One laptop: How poor security ruined Humanity Protocol
Humanity Protocol bills itself as “the internet’s trust layer,” but many have voiced concerns over its credibility in relation to yesterday’s H token compromise.
Following reports of suspicious transactions and worrying price movements, the project’s X account disclosed a “security incident involving the compromise of private keys belonging to a member of the Humanity Foundation.”
It warned users to avoid interacting “with the bridge or any liquidity pools.”
However, multiple members of the crypto security community have questioned both the mechanics and timing of yesterday’s incident, which led to the project’s H token crashing almost 90%.
Read more: Rough weekend for DeFi: Four hacks, three outages, one warning
An on-chain investigator who goes by “SpecterAnalyst” on X initially drew attention to suspicious transfers of H totaling $5 million.
The total extracted eventually reached $30 million, according to blockchain security auditor Peckshield. The firm tallied almost 190 million H tokens drained from over 280 affected wallets.
Additionally, two batches of 100 million H tokens were minted on BNB Chain.
A later official update put the total stolen at $36 million, insisting that “an employee’s laptop was compromised.” The compromise included 3-of-6 private keys for the project’s bridge contract owner, which upgraded the contract and “swept ~141.2M H in a single transaction.”
Concurrently, 3-of-5 keys for the project’s BNB Chain safe were also compromised, with a similar mechanism used to mint 200 million H tokens.
Raised eyebrows
Blockchain sleuth ZachXBT pushed back at Humanity’s initial statement, questioning why users should “blindly trust your story” after the “crime pump” of the H token.
The project’s H token recently pumped almost 400% in under five days in late May, fuelling suspicions over price manipulation.
In another post, he went further, calling the incident “possibly staged” as a “convenient” exit for the token’s market maker.
However, “after further analysis of the laundering,” he walked back the accusation.
Trading Strategy co-founder Mikko Ohtamaa pointed out the irony in “a protocol that ensures a blockchain address is a real human being and not a Sybil address,” using the same person for three multisig signer keys.
Read more: How Humanity Protocol CEO drove his previous firm to insolvency
Yearn developer Banteg also appeared shocked that attackers managed to compromise three private keys from the same foundation member.
They also spotted that, while keys were rotated for the team’s BNB Chain wallet, the Ethereum wallet remained compromised for at least 14 hours, making the idea of an inside job “plausible.”
Security firm Beosin questioned whether the hack was indeed a “rug pull” after identifying the contract upgrade which allowed transfers of H tokens directly from victims’ wallets.
Today’s incident comes just over two weeks in advance of the first unlock of 266.5 million vested tokens destined for the Humanity team and investors.
SpecterAnalyst, who initially flagged the wallet draining transactions, also seemed skeptical of the team’s version of events.
They had previously drawn attention to the project’s team, claiming that “three out of four leads have questionable pasts involving mismanagement, lawsuits, or financial wrongdoing,” and highlighted issues with the token’s distribution following its launch last June.
Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.