplies the task hash; it is only checked for consistency with (to, value, proof).
  require(taskHash == keccak256((abi.encodePacked(to, value, proof))), "taskHash is wrong");
  // Records this operator's approval; the task completes once operatorRequireNum operators have backed it.
  uint256 status = logic.supportTask(logic.WITHDRAWTASK(), taskHash, msg.sender, operatorRequireNum);

  if (status == logic.TASKPROCESSING()) {
    emit WithdrawingNative(to, value, proof);
  } else if (status == logic.TASKDONE()) {
    emit WithdrawingNative(to, value, proof);
    emit WithdrawDoneNative(to, value, proof);
    // Funds leave the bridge as soon as the approval threshold is reached.
    to.transfer(value);
    logic.removeTask(taskHash);
  }
  return true;
}
```

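To make the approval threshold concrete, the following is an added Python model of the flow in withdrawNative; it is not the HECO contract's code. It assumes a hypothetical Bridge class with three operators, a 100-unit balance and sha256 in place of keccak256; the real value of operatorRequireNum in the deployed bridge is not given on this page.

```python
import hashlib

TASKPROCESSING, TASKDONE = 1, 2


def task_hash(to: str, value: int, proof: str) -> str:
    # Stand-in for keccak256(abi.encodePacked(to, value, proof)); sha256 keeps the model dependency-free.
    return hashlib.sha256(f"{to}|{value}|{proof}".encode()).hexdigest()


class Bridge:
    def __init__(self, operators, operator_require_num, balance):
        self.operators = set(operators)
        self.require = operator_require_num  # operatorRequireNum in the contract
        self.balance = balance
        self.tasks = {}  # taskHash -> operators that have supported it
        self.withdrawn = []

    def support_task(self, th, operator):
        # Models logic.supportTask: a task completes once enough distinct operators back it.
        votes = self.tasks.setdefault(th, set())
        votes.add(operator)
        return TASKDONE if len(votes) >= self.require else TASKPROCESSING

    def withdraw_native(self, operator, to, value, proof, th):
        # Mirrors withdrawNative's checks: onlyOperator, positiveValue, balance, taskHash.
        if operator not in self.operators:
            raise PermissionError("onlyOperator")
        if value <= 0 or self.balance < value:
            raise ValueError("not enough native token")
        if th != task_hash(to, value, proof):
            raise ValueError("taskHash is wrong")
        status = self.support_task(th, operator)
        if status == TASKDONE:
            self.balance -= value
            self.withdrawn.append((to, value))
            del self.tasks[th]  # logic.removeTask
        return status


def single_key_compromise(operator_require_num):
    # Constructed scenario: three operators, one ("op1") compromised, bridge holds 100 units.
    bridge = Bridge(["op1", "op2", "op3"], operator_require_num, balance=100)
    to, value, proof = "0xPLACEHOLDER-RECIPIENT", 100, "constructed-proof"
    status = bridge.withdraw_native("op1", to, value, proof, task_hash(to, value, proof))
    return status, bridge.balance


if __name__ == "__main__":
    print(single_key_compromise(1))  # one key suffices: (TASKDONE, 0)
    print(single_key_compromise(2))  # a second operator is still needed: (TASKPROCESSING, 100)
```

With a threshold of one, a single compromised operator key drains the bridge in one call; with a higher threshold the same call only leaves a pending task, which is also the event a monitoring system can alert on before funds move.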

Step 3:

This hot wallet was also affected, causing a loss of assets worth 4.25 million KOK tokens and 2.19 million ARIX tokens.

Step 4:

Apparently, the hacker forgot to swap $1.15 million worth of ARIX tokens at this address.

Step 5:

This compromised operator account began withdrawing funds from the bridge to the attacker's address, and then the majority of these stolen assets were accumulated in this wallet.

Step 6:

The compromised HTX hot wallet addresses also transferred funds directly to multiple addresses of the attacker.

Step 7:

The stolen assets on the HECO bridge include $42.11 million worth of USDT, 489 HBTC worth approximately $19 million, 346 billion SHIB worth approximately $2.769 million, 173,200 UNI tokens worth approximately $879,856, 619,000 USDC, 42,399 LINK tokens worth $605,033, 10,145 ETH worth approximately $20.5 million, and 346,994 TUSD, which total approximately $86.8 million.

Step 8:

The following are the addresses of the hackers that are linked to the stolen funds:


Step 9:

At the time of this writing, this address controlled by the hacker holds 30,949.44 ETH, which is worth approximately $63,635,641.

Step 10:

Given the sudden influx of funds, the HTX team proactively transferred all of the funds from some of their hot wallets to this Huobi Recovery address.

Aftermath

Approximately two hours after the exploit, Justin Sun acknowledged the incident and confirmed the compromise of the HTX and Heco Cross-Chain Bridge. He assured that HTX would fully compensate for the losses of HTX hot wallet addresses. The deposits and withdrawals have been temporarily suspended.

This hack comes just 12 days after the incident at Poloniex, a cryptocurrency exchange also owned by Justin Sun, which suffered a loss of over $123 million worth of assets, likely due to the compromise of private keys. In late September, hackers targeted the hot wallet of Huobi Global's HTX exchange, resulting in a loss of 4,999 ETH worth approximately $8 million.

Therefore, HECO and HTX are the third and fourth incidents within three months on Sun-linked projects, totaling $233 million in losses, of which just $8 million has been recovered thus far.

Solution

The recent exploit of Justin Sun's projects, including the HECO and HTX platforms, highlights an urgent need for an overhaul in their security protocols, emphasizing the importance of enhancing private key management, hot wallet security, and cross-chain bridge security. This necessity stems from the recurring security breaches, indicating a systemic issue in the current security culture. Addressing these vulnerabilities requires a coordinated approach that merges technological solutions with a shift in organizational mindset towards prioritizing security.

Firstly, the series of private key compromises points to significant flaws in their management and storage. Organizations can significantly enhance security by implementing multi-factor authentication and hardware security modules (HSMs), ensuring that private keys are never fully exposed and are protected against both physical and digital threats. Furthermore, adopting multi-signature wallets decentralizes control, reducing the risk of a single compromised key.

Regarding hot wallet security, these should only contain the minimal funds necessary for daily operations due to their vulnerability to online threats. Cold wallets are a preferable option for transferring most funds as they are less prone to hacking due to being offline storage options. Setting strict withdrawal limits and establishing systems to alert for unusual activities are also essential measures for early detection and prevention of unauthorized access.

The security of cross-chain bridges warrants special attention due to the complex nature and substantial funds involved. Regular and thorough security audits conducted by independent third-party firms are crucial. These audits should encompass smart contracts and the entire underlying infrastructure. Moreover, robust real-time monitoring systems to detect anomalies and potential threats are essential.

It's also crucial to recognize the complexities involved in managing cross-chain infrastructure. This aspect of blockchain technology is not a peripheral project but a central component requiring meticulous attention and a dedicated approach. Ensuring the security of these systems is vital, given the potential for exploitation of vulnerabilities across different blockchain networks. A comprehensive strategy, blending advanced technological safeguards with strict operational protocols, is imperative for robust defense against future cyber threats.

Even with stringent security measures in place, the recent exploit targeting Justin Sun's projects, including the HECO and HTX platforms, reveals the persistent risk of unforeseen vulnerabilities. This situation underscores the importance of implementing additional protective strategies. Services similar to Neptune Mutual could have been a pivotal asset in this scenario, offering a much-needed safety net. The establishment of a dedicated cover pool, prior to such incidents, would provide a crucial buffer, allowing users to recover from losses due to smart contract vulnerabilities. We don't provide coverage for losses stemming from private key compromise, but we are open to making exceptions in many situations.

Involvement with a service similar to Neptune Mutual could have eased the challenges faced by the affected users in demonstrating their financial losses. With an efficient incident management system capable of quickly confirming and resolving such incidents, the progression to claim distributions would be expedited. This rapid response mechanism ensures prompt financial support for those adversely affected.

Our marketplace, operating across various blockchain networks like Ethereum, Arbitrum, and the BNB chain, caters to a diverse range of DeFi users. A steadfast commitment to user safety is essential, especially following major security breaches. It not only aids in immediate damage control but also helps in rebuilding trust within the DeFi community, a factor that becomes critically important in the wake of security incidents like those experienced by HECO and HTX.

Reference Source: PeckShield
