More than $625 million stolen in DeFi hack of Ronin Network

The Ronin Network announced on Tuesday that hackers have stolen more than $600 million worth of Ethereum (173,600 ETH) and $25.5 million of US dollar-pegged stablecoin USDC, making it one of the largest decentralized finance (DeFi) hacks to date. 

The company, which is tied to the popular blockchain game Axie Infinity, said in a Substack post that they suffered a security breach on March 23. Sky Mavis, a blockchain gaming company, built and controls the Axie Infinity game. 

The hack involved the compromise of Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes, which allowed the threat actor to drain the funds from the Ronin bridge in two transactions. 

The Ronin chain has 9 different validator nodes in total and five are needed for any deposit or withdrawal. Four Sky Mavis validators and 1 Axie DAO were hacked in the attack.

“The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO,” they explained.

There has been a security breach on the Ronin Network.https://t.co/ktAp9w5qpP

— Ronin (@Ronin_Network) March 29, 2022

“The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge,” the company explained. 

They tied the hack back to an issue from November 2021, when they allowed Sky Mavis to be able to sign various transactions on its behalf as a way to handle an increasing number of transactions. 

They ended this practice in December but claimed the “allowlist access was not revoked.” They have now increased the validator threshold from five to eight as a protective measure.

The company also said it is working with blockchain intelligence firm Chainalysis on tracking the stolen funds and has contacted various governments for law enforcement assistance. 

Most of the stolen funds are still in the hacker’s wallet. The company is not allowing its users to withdraw or deposit funds but said it is “committed to ensuring that all of the drained funds are recovered or reimbursed.”

Motherboard reported that the Axie Infinity game is popular in The Philippines and the Ronin network was created in February 2021 as a way to make the game cheaper to play. 

Elliptic, a blockchain security company, said the hack is the second largest cryptocurrency heist ever after an unidentified hacker stole more than $600 million worth of cryptocurrency from Poly Network, a DeFi platform based in China, last year.

Elliptic bases its figures on the price of the coins at the time they were stolen, and in this instance, the price of ETH on March 23 means about $540 million was taken from Ronin.

The hack continues a run of attacks on DeFi platforms that have occurred over the last year. Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021. 

DeFi platform Wormhole saw crypto-assets worth $324 million stolen from it in February while Bitmart lost $196 million in early December. 

In November, cybercriminals stole about $120 million from DeFi platform Badger while AscendEX had about $77 million stolen. 

Blockchain gaming company Vulcan Forged was robbed of around $140 million in December while $34 million was taken from Cream Finance in September and about $200 million was stolen from the PancakeBunny platform in May. 

Other attacks have involved platforms like Liquid, EasyFi, bZx, and many others.

• Ronin Network – $625 million
• PolyNetwork – $600 million
• Cream Finance – $130 million (October)
• Badger - $120 million
• Liquid – $94 million
• EasyFi – $81 million
• bZx - $55 million
• Uranium Finance – $50 million
• Cream Finance – $37 million (February)
• Alpha Homora – $37 million
• Vee Finance – $35 million
• Meerkat Finance – $31 million
• Spartan – $30 million
• Cream Finance – $29 million (August)
• pNetwork – $12 million
• Rari Capital – $11 million