Investigating the HECO bridge hack

The HECO cross-chain bridge was recently compromised, after an estimated $86.6M worth of crypto tokens were sent to suspicious addresses. HECO, which stands for HTX Eco Chain, is a cross-chain bridge that was created from the merger of the bridge ecosystems of Tron and BitTorrent.

This is the third time in recent months that a Web3 platform associated with Tron founder Justin Sun has been attacked. In late September, HTX, where Sun is serving as an advisor, suffered an $8M hack affecting the exchange's $ETH tokens. Earlier this month, Sun-owned Poloniex lost between $60M and $100M in crypto asset funds following an attack that compromised the exchange's $USDT, $USDC, $ELON, $SHIB, and $WBTC tokens, among others.

How did the HECO hack unfold?

On November 22, between 9:59 AM and 10:13 AM UTC, the HECO bridge contract (0xA929) sent 10,145 $ETH, 42.11M $USDT, 619,000 $USDC 346,000 $USDT, 42,000 $LINK, 346B $SHIB, and 173,000 $UNI to the hacker's address (0xFc14). The hacker then proceeded to distribute the hacked funds in the following manner:

1. 489 $HBTC and 1 $ETH to 0x541d, which swapped all $HBTC for 7.886 $ETH and sent the funds to 0x6A40.

2. 346B $SHIB and 1 $ETH to 0xacce, which swapped all $SHIB for 1,353 $ETH and sent the funds to 0x640e.

3. 173,000 $UNI and 1 $ETH to 0x5843, which swapped all $UNI for 456 $ETH and sent the funds to 0x9456.

4. 619,000 $USDC and 1 $ETH to 0x8538, which swapped all $USDC for 307 $ETH and sent the funds to 0x7aBd.

5. 42,000 $LINK and 1 $ETH to 0xf598, which swapped all $LINK for 307 $ETH and sent the funds to 0x493B.

6. 346,000 $TUSD and 1 $ETH to 0x9e1C, which swapped all $TUSD for 173 $ETH and sent the funds to 0x153D.

7. 42.11M $USDT and 1 $ETH to 0xd20e, which swapped all $USDT for 20,811 $ETH and sent the funds to 0xe47e.

8. 10,137.98 $ETH directly to 0xe473.

By the end of the attack, the hacker swapped all the stolen tokens into 41,426 $ETH ($83.9M), spread out across 7 addresses. Here's an illustration of the flow of funds affected by the HECO hack. The 0xScope team also created a HECO Bridge Hacker Entity Dashboard that tracks the addresses involved in the attack.

Conclusion

In our previous article discussing the HTX hack, we have pointed out the following facts and observations:

- During the third quarter of 2023, Web3 has seen a 153% increase in hacks compared to the same quarter last year, resulting in a loss of $685.5M in funds just for that quarter.

- When HTX was attacked, the company reached out to the hacker, offered a 5% "white hat" bonus, and threatened to expose its identity if 95% of the funds were not returned by October 2. The HTX hacker complied with the ultimatum by returning the funds on October 7 and saying that an HTX hot wallet's private key was leaked. HTX then sent the 250 $ETH reward to the address provided by the hacker.

- Offering bounties to hackers after attacks can be seen as a pragmatic solution to the problem of lost funds, but it will likely embolden hackers to continue what they are doing, while Web3 companies continue to be deficient in implementing adequate security measures to stop these hacks from happening in the first place.

In a recent statement, Justin Sun confirmed the HECO hack and the resulting loss of funds on HTX's hot wallet. He also said that an investigation into the HECO hack is underway. While the Tron founder has not yet offered a bounty reward in connection to the recent hack, recent history has shown that Justin had previously sent "white hat" rewards to resolve hacking issues. Just recently, Poloniex claimed that it had identified the exchange's hacker and then proceeded to increase its bounty offer to $10M in exchange for the return of the funds.

Given that three of Justin Sun-affiliated Web3 platforms all suffered hacks over the past three months, the bounty option may have ended up incentivizing the hackers to continue attacking. The recent hacks further highlight the value of implementing adequate security measures for any Web3 platform, as well as the importance of using crypto tracking solutions such as 0xScope and Scopescan in detecting suspicious behavior and investigating attacks.

This story is developing, the 0xScope team will add more details when they come.

‍