Ronin Network, an Ethereum-based sidechain created by Axie Infinity developer Sky Mavis to support its popular non-fungible token-based game, was exploited by an unknown hacker (or a group) and lost roughly $615 million worth of crypto today.
“The Ronin bridge has been exploited for 173,600 Ethereum and 25.5M USDC. The Ronin bridge and Katana Dex have been halted,” Ronin Network revealed on Twitter today, adding:
“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure that all funds are recovered or reimbursed. All of the AXS, RON, and SLP on Ronin are safe right now.”
There has been a security breach on the Ronin Network.https://t.co/ktAp9w5qpP
— Ronin (@Ronin_Network) March 29, 2022
According to the network’s community alert, its Ronin bridge, a blockchain interoperability protocol that allows users to transfer their assets between the Ronin chain and the Ethereum mainnet, has been exploited for 173,600 Ethereum (currently worth just over $588 million) and $25.5 million worth of USDC stablecoins.
“Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised,” Sky Mavis revealed. “The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.”
‘All your node are belong to us’
The developers further explained that the Ronin chain currently comprises nine validator nodes, five of which must provide their signatures for any deposit of withdrawal to proceed. As part of their attack, the hacker managed to gain control over four such nodes and used an additional third-party validator run by Axie DAO to substitute the fifth.
“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the developers explained.
Notably, this was made possible because Sky Mavis requested help from the Axie DAO last November in order “to distribute free transactions due to an immense user load.” As part of this agreement, the Axie DAO “allowlisted” Sky Mavis to sign transactions on its behalf.
However, while the agreement was discontinued in December 2021, the allowlist access was not revoked, according to the announcement.
Following today’s attack, the Ronin chain developers have increased the validator threshold from five to eight and are currently “in touch with security teams at major exchanges and will be reaching out to all in the coming days.” Additionally, the sidechain’s nodes are being migrated from the old infrastructure.
“We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained,” Sky Mavis stated. “We are working with Chainalysis to monitor the stolen funds.”
Considering the current dollar worth of lost assets, this may very well become the biggest hack in the decentralized finance’s (DeFi) history. While crypto exchange Mt. Gox famously lost around 850,000 Bitcoin in 2014—which would currently be worth $40.2 billion—that figure was much smaller at the time since Bitcoin was trading at a fraction of its today’s price.
Hitherto, cross-chain bridging protocol Poly Network was considered to be the biggest victim of a DeFi hack after it was exploited for roughly $604 million last August. In that case, however, the hacker later returned most of the stolen funds.