Humanity Protocol's $36M Exploit: Multisig Keys Stored on Single Laptop

The breach

An employee's laptop was compromised, marking the start of the attack. The machine held several keys that controlled the project's token bridges. This created a critical vulnerability: instead of requiring multiple people to approve transactions, a single device compromise gave the attacker enough signing power to move funds.

On Ethereum, the attacker obtained three of six keys controlling the bridge's admin account. That was enough. The attacker then drained approximately 141 million H tokens in one transaction.

BNB Chain saw a different but equally damaging attack. The attacker executed similar steps with three of five keys and installed code with an unlimited mint function, minting approximately 200 million new H tokens. The total loss: more than $36 million.

How it happened

Humanity founder Terence Kwok said the team had set up a multisig wallet across four individuals. But something went wrong during setup. Humanity suspects that "some of the keys were accidentally backed up to a compromised device during setup," according to Kwok's statement.

This is a basic security failure for a startup backed by institutional investors. Humanity raised $20 million from Pantera Capital and Jump Crypto at a $1.1 billion valuation. Both firms are known for crypto infrastructure expertise.

Market impact and response

The H token's price tells part of the story. Prices shot up from 20 cents to 70 cents within two weeks before the breach. After falling as low as about 5 cents during the attack, it recovered to around 20 cents.

ZachXBT, a prominent onchain investigator, said the key compromise and a separate round of suspicious market-making in the token were not connected. The timing raised questions, but the two events appear separate.

The project said it has halted deposits and withdrawals on the affected bridges as it investigates and responds to the attack.