Ronin crypto hack worth roughly $625m went unnoticed for a week

30 Mar 2022

Axie Infinity screenshot. Image: Sky Mavis

Researchers tracking the stolen funds for Ronin described it as ‘the largest-ever DeFi exploit’.

A major hack has resulted in approximately $625m worth of cryptocurrency being stolen from Ronin, the gaming-focused blockchain network used for the NFT-based game Axie Infinity.

Ronin said 173,600 Ethereum and 25.5m USDC – a stablecoin linked to the US dollar – were drained in two transactions.

Chainalysis said on Twitter it is tracking the funds on Ronin’s behalf. The blockchain platform said this hack is worth more than $625m, which would make it “the largest-ever DeFi exploit” recorded.

Ronin said it is working with law enforcement officials, forensic cryptographers and investors to recover or reimburse the stolen funds. The Ronin bridge and Katana decentralised exchange have also been halted as a security measure.

The blockchain network said validator nodes for Sky Mavis – the operator of Ronin and Axie Infinity – and Axie DAO validator nodes were compromised on 23 March.

Ronin said it noticed the breach yesterday (29 March), after a user reported they could not withdraw 5,000 Ethereum from the bridge.

“There has been a security breach on the Ronin Network,” the blockchain operator said on its Substack. “The attacker used hacked private keys in order to forge fake withdrawals.

“Sky Mavis’ Ronin chain currently consists of nine validator nodes. In order to recognise a deposit event or a withdrawal event, five out of the nine validator signatures are needed.”

Ronin said the bad actor had control of Sky Mavis’ four validators and a third-party validator run by Axie DAO. The hacker found a backdoor that was abused to get access to this fifth validator.

“This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load,” the statement said. “The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf.

“This was discontinued in December 2021, but the allowlist access was not revoked,” Ronin added.

Even though security is often seen as one of the major benefits of blockchain, cyberattacks are becoming more sophisticated all the time, with major hacks occurring over the last year.

One of the world’s largest cryptocurrency trading platforms by volume, Bitmart, was targeted last December by unidentified hackers, which led to an estimated $196m worth of assets being stolen.

Last August, a major hack on decentralised finance platform Poly Network saw more than $600m in cryptocurrency stolen by exploiting a vulnerability in its system – one of the largest crypto thefts in history.


Leigh Mc Gowran is a journalist with Silicon Republic
