Key facts
- Humanity Protocol experienced a bridge exploit resulting in the loss of over $36 million in H tokens.
- The attack occurred on both Ethereum and BNB Chain.
- Compromised multisig keys, potentially backed up to a compromised device, allowed attackers to seize control.
- Attackers replaced bridge contracts and minted new tokens on BNB Chain.
- Humanity Protocol has halted bridge operations and is investigating recovery options.
Humanity Protocol has reported a significant bridge exploit that resulted in the loss of over $36 million in its native H token across the Ethereum and BNB Chain networks. The incident, which occurred on Monday, was attributed to the compromise of multisignature (multisig) keys, potentially due to accidental backup on a compromised device during the setup phase.
According to the protocol's update, attackers gained control of three out of six Gnosis Safe owner keys. This allowed them to seize administrative control of the bridge on both blockchains. Once in control, the attackers deployed malicious versions of the bridge contracts. On Ethereum, approximately 141.2 million H tokens were drained. On BNB Chain, the attackers exploited a function to mint an additional 200 million H tokens directly into their wallets.
Humanity founder Terence Kwok explained that while the project uses a licensed custodian for its main treasury and MPC for operations, some multisig keys for specific contracts were set up and dispersed, with some ending up on a compromised device. This highlights the risk of concentrated authority behind a small number of keys, even with distributed setups.
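The gap between a multisig's nominal threshold and the number of devices that actually have to be compromised to reach it can be checked mechanically. The Python below is an added example, not code from Humanity Protocol or the Safe project; the key names, device names and inventory are constructed, and it assumes the team records every location where an owner key or a backup of it has been stored.

```python
from itertools import combinations

# Constructed inventory (not from the incident): each owner key maps to the
# set of devices/locations where a copy of that key exists, backups included.
KEY_LOCATIONS = {
    "owner1": {"hw-wallet-A"},
    "owner2": {"hw-wallet-B", "laptop-setup"},
    "owner3": {"hw-wallet-C", "laptop-setup"},
    "owner4": {"hw-wallet-D", "laptop-setup"},
    "owner5": {"hw-wallet-E"},
    "owner6": {"hw-wallet-F"},
}
THRESHOLD = 3  # signatures required, as in a 3-of-6 multisig


def exposed_keys(key_locations, compromised):
    """Keys with at least one copy on a compromised location."""
    bad = set(compromised)
    return {k for k, locs in key_locations.items() if locs & bad}


def min_compromise_sets(key_locations, threshold):
    """Smallest sets of locations whose compromise yields >= threshold keys.

    Brute force over location subsets; fine for the handful of signers and
    devices a multisig has.
    """
    locations = sorted(set().union(*key_locations.values()))
    for size in range(1, len(locations) + 1):
        hits = [set(c) for c in combinations(locations, size)
                if len(exposed_keys(key_locations, c)) >= threshold]
        if hits:
            return size, hits
    return None, []  # threshold unreachable even with every location lost


def audit(key_locations, threshold):
    """Compare the nominal threshold with the effective one in devices."""
    size, sets = min_compromise_sets(key_locations, threshold)
    return {
        "nominal_threshold": threshold,
        "effective_threshold": size,
        "critical_sets": sets,
        # Healthy only if an attacker needs as many devices as signatures.
        "ok": size is not None and size >= threshold,
    }


if __name__ == "__main__":
    print(audit(KEY_LOCATIONS, THRESHOLD))
```

In the constructed inventory a single setup laptop holds backups of three owner keys, so the 3-of-6 configuration has an effective threshold of one device.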
In response to the exploit, Humanity Protocol halted deposits and withdrawals to the affected bridges and is collaborating with exchanges and other parties to mitigate damage and explore recovery options. The H token experienced a sharp decline of over 85% following the disclosure of the private key compromise. Kwok advised users to avoid interacting with the bridge or liquidity pools.
Blockchain investigators have been scrutinizing the on-chain activity. While initial questions were raised about potential links to unusual market maker or over-the-counter (OTC) activity before an upcoming token unlock, further analysis by ZachXBT suggested these activities were independent of the key compromise. Security experts noted that distinguishing between a genuine compromise and a staged event can be challenging initially, as both involve legitimate admin rights. However, indicators like speed, improvisation, fund routing, and timing relative to unlocks can provide clues. Allium Labs research suggested the exploit's pattern, including advance wallet funding and simultaneous attacks on two chains, pointed towards a planned and coordinated operation, potentially involving an insider or an external actor who had long-held access to the compromised key.
