Humility Security Incident Update: $36 Million Stolen, Cooperating with Police Investigation and Fund Recovery Efforts
Odaily News: Humility Protocol released a security incident update on the X platform, stating that yesterday the H token suffered a coordinated attack on the Ethereum and BSC chains. It has been confirmed that over $36 million worth of assets were stolen and dumped.
Preliminary investigation indicates that the incident began with the compromise of an employee's computer, which leaked private keys for the multi-signature wallet controlling the Hyperlane Bridge ProxyAdmin. Specifically, the attacker obtained 3 of the 6 private keys of the Gnosis Safe on the Ethereum chain, transferred ownership of the ProxyAdmin to a wallet under their control, and upgraded the bridge contract to a malicious implementation. They then transferred approximately 141.2 million H tokens in a single transaction.
Simultaneously, the attacker also gained control of 3 out of 5 private keys from the Safe wallet on the BSC chain. Using the same method, they took over the ProxyAdmin and deployed a malicious contract with an unlimited minting function, minting 200 million H tokens to their own wallet in two separate transactions.
Humility stated that it has suspended all deposits and withdrawals on the affected bridge service and is collaborating with exchanges and other relevant partners to mitigate losses. At the same time, it is cooperating with the police investigation and attempting to recover part of the stolen funds.
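Both takeover steps described above, the ProxyAdmin ownership transfer and the bridge upgrade, leave on-chain event logs that a monitor can alert on. The following sketch is an added example, not code from Humility or Odaily: it assumes the ProxyAdmin and proxy emit the standard OpenZeppelin `OwnershipTransferred` and `Upgraded` events (the page does not say which contracts were used), and every address, transaction id and log entry in it is a constructed placeholder.

```python
# Added example: flag the two takeover steps in raw EVM logs.
# Every address and log entry below is a constructed placeholder.

# topic0 of the standard OpenZeppelin events (assumed to be what the contracts emit)
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def addr(n):   # constructed 20-byte address
    return "0x" + format(n, "040x")

def topic(a):  # indexed address parameter, left-padded to 32 bytes
    return "0x" + "0" * 24 + a[2:]

SAFE, PROXY_ADMIN, BRIDGE_PROXY = addr(0x5AFE), addr(0xAD), addr(0xB1)
GOOD_IMPL, NEW_OWNER, NEW_IMPL = addr(0x600D), addr(0xE1), addr(0xE2)
APPROVED_OWNERS = {SAFE}        # who may own the ProxyAdmin
APPROVED_IMPLS = {GOOD_IMPL}    # reviewed bridge implementations

def triage(logs):
    """Return (alert, tx, address) for changes outside the allowlists."""
    alerts = []
    for log in logs:
        emitter = log["address"].lower()
        topics = [t.lower() for t in log["topics"]]
        if emitter == PROXY_ADMIN and topics[0] == OWNERSHIP_TRANSFERRED:
            new_owner = "0x" + topics[2][-40:]   # topics[2] = newOwner
            if new_owner not in APPROVED_OWNERS:
                alerts.append(("proxyadmin_owner_changed", log["tx"], new_owner))
        elif emitter == BRIDGE_PROXY and topics[0] == UPGRADED:
            impl = "0x" + topics[1][-40:]        # topics[1] = implementation
            if impl not in APPROVED_IMPLS:
                alerts.append(("unapproved_implementation", log["tx"], impl))
    return alerts

SAMPLE_LOGS = [  # constructed: setup, ownership takeover, upgrade, unrelated contract
    {"tx": "0xaa", "address": PROXY_ADMIN,
     "topics": [OWNERSHIP_TRANSFERRED, topic(addr(0)), topic(SAFE)]},
    {"tx": "0xbb", "address": PROXY_ADMIN,
     "topics": [OWNERSHIP_TRANSFERRED, topic(SAFE), topic(NEW_OWNER)]},
    {"tx": "0xcc", "address": BRIDGE_PROXY,
     "topics": [UPGRADED, topic(NEW_IMPL)]},
    {"tx": "0xdd", "address": addr(0x99),
     "topics": [UPGRADED, topic(NEW_IMPL)]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

An ownership alert on the ProxyAdmin is the earlier of the two signals, since it precedes the upgrade that changes the bridge's behaviour.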
