The Ronin Network announced yesterday that hackers have stolen more than $600 million worth of Ethereum (173,600 ETH) and $25.5 million of US dollar-pegged stablecoin USDC, making it one of the largest decentralized finance (DeFi) hacks to date. The company, which is tied to the popular blockchain game Axie Infinity, said in a Substack post that they suffered a security breach on March 23. Sky Mavis, a blockchain gaming company, built and controls the Axie Infinity game.
The hack involved the compromise of Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes, which allowed the threat actor to drain the funds from the Ronin bridge in two transactions.
Figure 1. https://roninblockchain.substack.com/p/community-alert-ronin-validators/
The Ronin chain has 9 validator nodes in total, and five signatures are needed to approve any deposit or withdrawal. Four Sky Mavis validators and 1 Axie DAO validator were hacked in the attack. “The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO,” they explained. “The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge,” the company explained.
Researchers tied the attack back to an issue from November 2021, when the Axie DAO allowed Sky Mavis to sign various transactions on its behalf as a way to handle an increasing number of transactions. They ended this practice in December of 2021 but claimed the “allowlist access was not revoked.” Sky Mavis has now increased the validator threshold from five to eight as a protective measure. The company also said it is working with blockchain intelligence firm Chainalysis on tracking the stolen funds and has contacted various governments for law enforcement assistance.
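The threshold arithmetic described above can be checked mechanically. The following audit is an added example, not code from Sky Mavis or Ronin: it counts how many validator signatures each operator can reach once unrevoked signing grants are included, and how many operators must be compromised to meet a given threshold. Validator IDs, the four `operator-N` names, and the exact day in December 2021 are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

@dataclass(frozen=True)
class Grant:
    """Permission for `grantee` to sign on behalf of `validator`."""
    validator: str
    grantee: str
    needed_until: date   # when the business need ended
    revoked: bool

# Constructed model of the 9 validators; only Sky Mavis (4) and Axie DAO (1)
# come from the article, the other operator names are placeholders.
VALIDATORS = {
    "sm-1": "Sky Mavis", "sm-2": "Sky Mavis", "sm-3": "Sky Mavis", "sm-4": "Sky Mavis",
    "dao-1": "Axie DAO",
    "v6": "operator-6", "v7": "operator-7", "v8": "operator-8", "v9": "operator-9",
}
# Day of month is a placeholder; the article only says "December of 2021".
GRANTS = [Grant("dao-1", "Sky Mavis", date(2021, 12, 31), revoked=False)]

def reachable(operator, validators, grants):
    """Validator signatures obtainable by compromising a single operator."""
    own = {v for v, op in validators.items() if op == operator}
    delegated = {g.validator for g in grants
                 if g.grantee == operator and not g.revoked}
    return own | delegated

def stale_grants(grants, today):
    """Grants that outlived their purpose but were never revoked."""
    return [g for g in grants if not g.revoked and g.needed_until < today]

def min_operators_to_reach(threshold, validators, grants):
    """Smallest set of operators whose combined reach meets the threshold."""
    operators = sorted(set(validators.values()))
    for k in range(1, len(operators) + 1):
        for combo in combinations(operators, k):
            sigs = set().union(*(reachable(op, validators, grants) for op in combo))
            if len(sigs) >= threshold:
                return k, combo
    return None

if __name__ == "__main__":
    for g in stale_grants(GRANTS, date(2022, 3, 23)):
        print(f"STALE GRANT: {g.grantee} can still sign for {g.validator}")
    for threshold in (5, 8):
        print(threshold, min_operators_to_reach(threshold, VALIDATORS, GRANTS))
```

With the stale grant in place, one operator alone reaches the five-signature threshold; revoking the grant or raising the threshold to eight forces an attacker to compromise additional independent operators.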
Most of the stolen funds are still in the hacker’s wallet. The company is not allowing its users to withdraw or deposit funds but said it is “committed to ensuring that all of the drained funds are recovered or reimbursed.”
Motherboard reported that the Axie Infinity game is popular in the Philippines and that the Ronin network was created in February 2021 as a way to make the game cheaper to play.
Elliptic, a blockchain security company, said the hack is the second largest cryptocurrency heist ever after an unidentified hacker stole more than $600 million worth of cryptocurrency from Poly Network, a DeFi platform based in China, last year. Elliptic bases its figures on the price of the coins at the time they were stolen, and in this instance, the price of ETH on March 23 means about $540 million was taken from Ronin.
The hack continues a run of attacks on DeFi platforms that have occurred over the last year. Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021. DeFi platform Wormhole saw crypto-assets worth $324 million stolen from it in February while Bitmart lost $196 million in early December.
In November, cybercriminals stole about $120 million from DeFi platform Badger while AscendEX had about $77 million stolen.
Blockchain gaming company Vulcan Forged was robbed of around $140 million in December while $34 million was taken from Cream Finance last September and about $200 million was stolen from the PancakeBunny platform in May 2021.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com