Humanity’s $36 million feat happened because a ‘multisig’ lived on a laptop

Humanity Protocol explained how attackers were able to steal over $36 million of its H token, and the cause was a serious error in the way it secured its keys.

In an incident update shared with CoinDesk, the decentralized identity project said the breach began when an employee’s laptop was compromised. The machine contained several keys that controlled the project’s token bridges, the tools that move H (and other tokens) between blockchains.

These bridges were controlled by multi-signature wallets, which require a number of distinct keys to approve any change. A multisignature wallet is supposed to spread its keys across different people and devices so that no single machine can move funds.

In this case, all keys were stored on a single device, meaning a compromise allowed the exploiter to pass the approval threshold on both chains, Humanity said.

The attacker obtained three of the six keys controlling the administrator account of the bridge on Ethereum, enough to take over the controls tied to the project's deployment on that network.

The attacker then transferred ownership to his own wallet, swapped the bridge code for a malicious version, and drained approximately 141 million H in a single transaction.

In a Telegram message to CoinDesk, Humanity founder Terence Kwok said the team had set up a four-person multisig wallet (as they should have done).

Humanity suspects that “some keys were accidentally saved on a compromised device during installation,” Kwok said. “We use an approved custodian for the majority of token treasury, mpc for operations treasury, and for some contracts multisig keys have been set up in one place and then dispersed.

“Unfortunately, in this scenario, the keys were saved on a compromised device,” he said.

The attacker performed similar steps on BNB Chain with three of the five keys. This time, the attacker installed code with an unlimited minting function, which creates tokens at will, and minted around 200 million new H directly into their own wallet.
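A threshold only protects funds if the signer keys actually live on different machines. The following is an added example, not code from Humanity Protocol or the article, that audits a key-to-device map for the smallest number of device compromises needed to reach quorum; the scenario data is constructed to mirror the 3-of-6 and 3-of-5 configurations described, including a setup machine that keeps copies of keys that were later dispersed.

```python
from itertools import combinations

# Each signer key -> every device holding a copy of it. A key generated on a
# laptop and copied to a hardware signer, but never wiped, still counts on the laptop.
KeyLocations = dict[str, set[str]]

def min_device_compromises(threshold: int, keys: KeyLocations) -> int:
    """Smallest number of devices an attacker must compromise to hold at least
    `threshold` distinct signer keys; -1 if quorum is unreachable.
    Brute force over device subsets is fine for a handful of signers."""
    devices = sorted({d for locs in keys.values() for d in locs})
    for size in range(1, len(devices) + 1):
        for subset in combinations(devices, size):
            held = {k for k, locs in keys.items() if locs & set(subset)}
            if len(held) >= threshold:
                return size
    return -1

def survives_single_device_loss(threshold: int, keys: KeyLocations) -> bool:
    """The property the bridge multisigs lacked: no one machine reaches quorum."""
    return min_device_compromises(threshold, keys) > 1

# Constructed scenarios; not data from the incident report.
SCENARIOS = {
    # 3-of-6 admin multisig with every key on the same laptop.
    "eth_all_on_laptop": (3, {f"k{i}": {"laptop"} for i in range(1, 7)}),
    # 3-of-6 with each key on its own hardware signer.
    "eth_dispersed": (3, {f"k{i}": {f"hw-{i}"} for i in range(1, 7)}),
    # Keys set up in one place, then dispersed, but the setup machine kept copies.
    "eth_dispersed_with_residue": (
        3, {f"k{i}": {f"hw-{i}", "setup-laptop"} for i in range(1, 7)}),
    # 3-of-5 where three of the five keys share one machine.
    "bnb_three_on_laptop": (3, {"k1": {"laptop"}, "k2": {"laptop"}, "k3": {"laptop"},
                                "k4": {"hw-4"}, "k5": {"hw-5"}}),
}

def audit() -> dict[str, int]:
    """Minimum device compromises needed to reach quorum, per scenario."""
    return {name: min_device_compromises(t, keys) for name, (t, keys) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, n in audit().items():
        verdict = "ok" if n > 1 else "SINGLE DEVICE REACHES QUORUM"
        print(f"{name:28s} min devices = {n}  {verdict}")
```

Only the cleanly dispersed configuration needs three separate compromises; the other three, including the one where keys were dispersed but a copy stayed on the setup machine, fall to a single device.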

Humanity has since removed the team page from its website. The project said it had halted deposits and withdrawals on affected bridges and was working with exchanges and police to recover the funds.

Last year, Humanity raised $20 million from Pantera Capital and Jump Crypto, at a valuation of $1.1 billion.

ZachXBT, a prominent on-chain investigator, said the key compromise and a separate pattern of suspicious market-making activity in the token were unrelated.

The breach also raised questions about how the token traded in the weeks leading up to it, ahead of a large scheduled token unlock: H token prices rose from 20 cents to 70 cents in two weeks.

The token has regained some of the lost ground. After falling to around 5 cents during the attack, it returned to around 20 cents, according to CoinGecko data. It remains well below the pre-breach level of 67 cents.
