Saturday, December 2, 2023


Aave V3 Freezes Its Reserves on Harmony

tl;dr Summary: Popular lending protocol Aave has decided to freeze its reserves on the Harmony blockchain after a hacker stole $100 million in crypto assets from its Horizon bridge.

Harmony, a layer-1 blockchain that runs on Effective Proof of Stake (EPoS), known for its cross-chain finance model, suffered an attack on June 23, 2022, that resulted in a theft of crypto assets worth over $100 million. 

According to Harmony's blog post, the attacker got hold of several private keys and used them to sign transactions moving assets in the form of BUSD, USDC, ETH, and WBTC, which were later swapped to ETH using decentralized exchanges (DEXs).

Although not directly impacted by the attack, Aave, a lending and borrowing platform, reached out to its community to discuss the attack's potential impact and decide how to respond.

The lending platform houses pools of assets on the Harmony chain at a specific price determined by Chainlink Oracle feeds. 

Source: https://app.aave.com/?marketName=proto_harmony_v3

Since the attack was on the Ethereum side of the bridge, it resulted in a mismatch in the asset’s price on the Harmony side.

This price mismatch presented market participants with a permanent arbitrage opportunity, since they believed the lost assets would not be restored to the mainnet. The team monitoring Aave found that some accounts executed such an arbitrage by depositing 1 USDC, a bridged asset affected by the exploit whose price is now less than before, as collateral to borrow another asset like the ONE token or LINK.

According to the Aave governance post, the “real” price of the assets attacked is close to 0, and it is not known at the moment whether this situation is permanent. The oracle price feeds have not yet reflected this actual price; the moment they do, all positions will be instantaneously liquidated.

In light of this situation, the Aave DAO Community, through a governance forum, decided to freeze its reserves and stop deposits and borrowing on all assets of the pool while still allowing repayment of debt, liquidations, withdrawals, and changes to the interest rates.

If funds return to the bridge, either from the attacker or through the Harmony network covering the loss, things will return to normal.

The AIP (Aave Improvement Proposal) also states that this step is the first of many that it would take to protect its users. 

Other potential steps that the community could take include:

1) Minimize the interest rates for the affected assets. ONE and LINK appear to be the two most borrowed tokens because of the arbitrage opportunity, as reflected in their APY percentages.

Source: https://app.aave.com/?marketName=proto_harmony_v3

The community could vote on reducing the interest rates until the situation normalizes. 

2) Possibility of extending a $700 million risk mitigation pool called the Safety Module to protect users in V3. 

3) Possibility of integration with Chainlink’s Proof-of-Reserve for bridged assets. Chainlink’s Proof-of-Reserve is a mechanism allowing autonomous monitoring of assets between chains. In this case, with PoR, a price mismatch would have automatically triggered an action to stop all borrowings in real-time.
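
An added illustration of the Proof-of-Reserve idea in item 3, not Aave's or Chainlink's code: a simplified off-chain model that compares the reserves locked on the source chain with the wrapped supply on the destination chain and gates pool actions the way the freeze described above does. The class, function names, threshold and sample figures are assumptions constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Actions the article says stay available after the freeze; deposits and borrows do not.
ALLOWED_WHEN_FROZEN = {"repay", "liquidate", "withdraw"}

@dataclass(frozen=True)
class BridgedAsset:
    symbol: str
    locked_on_source: Decimal  # tokens the bridge still holds on the source chain
    minted_on_dest: Decimal    # wrapped supply circulating on the destination chain
    oracle_price: Decimal      # USD price the lending pool currently reads

def backing_ratio(asset: BridgedAsset) -> Decimal:
    """Fraction of the wrapped supply still backed by locked reserves, capped at 1."""
    if asset.minted_on_dest <= 0:
        return Decimal(1)  # nothing minted, so nothing needs backing
    return min(Decimal(1), asset.locked_on_source / asset.minted_on_dest)

def evaluate(assets, min_ratio=Decimal("0.999")):
    """Per asset: backing ratio, reserve-adjusted price, and whether to freeze."""
    report = {}
    for a in assets:
        ratio = backing_ratio(a)
        report[a.symbol] = {
            "ratio": ratio,
            "backed_price": a.oracle_price * ratio,  # what the collateral is really worth
            "freeze": ratio < min_ratio,
        }
    return report

def is_allowed(action: str, symbol: str, report) -> bool:
    """Gate a pool action on the reserve check instead of waiting for the price feed."""
    if not report[symbol]["freeze"]:
        return True
    return action in ALLOWED_WHEN_FROZEN

# Constructed sample figures, not real on-chain data. "EXAMPLE" is a hypothetical asset.
SAMPLE = [
    BridgedAsset("USDC", Decimal("0"), Decimal("40000000"), Decimal("1.00")),
    BridgedAsset("EXAMPLE", Decimal("500000"), Decimal("500000"), Decimal("6.50")),
]

if __name__ == "__main__":
    rep = evaluate(SAMPLE)
    for sym, row in rep.items():
        print(sym, row, "borrow allowed:", is_allowed("borrow", sym, rep))
```

In this model the drained USDC reserve is frozen as soon as its backing drops, even though the oracle still reports $1.00, which is the gap the arbitrage accounts used.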

As Aave continues to monitor the situation, DeFi again takes center stage for the wrong reasons. The Harmony bridge attack follows several high-profile blockchain bridge attacks, including the Wormhole attack, in which users lost $325 million to attackers, and the Ronin network hack, which resulted in a massive $600 million loss in user funds.

As bridges continue to be the weakest link in this multi-chain universe, it would appear that a more robust private key protection mechanism would be the easiest fix to implement. Yet DeFi protocols, especially bridges, have not learned this lesson.
