Humanity Protocol explained how attackers were able to steal over $36 million worth of its H token, and the cause was a serious error in the way it secured its keys.
In an update on the incident shared with CoinDesk, the decentralized identity project said the breach began when an employee’s laptop was compromised. The machine contained several keys that controlled the project’s token bridges, the tools that move H (and other tokens) between blockchains.
Those bridges were governed by multi-signature wallets, which require a set number of separate keys to approve any change. A multi-signature wallet is supposed to distribute its keys across different people and devices so that no single machine can move funds.
In this case, all keys were stored on a single device, meaning that a compromise allowed the exploiter to cross the approval threshold on both chains, Humanity said.
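The control that failed here, a threshold wallet whose keys must not share a device, can be checked mechanically. The block below is an added example and not code from Humanity Protocol or CoinDesk: it records where each signer key and any backup copy of it lives (the device and key labels are constructed), then finds the smallest set of devices whose compromise yields enough keys to cross the approval threshold. A properly dispersed 3-of-6 set needs three devices; a set where three keys were also backed up to one laptop needs one, which is the situation the article describes.

```python
"""Single-device failure check for an m-of-n signer set.

Constructed example (not Humanity Protocol's code): device names and key ids are
illustrative. A device "exposes" a key if any copy of it, primary or backup, lives
there, which is exactly how an accidental backup collapses a multisig.
"""
from __future__ import annotations

from itertools import combinations

# Constructed data: a 3-of-6 bridge admin multisig. Each key has its own hardware
# signer, but three keys were also backed up to a single laptop.
COLOCATED_3_OF_6: dict[str, set[str]] = {
    "key-1": {"hw-signer-1", "laptop-backup"},
    "key-2": {"hw-signer-2", "laptop-backup"},
    "key-3": {"hw-signer-3", "laptop-backup"},
    "key-4": {"hw-signer-4"},
    "key-5": {"hw-signer-5"},
    "key-6": {"hw-signer-6"},
}

# Constructed data: the same 3-of-6 set with every key confined to its own device.
DISPERSED_3_OF_6: dict[str, set[str]] = {
    f"key-{i}": {f"hw-signer-{i}"} for i in range(1, 7)
}


def keys_exposed_by(key_locations: dict[str, set[str]], devices: set[str]) -> set[str]:
    """Keys an attacker holds after compromising the given devices."""
    return {key for key, locs in key_locations.items() if locs & devices}


def min_compromised_devices(
    key_locations: dict[str, set[str]], threshold: int
) -> tuple[int, frozenset[str]]:
    """Smallest set of devices whose compromise yields at least `threshold` keys.

    Exhaustive search over device subsets by increasing size. Signer sets are
    small, so this is cheap and exact; a greedy count of keys per device would
    under-count when backups of one key sit on several devices.
    """
    if not 1 <= threshold <= len(key_locations):
        raise ValueError("threshold must be between 1 and the number of keys")
    devices = sorted({d for locs in key_locations.values() for d in locs})
    for size in range(1, len(devices) + 1):
        for combo in combinations(devices, size):
            if len(keys_exposed_by(key_locations, set(combo))) >= threshold:
                return size, frozenset(combo)
    raise ValueError("threshold unreachable: some keys have no recorded device")


def assess(key_locations: dict[str, set[str]], threshold: int) -> dict:
    """Summarize the custody risk of a threshold signer set."""
    size, weakest = min_compromised_devices(key_locations, threshold)
    return {
        "threshold": threshold,
        "keys": len(key_locations),
        "min_devices_to_cross_threshold": size,
        "weakest_device_set": sorted(weakest),
        # The property the article describes as broken: one device must never
        # hold, or back up, enough keys to approve a change on its own.
        "single_device_crosses_threshold": size == 1,
    }


if __name__ == "__main__":
    for label, setup in (("co-located", COLOCATED_3_OF_6), ("dispersed", DISPERSED_3_OF_6)):
        print(label, assess(setup, 3))
```

Run against a real signer inventory, the useful output is `weakest_device_set`: it names the device (or devices) whose loss alone crosses the threshold, so the finding can be fixed by moving or destroying the surplus copies rather than by rotating the whole set.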
The attacker obtained three of the six keys that control the bridge’s administrator account on Ethereum, enough to take control of the project’s deployment on that network.
The attacker then transferred ownership to his own wallet, replaced the bridge code with a malicious version, and withdrew around 141 million H in a single transaction.
In a Telegram message to CoinDesk, Humanity founder Terence Kwok said the team had set up a four-person multi-signature wallet (as they should have).
Humanity suspects that “some of the keys were accidentally backed up to a compromised device during setup,” Kwok said. “We use a licensed custodian for the majority of the token treasury, MPC for the trading treasury, and for certain contracts, multi-signature keys were set up in one place and then dispersed.
“Unfortunately, in this scenario, the keys were backed up on a compromised device,” he said.
The attacker executed similar steps on BNB Chain with three out of five keys. This time, he installed code with an unlimited minting function, which allowed tokens to be created at will, and minted around 200 million new H directly into his wallet.
Humanity has since removed the team page from its website. The project said it has halted deposits and withdrawals on the affected bridges and is working with exchanges and law enforcement to recover the funds.
Humanity raised $20 million from Pantera Capital and Jump Crypto last year at a valuation of $1.1 billion.
ZachXBT, a prominent on-chain researcher, said the key compromise and a separate round of suspicious market making in the token were not connected.
The incident also raised questions about how the token was traded in the weeks leading up to the breach, ahead of a major scheduled token unlock, as the price of H skyrocketed from 20 cents to 70 cents in two weeks.
The token has recovered some of the lost ground. After falling as low as about 5 cents during the attack, it recovered to around 20 cents, according to data from CoinGecko. It remains well below the pre-breach level of 67 cents.