Humility Protocol Loses $36M After Bridge ProxyAdmin Compromise
Humility Protocol said on X that its H token on Ethereum and BSC was hit by a coordinated attack, with more than $36 million in assets confirmed stolen and sold.
The team's initial findings point to an employee computer being compromised, which exposed private keys tied to the multisignature wallet overseeing the Hyperlane Bridge ProxyAdmin. On Ethereum, the attackers obtained three of six signer keys for the Gnosis Safe, seized ownership of the ProxyAdmin, upgraded the bridge to a malicious implementation, and moved about 141.2 million H tokens in a single transaction.
On BSC, the attackers similarly accessed three of five signer keys for the Safe wallet, took control of the ProxyAdmin, and deployed a malicious contract with unlimited minting functionality. They then minted 200 million H tokens across two transactions to a wallet they controlled.
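The sequence reported on both chains (ProxyAdmin ownership change, upgrade to a new implementation, then a large mint or transfer) can be watched for on-chain. The sketch below is an added example, not code from Humility or Hyperlane. It assumes events are already decoded into `(block, contract, event, args)` tuples and that the contracts emit the OpenZeppelin-style `OwnershipTransferred` and ERC-1967 `Upgraded` events plus ERC-20 `Transfer`. All addresses, amounts, and names such as `BridgeWatch` are constructed for illustration.

```python
from dataclasses import dataclass, field

ZERO = "0x" + "00" * 20  # ERC-20 mints appear as Transfer from the zero address
# Constructed placeholder addresses, not values from the incident.
ADMIN, PROXY, TOKEN = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
SAFE, GOOD_IMPL, NEW_OWNER, NEW_IMPL = ("0x" + b * 20 for b in ("d4", "e5", "f6", "07"))

@dataclass
class BridgeWatch:
    proxy_admin: str
    proxy: str
    token: str
    approved_owners: set
    approved_impls: set
    large_amount: int   # whole tokens that count as a large movement
    window: int = 50    # blocks after an unapproved upgrade to stay on alert
    last_upgrade: int = field(default=None, init=False)

    def check(self, ev):
        """Return an alert string for one decoded event, or None."""
        block, addr, name, args = ev
        if name == "OwnershipTransferred" and addr == self.proxy_admin:
            if args["newOwner"] not in self.approved_owners:
                return "admin-owner-change"
        elif name == "Upgraded" and addr == self.proxy:
            if args["implementation"] not in self.approved_impls:
                self.last_upgrade = block
                return "unapproved-upgrade"
        elif name == "Transfer" and addr == self.token:
            recent = (self.last_upgrade is not None
                      and block - self.last_upgrade <= self.window)
            if recent and args["value"] >= self.large_amount:
                return "large-mint" if args["from"] == ZERO else "large-transfer"
        return None

def scan(watch, events):
    """Run events in block order; return [(block, alert), ...]."""
    ordered = sorted(events, key=lambda e: e[0])
    return [(e[0], a) for e in ordered if (a := watch.check(e))]

# Constructed event stream: one routine transfer, then the takeover sequence.
SAMPLE = [
    (90, TOKEN, "Transfer", {"from": SAFE, "to": NEW_OWNER, "value": 5_000_000}),
    (100, ADMIN, "OwnershipTransferred", {"previousOwner": SAFE, "newOwner": NEW_OWNER}),
    (101, PROXY, "Upgraded", {"implementation": NEW_IMPL}),
    (102, TOKEN, "Transfer", {"from": ZERO, "to": NEW_OWNER, "value": 100_000_000}),
]

def demo():
    return scan(BridgeWatch(ADMIN, PROXY, TOKEN, {SAFE}, {GOOD_IMPL}, 1_000_000), SAMPLE)
```

The transfer at block 90 is above the size threshold but raises nothing, because the large-movement rule only fires within `window` blocks of an unapproved upgrade.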
Humility has paused deposits and withdrawals for the impacted bridge services and said it is working with exchanges and partners to limit losses. The team is also cooperating with law enforcement and attempting to recover part of the stolen funds.