Horizon Bridge Hack and AAG Ventures: How Lossless Saved 78M of $AAG Tokens

3 min readJun 25, 2022

The newest of the hacks in the crypto space — Harmony’s Horizon Bridge hack — resulted in a loss of $100 million when a hacker exploited a vulnerability. We would like to offer details on this hack as well as information on how Lossless interfered and saved 78M of $AAG tokens — the first hack to be stopped by our Lossless protocol.

The stolen currencies are Frax (FRAX), Wrapped Ether (wETH), Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC) and USD Coin (USDC).

As it was already announced, one of the harmed tokens belongs to our partners — AAG Ventures. A total of 84,620,000 $AAG tokens were stolen through the Horizon Bridge. On June 23rd, starting at about 11:08 AM UTC until 11:26 AM UTC, transactions were made from the bridge for various tokens, one of them being for the $AAG cryptocurrency.

Until this was spotted the hacker was able to cash out around 6M of the stolen $AAG tokens leaving his wallet with the remaining 78M. On June 24th, at 5:35 AM UTC, the malicious transaction was reported as a hack on the Lossless protocol platform and the 78M $AAG tokens were effectively frozen for a period of 24 hours. You can see the report details here.

In the period of 24 hours the Decision-Making Body, comprised of the token owner, Lossless technical team, and the Security Committee, must conduct an investigation of the report and then cast a vote — on whether the hack is confirmed or not.

The Decision-Making Body concluded their investigation on the AAG Ventures hack much faster and on the same day, June 24th, at 3:17 PM UTC the stolen 78M of $AAG tokens were successfully retrieved.

Context of the situation by Lossless CMO — Monika

As our Ethereum configuration states, after the token owner proposes a refund wallet, it then undergoes a 3-day dispute period — the Decision-Making Body members can reject it and ask for a new one to be proposed. If such a thing does not happen, after the 3-day period the proposed wallet becomes confirmed and entitled to receive the refund.

At the moment of writing this article, the funds are retrieved and the proposed wallet is undergoing the dispute period. Once 3 days pass, AAG Ventures will be able to claim the retrieved tokens with Lossless fee already deducted from that automatically.

Our team is extremely proud to have been able to save our partner’s funds from being lost. We also were able to provide the crypto industry with solid proof of how our protocol is capable of hack prevention as it was designed to do. We hope that this will bring the spotlight to security in crypto and more projects will prioritize it sooner.

About Lossless

Restoring trust in web3 security. Lossless incorporates a new layer of blockchain transaction security, protecting projects and their communities from malicious exploits and the associated financial loss.

Lossless protocol implements an additional layer of blockchain transaction security for ERC-20 standard tokens, mitigating the financial impact of smart contract exploits and private key theft. Lossless protocol utilizes community-driven threat identification tools and a unique stake-based reporting system to identify suspicious transactions, providing real-time protection.

Twitter | Platform | Telegram | Discord | Website | Documentation | Github




World’s first unrivalled exploit identification and mitigation tools, designed to foolproof web3 from malicious activity.