According to Humanity Protocol, the breach of an employee’s laptop allowed attackers to take control of the bridge, improve contracts and steal over $36 million in H tokens.
In an incident update on Tuesday, minutes he said Monday’s attack affected the H token on the Ethereum and BNB networks. The team found that three of the six Gnosis Protected owner keys were compromised, allowing attackers to take control of bridge administration on both networks.
Humanity claims that after taking control, the attackers changed the bridging contracts to various malicious versions. On Ethereum, they have exhausted approximately 141.2 million tokens. At BSC, they added a feature to create an unlimited number of tokens and then minted 200 million tokens directly into their own wallet.
Humanity founder Terence Kwok told Cointelegraph that the project had multi-signature control spread across four people, but some keys could have been exposed during setup.
“We believe that some keys were accidentally backed up on the compromised device,” Kwok told Cointelegraph.
He said Humanity uses a “licensed custodian for the majority of its token vault” and MPC for its operations vault, but “for some contracts, multisig keys were configured in one place and then distributed,” leaving some keys stored on the compromised device.
The incident shows how a compromised endpoint can become a protocol-level crisis when various privileges cluster behind a diminutive number of keys. Humanity said it has suspended deposits and withdrawals on the affected bridges and is working with exchanges and affiliates to minimize damage and explore recovery options.
The value of the Humanity Protocol’s H token dropped by more than 85% after the private key compromise project was exposed. At the time, Kwok warned users not to interact with the bridge or liquidity pools.
Source: Humanity Protocol
Security companies study exploit patterns
The case has been investigated by blockchain investigators as to whether the attack was purely an external compromise or whether it was related to unusual token activity ahead of the upcoming unlock, as claimed by some community members pointed outside.
Initially, Blockchain researcher ZachXBT questioned whether market maker Humanity and over-the-counter (OTC) activity were linked to the exploit. However, he later he said that upon further analysis, market maker and OTC activities were found to be independent of the private key compromise.
Related: ZEC Drops 30% as Shielded Labs Reveals More About Infinite False Bugs
Hakan Unal, senior manager of security operations at Cyvers, told Cointelegraph that the onchain pattern may initially look similar whether the incident is a real compromise or a staged event, because in both cases the attacker has legitimate administrator privileges.
“What sets them apart is the setting,” Unal said. “True compromise tends to be characterized by speed and improvisation: funds moving to new wallets, swaps at bad prices, using a mixer, and lack of timing for sensitive information.”
In turn, Unal said a staged incident could indicate suspicious unlocking or vesting timing, concentrated supply, arranged movement or inflows that ultimately lead back to team-affiliated addresses or market makers.
“At the moment the evidence is mixed and therefore the question is open,” he added.
The researcher suspects that the Humanity incident was coordinated
Meanwhile, Allium Labs’ research director is Elton Shehdula he said The onchain exploit pattern pointed to a potentially planned and coordinated operation rather than a lone opportunist.
Portfolio financing and schedule. Source: Allium Laboratories
Shehdula said the wallets were funded by the exchange and mixer weeks in advance, mint authorities “warmed up” days before the attack, and the ejection took place on two chains simultaneously.
He said the level of configuration and access was consistent with the expectations of an “insider or outsider” who had quietly held the compromised key for some time.
Warehouse: Vietnam is preparing a cryptographic pilot, HK is pushing tokenization: Asia Express
