Ronin Network, the gaming-focused blockchain platform, on Tuesday announced that it was allegedly breached by hackers last week, with cryptocurrency valued at roughly $625 million (173,600 Ethereum and 25.5 million USDC) stolen in one of the largest DeFi hacks to date.
According to a blog post published by the Ronin Network’s official Substack, the validator nodes of Sky Mavis, the publishers of the popular Axie Infinity game, and the Axie DAO were compromised.
An attacker “used hacked private keys in order to forge fake withdrawals” from the Ronin bridge in two transactions (1 and 2). While the hack occurred on March 23rd, it was discovered only on Tuesday morning after a user reported being unable to withdraw 5,000 ETH from the bridge network.
Providing details of the attack, the blog post stated that Sky Mavis’ Ronin chain has nine validator nodes, of which five validator signatures are required to recognize a Deposit event or a Withdrawal event. The validator key scheme is set up to be decentralized so that it limits an attack vector.
In this case, the attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO. “The attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” it added.
This traces back to November 2021, when Sky Mavis requested help from the Axie DAO validator to distribute free transactions due to an immense user load. Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf; the arrangement was discontinued in December 2021, but the allowlist access was not revoked.
Once the attacker got access to Sky Mavis systems, they were able to get the signature from the Axie DAO validator by using the gas-free RPC.
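The trust concentration described above can be checked mechanically. The following is an added example, not code from Sky Mavis or the original article: it models the nine-validator set and computes how many operators must be compromised to reach the signing threshold, and flags delegations that were never revoked. The key names, the "Operator C" to "Operator F" placeholders, the dictionary layout and the exact end-of-December date are assumptions made for illustration.

```python
from datetime import date
from itertools import combinations

# Constructed model of the validator set in the article: nine validators,
# four run by Sky Mavis, one by Axie DAO. "Operator C".."F" are placeholders
# for the four operators the article does not name.
VALIDATORS = {
    "sm-1": "Sky Mavis", "sm-2": "Sky Mavis", "sm-3": "Sky Mavis",
    "sm-4": "Sky Mavis", "axie-dao": "Axie DAO", "v6": "Operator C",
    "v7": "Operator D", "v8": "Operator E", "v9": "Operator F",
}
# Signing access granted across operators. The end date's day is constructed;
# the article gives only "December 2021".
DELEGATIONS = [{"validator": "axie-dao", "grantee": "Sky Mavis",
                "needed_until": date(2021, 12, 31), "revoked": False}]


def reachable_keys(operator, validators, delegations):
    """Validator keys usable by whoever controls `operator`'s systems."""
    own = {v for v, op in validators.items() if op == operator}
    borrowed = {d["validator"] for d in delegations
                if d["grantee"] == operator and not d["revoked"]}
    return own | borrowed


def min_domains_for_quorum(validators, delegations, threshold):
    """Smallest number of operators whose compromise yields `threshold` keys."""
    operators = sorted(set(validators.values()))
    for k in range(1, len(operators) + 1):
        for combo in combinations(operators, k):
            keys = set()
            for op in combo:
                keys |= reachable_keys(op, validators, delegations)
            if len(keys) >= threshold:
                return k, combo
    return None


def stale_delegations(delegations, today):
    """Grants that outlived their purpose but were never revoked."""
    return [d for d in delegations
            if not d["revoked"] and d["needed_until"] < today]


if __name__ == "__main__":
    for t in (5, 8):
        print(t, min_domains_for_quorum(VALIDATORS, DELEGATIONS, t))
    print(stale_delegations(DELEGATIONS, date(2022, 3, 23)))
```

With the five-of-nine threshold, a single operator holds a quorum; with the delegation revoked, or with the threshold raised to eight, more than one independent operator has to fail.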
Meanwhile, the company said it has taken the following precautionary actions to guard against the attack:
- We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short term damage, we have increased the validator threshold from five to eight.
- We are in touch with security teams at major exchanges and will be reaching out to all in the coming days.
- We are in the process of migrating our nodes, which is completely separated from our old infrastructure.
- We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained.
- We have temporarily disabled Katana DEX due to the inability to arbitrage and deposit more funds to Ronin Network.
- We are working with Chainalysis to monitor the stolen funds.
“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed. All of the AXS, RON, and SLP on Ronin are safe right now,” the blog post concluded.
“We are working directly with various government agencies to ensure the criminals get brought to justice. We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users’ funds are lost. Sky Mavis is here for the long term and will continue to build.”