The Ethereum sidechain Ronin has been hacked
Reading time:
10 min
Ronin, the Ethereum sidechain developed for the popular NFT game Axie Infinity, has fallen victim to a hack that stole about $615 million worth of crypto-assets from a hacker.
The hack was reportedly carried out back on 23 March as a result of a security vulnerability. The attack was discovered on the morning of 29 March, when a user reported being unable to withdraw 5,000 ETH from the bridge.
The hacker used “compromised private keys” to carry out the exploit. He was able to forge transactions to withdraw funds. He managed to steal 173,600 ETH ($590 million) and 25.5 million USDC in two transactions. Most of the crypto-assets are still at the hacker's address.
According to the observations of The Block Research researcher Igor Igamberdiev, some funds went to the centralized exchanges FTX and Crypto.com. A Twitter user also discovered that the hacker had withdrawn some funds to the Binance exchange.
According to the report, the hacker was able to sign transactions from five out of nine nodes on the Ronin network, which is the minimum threshold for signature approval. The attacker gained access to four Sky Mavis validators as well as one operated by Axie DAO.
The validator key scheme is configured to be decentralised and limit the attack vector. But the attacker found a backdoor through our gasless RPC node to get a signature for the Axie DAO validator, the report said.
Immediately after the hack was detected, developers began acting to create a defence against future attacks. They are also working with major exchanges and Chainalysis to track stolen funds. They are also working with government agencies to bring hackers to justice.
Ronin Bridge and DEX Katana are temporarily suspended. The Ronin network hack was the largest in the history of the DeFi segment.