Heco Bridge Hack 2023-11-22

From Vulnerapedia
Jump to navigation Jump to search

Postmortem Analysis of Recent DeFi Exploit HECO Chain.

On November 22, 2023, a significant security breach affected Huobi Global’s HTX exchange and its HECO Chain’s Ethereum bridge, resulting in a combined loss of approximately $100 million in assets. This incident highlights the ongoing vulnerabilities in the DeFi ecosystem and the urgent need for enhanced security measures.

Root Cause: Operator Account Compromise

The root cause of the exploit lies in the compromise of the HECO bridge’s operator account. This account, which possesses privileged access to manage the bridge’s operations, was compromised by an attacker, enabling unauthorized access to critical functions.

The attacker’s main wallet received plenty of illicit funds.

Attack Execution

Leveraging the compromised operator account, the attacker executed transactions to drain funds from the HTX hot wallets and the HECO bridge. The attacker’s actions can be summarized as follows:

HTX Hot Wallet Depletion:

The attacker utilized the compromised operator account to directly withdraw assets from several HTX hot wallets, including 4.25 million KOK tokens, 2.19 million ARIX tokens, and a substantial amount of ARIX tokens that were inadvertently left behind.

Heco Bridge Exploitation

The attacker employed the compromised operator account to initiate unauthorized withdrawals from the HECO bridge, amassing stolen assets worth approximately $86.8 million. The stolen assets included USDT, HBTC, SHIB, UNI, USDC, LINK, ETH, and TUSD.

Asset Distribution

The attacker consolidated the stolen assets into several wallet addresses, indicating their control over the illicit funds.


Justin Sun acknowledged the incident and confirmed the HTX and HECO Cross-Chain Bridge compromise. HTX committed to fully compensating for the losses of hot wallet addresses, and all deposits and withdrawals were temporarily suspended.

The exploit resulted in a cumulative loss of approximately $99.3 million, split between the HTX hot wallets ($12.5 million) and the HECO bridge ($86.8 million). Upon detecting the breach, the HTX team promptly suspended deposits and withdrawals while initiating efforts to recover the stolen assets.

This occurrence comes after two additional security breaches in projects affiliated with Sun, all happening within three months. These incidents collectively led to a loss of $233 million, with only $8 million successfully recovered up to this point.

Security Recommendations

Hot Wallet Security:

  • Limit funds in hot wallets to the minimum required for daily operations.
  • Prefer cold wallets for storing most funds due to their offline nature.
  • Establish strict withdrawal limits and implement alert systems for unusual activities.

Cross-Chain Bridge Security:

  • Conduct regular security audits of cross-chain bridges by independent third parties. Implement robust real-time monitoring systems to detect and respond to potential threats.
  • Establish real-time monitoring systems to identify unusual transaction patterns promptly. Employ mechanisms that can swiftly secure funds or transfer them to designated accounts, similar to the functionality of a “recovery account.”

Organizational Mindset

  • Recognize the complexity of managing cross-chain infrastructure and allocate dedicated resources.
  • Ensure a comprehensive strategy blending technological safeguards with strict operational protocols.
  • Consider on-chain digital asset protection insurance services such as Nexus Mutual, Bridge Mutual, etc, to provide a safety net against unforeseen vulnerabilities. Establish dedicated cover pools to offer financial support to users affected by smart contract exploits.
  • Conduct regular security audits of cross-chain bridges by independent third parties. Implement robust real-time monitoring systems to detect and respond to potential threats. Recognize the complexities of cross-chain infrastructure and allocate dedicated resources to its security.


About Olympix

Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.