Incident Overview: A Coordinated Cross-Chain Exploit
The decentralized project Humility recently fell victim to a sophisticated, coordinated attack targeting its native H token on both the Ethereum and Binance Smart Chain (BSC) networks. According to an official statement released by the team, the incident occurred on the evening of June 8 (Beijing Time), with attackers ultimately stealing and dumping assets valued at over $36 million.
Deep Dive into the Attack Vector
Preliminary technical investigations point to a compromised employee computer as the root cause. This breach led directly to the exposure of private keys for the multi-signature wallet controlling the ProxyAdmin of the core cross-chain bridge infrastructure, Hyperlane Bridge.
On Ethereum, the attackers obtained 3 out of 6 private keys for a Gnosis Safe wallet. Using these keys, they swiftly transferred ownership of the ProxyAdmin to an address under their control and upgraded the bridge contract to a malicious implementation. In a single transaction, approximately 141.2 million H tokens were drained.
Concurrently on BSC, the attackers employed a nearly identical method, gaining control of 3 out of 5 private keys for a Safe wallet to take over the chain's ProxyAdmin. More critically, they deployed a malicious contract with unlimited minting functionality, minting a total of 200 million H tokens to their own wallet in two batches before dumping them on the market.
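The sequence described above (ProxyAdmin owner change, then bridge upgrade, then a large mint) can be watched for on-chain; the following monitor is an added example, not code from the Humility team. It assumes the contracts emit the standard OpenZeppelin `OwnershipTransferred` and ERC-1967 `Upgraded` events and an ERC-20 `Transfer` from the zero address on mint; all addresses, the 18-decimal unit, the mint ceiling and the sample log entries are constructed.

```python
# Added example: decoded-event monitor for an upgradeable bridge's admin plane.
ZERO = "0x" + "00" * 20
# Constructed placeholder addresses; none are values from the incident.
PROXY_ADMIN, BRIDGE_PROXY, TOKEN = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
SAFE, GOOD_IMPL, ROGUE = ("0x" + b * 20 for b in ("d4", "e5", "f6"))
UNIT = 10**18  # assumes an 18-decimal token

POLICY = {
    "owners": {SAFE},                 # only the multisig may own the ProxyAdmin
    "implementations": {GOOD_IMPL},   # reviewed implementation addresses
    "mint_limit": 1_000_000 * UNIT,   # assumed per-event mint ceiling
}

def check(ev, policy=POLICY):
    """Return an alert string for one decoded log entry, or None."""
    name, src, a = ev["event"], ev["address"], ev["args"]
    if name == "OwnershipTransferred" and src == PROXY_ADMIN:
        if a["newOwner"] not in policy["owners"]:
            return f"CRITICAL ProxyAdmin owner changed to {a['newOwner']}"
    elif name == "Upgraded" and src == BRIDGE_PROXY:
        if a["implementation"] not in policy["implementations"]:
            return f"CRITICAL bridge upgraded to {a['implementation']}"
    elif name == "Transfer" and src == TOKEN and a["from"] == ZERO:
        if a["value"] > policy["mint_limit"]:
            return f"HIGH mint of {a['value'] // UNIT} tokens to {a['to']}"
    return None

def scan(events, policy=POLICY):
    """Per-event alerts in block order, plus one correlated takeover alert."""
    alerts = [(e["block"], m) for e in sorted(events, key=lambda e: e["block"])
              if (m := check(e, policy))]
    owner = [b for b, m in alerts if "owner changed" in m]
    upgrade = [b for b, m in alerts if "bridge upgraded" in m]
    if owner and any(u >= min(owner) for u in upgrade):
        alerts.append((max(upgrade), "CRITICAL takeover: owner change then upgrade"))
    return alerts

def log(block, event, address, **args):
    return {"block": block, "event": event, "address": address, "args": args}

SAMPLE = [  # constructed log entries: two benign, then the takeover sequence
    log(90, "Upgraded", BRIDGE_PROXY, implementation=GOOD_IMPL),
    log(95, "Transfer", TOKEN, **{"from": SAFE, "to": ROGUE, "value": 5 * UNIT}),
    log(100, "OwnershipTransferred", PROXY_ADMIN, previousOwner=SAFE, newOwner=ROGUE),
    log(101, "Upgraded", BRIDGE_PROXY, implementation=ROGUE),
    log(102, "Transfer", TOKEN, **{"from": ZERO, "to": ROGUE, "value": 5_000_000 * UNIT}),
]

if __name__ == "__main__":
    for block, msg in scan(SAMPLE):
        print(block, msg)
```

Once an upgrade lands, the new implementation decides which events it emits, so the owner-change and upgrade alerts, which fire before attacker-supplied code runs, are the dependable signals; the mint check is best-effort.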
Emergency Response and Next Steps
Following the incident, the Humility team activated its emergency response protocol:
- Immediate Service Halt: All deposit and withdrawal functions for the affected bridge have been suspended to prevent further losses.
- Multi-Party Collaboration: The team is working closely with major centralized exchanges and security firms to trace fund movements and attempt asset freezes.
- Law Enforcement Engagement: The matter has been reported to law enforcement agencies, with the team fully cooperating in the investigation to recover stolen funds.
- Security Architecture Review: A comprehensive audit and upgrade of the project's entire security architecture and internal operational procedures has been promised.
This event is another stark reminder to the Web3 industry that, in decentralized governance models, private key management and internal operational security are as vital as the security of the smart contract code itself.