Odaily Planet Daily report: Humility Protocol has issued a security incident update on X, stating that yesterday, the H token suffered a coordinated attack on the Ethereum and BSC chains, with over $36 million in assets confirmed stolen and sold.
Preliminary investigations indicate that the incident originated from a compromised employee computer, leading to the exposure of private keys for the multisignature wallet controlling the Hyperlane Bridge ProxyAdmin. The attacker obtained the private keys of three out of six owners of the Gnosis Safe on Ethereum, transferred ownership of the ProxyAdmin to a wallet under their control, upgraded the bridge contract to a malicious implementation, and subsequently transferred approximately 141.2 million H tokens in a single transaction.
Meanwhile, the attacker also gained control of three out of five private keys associated with the Safe wallet on the BSC chain, took over the ProxyAdmin in the same manner, and deployed a malicious contract with infinite minting capabilities, minting 200 million H tokens to their own wallet in two transactions.
Humility stated that all deposit and withdrawal operations for the affected bridge service have been suspended, and it is collaborating with exchanges and other relevant partners to minimize losses, while cooperating with law enforcement on the investigation and attempting to recover some of the stolen funds.