Summary
- Hacker exploits the Ronin bridge (an Ethereum sidechain developed for Sky Mavis’s game, Axie Infitity) and takes over $600m in Ethereum and USDC
- The Ronin bridge and Katana DEX have been halted
- Law enforcement, forensic cryptographers, investors, Chainalysis, Crowdstrike, all working to recover funds.
One of the biggest hacks in history, and the biggest in DeFi’s history, has taken place on Axie Infinity’s Ronin Ethereum sidechain and the entire crypto industry is reeling as a result. Click here to read Ronin’s announcement and any updates.
On 29th March 2022, the Ronin bridge experienced a security breach that saw a hacker draw 173,600 ETH and 25.5 million USDC, worth around $612m in Ethereum and USDC at the time of the incident. Though it was only yesterday announced and spotted, the attack happened on the 23rd of March and was only noticed yesterday when a whale couldn’t draw down 5000 ETH from the bridge. The Ronin bridge and Katana DEX have both been halted for the time being.
The Ronin developers are “working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed. All of the AXS, RON, and SLP on Ronin are safe right now.” The Ronin team then today added that they are also “working with Chainalysis to monitor the stolen funds and Crowdstrike to handle forensics and the setup of surveillance tools.”
How Did the Hacker Take the Money?
The exploiting of blockchain is a form of wizardry that is above my station, but from the sounds of it, the hack is pretty straightforward to understand at a basic level. The Ronin chain uses 9 validator nodes that do exactly what they say on the tin: they validate transactions. If 5 nodes sign a deposit or withdrawal request, it is for all intents and purposes, approved.
The person behind the attack hacked the private keys for 4 of Ronin’s own Validator nodes and then through Ronin’s system, they backdoored their way into the RPC node which they exploited to get the 5th signature needed: the Axie DAO validator node.
A number of people are criticizing Ronin for only requiring 5 out of 9 signatures and while they explain that it was this number “as some nodes didn’t catch up with the chain, or were stuck in syncing state,” they have also added they are increasing the threshold to 8 of 9.
Final Thoughts
Even if you’re not directly affected by this, if you’re interested in crypto in any way, you’re indirectly affected. Hacks of this size serve to highlight the flaws in the new technology and many mainstream media outlets will be dining on this for some time as they push the “crypto is the wild west” narrative.
Vitalik Buterin has spoken out about the security limitations of bridges just this year and he is being proven correct regularly. He does state, however, that he is more optimistic about a multi-chain future, which would certainly be my preference. Nevertheless, blockchain interoperability has proven to be an immediate goal of the industry at large and for that, bridges are (currently) necessary for that.
As for this hack, all we can do is hope that the funds are recovered or returned (it’s possible, but unlikely, that as the funds are just sitting in the wallet, the hacker may either return for a fee or ransom them.) Whatever the case, it’s been a dark few days for blockchain gaming and crypto as a whole.
