The Harmony bridge hack saga highlights crypto’s lack of recourse and the risks of composability.
Depending on how you count, there have been roughly 20 hacks worth over $100M which have hit crypto.
While the hacks attract attention and generate clicks in the short term, the financial mess they leave behind often fades from the news cycle before any resolution is reached.
The $100M Harmony Bridge hack, which happened just over 500 days ago in June 2022, is one example of an exploit that has faded from headlines, but whose story hasn’t actually ended.
Users’ efforts to recoup their assets on a Harmony deployment of Aave, a lending platform which holds over $5B worth of assets in total, tell a story of DeFi participants’ resourcefulness, but also of the space’s pitfalls and inefficiencies.
A proposal to recoup roughly 20% of the assets locked in Aave on the Harmony blockchain is bringing a glimmer of hope to victims of the hack, but whether Aave and Harmony will back it is still undecided.
The amount users have lost isn’t large — roughly $1.2M — but the saga is a warning to crypto users, as another bull run shows signs of returning, that the further down the rabbit hole you go, the greater the risks.
Composability, at one point called “money legos,” means crypto protocols can easily plug into each other. It also means users should account not just for the risks of the token they’re holding on a specific platform, but also for the risks of every connection that token passed through to get there.
A representative from Aave Companies did not immediately respond to The Defiant’s request for comment regarding the upcoming vote and whether AAVE voters bear some responsibility for the assets stuck on the Aave Harmony deployment.
Starting from the beginning — Harmony was one of the hot Layer 1 blockchains in June 2021. Its native ONE token had a market capitalization of nearly $800M, and it seemed like the market for smart contract platforms was big enough that every Layer 1 which launched would succeed.
At that point, Li Jiang, COO of Harmony, first posted on the Aave forum, pushing for the lending platform to deploy on the blockchain he was building. After some debate and brigading from Harmony supporters, holders of the AAVE token voted in December to deploy Aave on the blockchain.
The market was destined to peak at that time — it turned out that the total crypto market capitalization had already topped out at just over $3T in November. And Harmony’s ONE token would post an absurd-sounding $4B market capitalization two months later in January 2022.
That’s not a huge sum — Aave had over $5B in total value locked at the time.
Bridge Hack and Aave Exploit
Then the hack happened. The exploit was controversial in itself as Harmony took serious heat for what many deemed subpar security practices.
For Aave’s deployment on Harmony, it meant that lenders of tokens native to the Harmony blockchain, primarily ONE and LINK, saw their assets borrowed out indefinitely as a result of the attack.
This was because the bridge hack meant that all assets which people had bridged from Ethereum, the world’s most used Layer 1, became unbacked. Aave, however, used a price feed which didn’t register that the bridged assets on Aave were no longer backed.
This meant that opportunists swooped in and deposited bridged and unbacked assets like USDT and USDC and borrowed ONE and LINK tokens which weren’t directly affected by the bridge hack.
It’s not known what the opportunists did with the ONE and LINK, but the intuitive action would be to sell the tokens — with the collateral worth less than the debt there’s no reason to return the tokens to Aave’s lenders.
It wasn’t a huge amount of assets — opportunists quickly borrowed $398,000 of ONE tokens after the hack, with $1.2M worth of ONE borrowed in total, according to BGD Labs.
Loading Up on ONE
What followed was a strange and drawn out battle for accountability.
One user, a software engineer named Rémi, had been acquiring ONE tokens for two years leading up to the hack on Harmony. He told The Defiant he took time after work to develop trading strategies, take advantage of new product launches as well as Harmony’s $300M incentive program, in order to acquire around $200,000 of ONE tokens.
Rémi asked for The Defiant not to use his last name or employer to maintain his privacy.
It’s been well over a year and the engineer still doesn’t have his assets back, which to be fair, is the norm with hacks in crypto — people generally don’t get their money back.
But the story for Rémi, and others who deposited on Aave’s Harmony deployment, is a bit more complex than clicking a corrupted link and losing potentially years worth of income.
For one, the hack’s effect on ONE lenders on Aave was a secondary one — Rémi’s assets weren’t bridged, so they didn’t depeg. Immediately following the hack, Rémi thought he was safe. “I just considered [the hack] as bad news for the price of the coin,” he said. “I have no idea it would impact me so much to have all my ONE coins stuck.”
Instead, opportunists swooped in and borrowed all the available ONE and LINK tokens. Since close to nothing backed the bridged collateral they posted, Aave was left with bad debt, roughly $1.2M in total.
In a sense, the lesson is a simple one — risks are always present in DeFi. Brand name protocols like Aave can still suffer attacks indirectly through less-secure bridges to other blockchains.
Lack of Say
There are also other takeaways — just because a person uses a decentralized protocol, doesn’t mean they have any say over its direction. In efforts to recoup their assets, users railed against their powerlessness in the face of Aave’s governance.
“Imagine your bank refusing to help you with [a] complaint because you don’t have enough money in the account,” said one user in a year-long discussion about the Harmony recovery on the Aave forum.
One key issue is that a minimum of 50 AAVE tokens, worth nearly $5,000, is needed to submit a vote, according to the Aave forum. “After losing so much you don’t want to invest $5000, or $6,000 to buy AAVE just to organize a vote,” Rémi said.
A community member did manage to submit a recovery proposal in March, but it was short on details and Aave governance shot it down with over 99% of AAVE tokens voting against.
The Aave team ended up freezing Harmony’s reserves, so roughly $3M in assets couldn’t be withdrawn, but that was more than three weeks after the hack.
Rémi thought this happened much too slowly.
“Borrowing got frozen a few days after, which [gave] time for hackers to exploit the protocol,” he said. “Lending itself got closed a month after.”
The engineer added that some unsuspecting users deposited assets during that month because they saw a high interest rate on Aave, a consequence of so much ONE having been borrowed.
Overall, the parties involved struggled to define who was responsible for what in the hack’s wake.
Questions of Accountability
Ernesto Boada, co-founder at BGD Labs, a key service provider to Aave, told The Defiant it was difficult to coordinate with the Harmony team. “It really felt after the hack that Harmony was not really involved,” he said.
Other users struggled with similar issues — one user asked simply “who is ‘Harmony Team’ on this forum,” in a discussion on the blockchain’s forum. The user received no answer.
A document on the Harmony team’s website lists 20 team members, with Steven Tse, an alumnus of Google, Apple, and Microsoft, as in charge of “project vision.” Tse lists himself as Harmony’s founder on LinkedIn.
The Defiant has reported on struggles that validators, entities which support the Harmony network, have had with the Harmony team in the past.
To Boada, the issue of Aave’s Harmony deployment is fundamentally the responsibility of the bridge.
“At the end of the day, the hack is on [Harmony’s bridge],” he said.
BGD made changes to Aave after the hack — the service provider helped implement a system called “proof of reserves,” which aims to prevent the kind of mismatch between prices reported to Aave and the actual prices of a given asset.
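As an added illustration (not code from the article, Aave or BGD Labs), the toy lending pool below reproduces the mismatch described in the “Bridge Hack and Aave Exploit” section and the proof-of-reserves style check described here: a price feed still values a bridged stablecoin at face value after the bridge is drained, so unbacked collateral can borrow out native tokens and leave lenders with bad debt, whereas a reserve check freezes borrowing against the unbacked asset. The amounts, the $0.02 ONE price, the 80% loan-to-value ratio and the field names `bridged_supply`/`locked_reserve` are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    price: float           # USD price reported by the feed (unchanged by the hack)
    bridged_supply: float  # tokens minted on the destination chain; 0.0 = native asset
    locked_reserve: float  # tokens actually locked on the origin-chain bridge

    def backed(self) -> bool:
        # Proof-of-reserves style check: minted supply may not exceed what backs it.
        return self.bridged_supply <= self.locked_reserve

    def backing_ratio(self) -> float:
        # Fraction of the bridged supply that is really backed (1.0 for native assets).
        if self.bridged_supply == 0.0:
            return 1.0
        return min(1.0, self.locked_reserve / self.bridged_supply)


class Pool:
    def __init__(self, assets: dict, ltv: float = 0.8, check_reserves: bool = False):
        self.assets, self.ltv, self.check_reserves = assets, ltv, check_reserves

    def borrow(self, coll: str, coll_amt: float, debt: str, debt_amt: float) -> float:
        """Return the USD value borrowed, or raise if the pool refuses the loan."""
        c = self.assets[coll]
        if self.check_reserves and not c.backed():
            raise ValueError(f"{coll} is unbacked: borrowing against it is frozen")
        debt_value = debt_amt * self.assets[debt].price
        if debt_value > coll_amt * c.price * self.ltv:   # feed value, not real value
            raise ValueError("insufficient collateral")
        return debt_value

    def shortfall(self, coll: str, coll_amt: float, debt_value: float) -> float:
        """Bad debt once the collateral is valued by what actually backs it."""
        c = self.assets[coll]
        return max(0.0, debt_value - coll_amt * c.price * c.backing_ratio())


def run_scenario(check_reserves: bool):
    # Constructed state: the bridge has been drained, so bridged USDC has no reserve,
    # while ONE is native to the chain and untouched by the bridge hack.
    usdc = Asset(price=1.0, bridged_supply=1_000_000.0, locked_reserve=0.0)
    one = Asset(price=0.02, bridged_supply=0.0, locked_reserve=0.0)
    pool = Pool({"USDC": usdc, "ONE": one}, check_reserves=check_reserves)
    try:
        debt_value = pool.borrow("USDC", 500_000.0, "ONE", 19_900_000.0)
    except ValueError as err:
        return ("frozen", 0.0, str(err))
    return ("borrowed", pool.shortfall("USDC", 500_000.0, debt_value), "")
```

Without the check the loan passes the loan-to-value test on the feed price and every dollar borrowed becomes bad debt; with it the same transaction is refused.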
Boada added that BGD has also started to analyze networks more thoroughly before endorsing Aave deployments there.
The BGD Labs co-founder said that he has been able to contact Recovery One, a team working with Harmony on recovery efforts in the wake of the bridge hack, more easily than he could the Harmony team post-hack.
10 Cents on the Dollar
Matthew Barrett, from Recovery One, told The Defiant that he thought DeFi will emerge stronger from all the struggles to deal with the fallout of the Harmony bridge hack.
The story isn’t done — last week someone from Recovery One posted a proposal which would pay roughly ten cents on the dollar to users whose ONE tokens have been borrowed indefinitely. This would amount to about $50,000, at today’s ONE prices. Aave, the decentralized organization, would be on the hook for another 10%.
Barrett said that BGD Labs had proposed a solution somewhat in line with Recovery One’s a few months earlier. That a key service provider to Aave promoted a similar proposal makes the Recovery One team member think it’s possible that AAVE voters will throw their weight behind the new solution.
So far, people appear to be willing to take what they can get. “Any solution is better than no solution,” said ThunderingTias, a user who has been engaged on Aave’s forum since the 2022 hack.
While it’s unclear whether Aave governance will support the proposal, or even whether they should, the bigger question may be — as DeFi becomes more intertwined, how can the systems evolve so responsibility is more clearly defined but decentralization is maintained?
With the beginning stages of a bull market showing signs of emerging, it will be another test for DeFi whether it can navigate its complex integrations as euphoria threatens to cloud people’s judgement.