In late March, Ronin, an Ethereum sidechain built for the popular non-fungible token play-to-earn game Axie Infinity, was hacked for over 173,600 Ether (ETH) and 25.5 million USD Coin (USDC), with a combined value of more than 600 million dollars.
The Ronin Bridge breach was confirmed by Sky Mavis, the developers behind the popular play-to-earn (P2E) game:
There has been a security breach on the Ronin Network. https://t.co/ktAp9w5qpP
— Ronin (@Ronin_Network) March 29, 2022
The company’s official report noted that the hackers managed to access the validator nodes’ private keys, resulting in the compromise of five validator nodes, which is also the threshold required to approve a transaction. The Ronin chain currently consists of nine validator nodes, and the hacker managed to gain access to four of them along with a third-party validator managed by the decentralized autonomous organization (DAO) Axie DAO.
The cause of the exploit could be traced back to last year, when Axie DAO gave Sky Mavis access to sign transactions on its behalf to mitigate user volume. However, this access was never revoked, ultimately giving the hackers backdoor access that resulted in the $600 million hack.
The attack took place on March 23 and was discovered nearly a week later, when the hackers behind it used the stolen funds to short-sell Axie Infinity (AXS) and Ronin (RON). The hackers hoped to make more money from their exploit, thinking that the news of the biggest cryptocurrency hack would eventually bring the market down. However, they were liquidated before the news broke:
You cannot make this up
Hacker steals $600MM in ETH from Ronin blockchain the one underlying Axie
Hacker then goes short Ronin & AXS (Axie token) knowing as soon as news breaks that tokens will plummet
But NO ONE notices and they get liquidated on short before news breaks
— Eric Golden (@ericgoldenx) March 29, 2022
The Ronin Bridge was closed in the wake of this, with all deposits and withdrawals held until the investigation is complete. It may take several weeks before the bridge is open for public use again. The developers behind the game have since sought the help of various crypto exchanges and crypto analytics group Chainalysis to track the movement of funds and recover them.
Sky Mavis has ruled out technical vulnerabilities as the main cause of the attack and has blamed it on social engineering. The developers also promised to refund and recover the stolen funds:
“This was a social engineering attack combined with human error from December 2021. Sky Mavis’ technology is strong and we will be adding several new validators to the Ronin Network shortly to further decentralize the network,” said Axie Infinity co-founder and COO Aleksander Leonard Larsen.
Laundering and reimbursement
The Ronin bridge breach was quite similar to what happened at the Wormhole bridge for Solana, where the exploiters managed to get away with $320 million worth of crypto funds from the cross-bridge platform. Later in February, Jump Crypto — a venture capital firm — bailed out hacked users and gave them back 120,000 ETH.
Sky Mavis had made a similar promise after the exploit, stating that it would ensure affected users were reimbursed even if lost funds were not recovered. On April 6, the creators of the popular game raised $150 million in a round led by cryptocurrency exchange Binance and other investors.
A Sky Mavis spokesperson told Cointelegraph:
“Of the total amount stolen, around $400 million belongs to users. The new round, combined with funds from the Sky Mavis and Axie balance, will ensure that all users are reimbursed. The 56,000 ETH pledged from the Axie DAO treasury will remain unsecured while Sky Mavis works with law enforcement to recover the funds. If the stolen funds are not fully recovered within two years, the Axie DAO will vote on the next steps for the treasury.”
Many in the crypto world expected that, like the Poly Network exploiter, the hacker behind the Ronin Bridge exploit would end up paying back the stolen funds, as it is quite difficult to launder such a large amount of money. However, there has been no evidence of any such communication between the game’s developers and hackers, and the company declined to comment on the status of such communications.
Elliptic, a cryptocurrency data analytics firm, has traced $540 million of the stolen funds and believes hackers have already started laundering the money. First, the stolen USDC was traded for ETH on decentralized exchanges (DEX) to prevent it from being frozen.
After exchanging USDC for ETH, hackers began to launder ETH through three centralized exchanges.
The wallet belonging to the Ronin bridge hackers has also started sending funds to currency mixing services like Tornado Cash. Notably, the Poly Network exploiter did the same thing at first, but eventually decided to return the funds, as laundering such a large sum became increasingly difficult. According to a PeckShield report, hackers laundered funds worth about 42 million dollars, that is, about 7.5% of the total.
“Hacking is the easiest part. The hardest part is planning far enough in advance to ensure that the collection of funds is successful. Also, the bigger the hack, the more unlikely it is that hackers will be able to get hold of all of the funds,” said Jonah Michaels, head of communications for Immunefi, a Web3 bug bounty platform.
Could this hack have been prevented?
Although not all blockchains are the same, they are all based on the principle of decentralization, which ensures that power and security are not concentrated in the hands of a single entity. The need for decentralization is on full display in this massive Ronin hack. When systems are designed for the public to distribute power and security, they must be just that: distributed. The use of nine validators, four of which are controlled by a single party, has proven to be insecure.
Although the game’s creators claim that the exploit was not caused by any glitch, the fact that hackers gained backdoor entry to one of the validator nodes because the developers forgot to revoke their access to a third-party validator certainly demonstrates a degree of centralization in the validation process. This ultimately became the reason for the $600 million loss in crypto assets.
For a game like Axie Infinity, with a $4 billion valuation and a user base numbering in the millions, the developers could have done better with cross-bridge security, especially when cross-bridge platforms have been on the receiving end of some of the biggest crypto heists of the last two years.
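The concentration described above (a threshold of five out of nine validators, four of them run by one party, plus an unrevoked right to sign for the Axie DAO validator) is something an operator can check mechanically. The following Python audit is an added example, not Sky Mavis or Ronin code; the validator ids, the partner-* operator names, the delegation record format and its dates are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

THRESHOLD = 5  # signatures needed to approve a transaction (5 of 9, per the report)

# Constructed inventory: four nodes run by one operator, one by the DAO,
# four by placeholder third parties ("partner-*" names are hypothetical).
VALIDATORS = (
    [{"id": f"v{i}", "operator": "sky-mavis"} for i in range(1, 5)]
    + [{"id": "v5", "operator": "axie-dao"}]
    + [{"id": f"v{i}", "operator": f"partner-{i}"} for i in range(6, 10)]
)

# Constructed delegation record: the DAO validator lets another party sign
# on its behalf. Dates are illustrative; expires=None means "until revoked".
DELEGATIONS = [
    {"validator": "v5", "delegate": "sky-mavis",
     "granted": date(2021, 11, 1), "expires": None, "revoked": None},
]


def is_active(d, as_of):
    """A grant is live unless it was revoked or has expired by as_of."""
    if d["revoked"] is not None and d["revoked"] <= as_of:
        return False
    return d["expires"] is None or d["expires"] > as_of


def effective_control(validators, delegations, as_of):
    """Map each party to every validator it can sign for, owned or delegated."""
    control = defaultdict(set)
    for v in validators:
        control[v["operator"]].add(v["id"])
    for d in delegations:
        if is_active(d, as_of):
            control[d["delegate"]].add(d["validator"])
    return control


def audit(validators, delegations, threshold, as_of):
    """Return parties whose compromise alone would meet the signing threshold,
    plus live delegations with no expiry (candidates for forgotten access)."""
    control = effective_control(validators, delegations, as_of)
    over = {p: sorted(ids) for p, ids in control.items() if len(ids) >= threshold}
    open_ended = [d["validator"] for d in delegations
                  if is_active(d, as_of) and d["expires"] is None]
    return {"single_party_quorum": over, "open_ended_delegations": open_ended}
```

Run against the constructed data with the attack date, `audit(VALIDATORS, DELEGATIONS, THRESHOLD, date(2022, 3, 23))` reports one party able to sign for five validators; recording a revocation date on the delegation clears both findings.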
Jean-Paul Faraq, head of community and partnerships at Unstoppable Games, told Cointelegraph:
“Axie and their Ronin blockchain clearly have good intentions and a great vision. In fact, considering the state of scaling on Ethereum when Ronin was built, it can be argued that it was the right choice at the time, but they also had the funds to explore robust measures to ensure their blockchain was better protected. They will surely take a hard look at how to improve and will likely come out the other side with a more robust product.”
The game’s developers have promised to increase the number of validator nodes from nine to 21 in the next quarter. They also assured that if the stolen funds are not recovered within two years, the Axie DAO will vote on the next steps for its treasury.