In late March, Ronin, an Ethereum sidechain built for the popular play-to-earn nonfungible token game Axie Infinity, was hacked for over 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) for a combined value of over $600 million.
The breach on the Ronin bridge was confirmed by Sky Mavis, the developers behind the popular play-to-earn (P2E) game:
There has been a security breach on the Ronin Network.https://t.co/ktAp9w5qpP
— Ronin (@Ronin_Network) March 29, 2022
The official report from the company noted that the hackers managed to get access to private keys to validator nodes resulting in the compromise of five validator nodes, which is also the threshold required to approve a transaction. The Ronin chain currently consists of nine validator nodes and the hacker managed to get access to four of them along with a third-party validator run by decentralized autonomous organization (DAO) Axie DAO.
The root cause for the exploit could be traced back to last year when Axie DAO gave access to Sky Mavis to sign off on transactions on its behalf to mitigate user volume. However, this access was never revoked, which eventually led to backdoor access by hackers resulting in the $600 million hacks.
The exploit took place on March 23, only to be discovered nearly a week later after hackers behind the attack used the stolen funds to short Axie Infinity (AXS) and Ronin (RON). The hackers hoped to make more money on their exploit, thinking the news about the biggest crypto hack would eventually bring down the market, however, they got liquidated before the news broke:
You cannot make this up
Hacker steals $600MM in ETH from Ronin blockchain the one underlying Axie
Hacker then goes short Ronin & AXS (Axie token) knowing as soon as news breaks that tokens will plummet
But NO ONE notices and they get liquidated on short before news breaks
— Eric Golden (@ericgoldenx) March 29, 2022
The Ronin bridge was closed in the aftermath, with all deposits and withdrawals halted until the investigation was complete and it may take several weeks before the bridge opens for public use again. The developers behind the game have since sought help from various crypto exchanges and crypto analytic group Chainalysis to track the movement of funds and recover them.
Sky Mavis has ruled out technical vulnerabilities as the core cause behind the exploit and blamed it on social engineering. The developers also promised to reimburse and recover the stolen funds:
“This was a social engineering attack combined with human error from December 2021. Sky Mavis tech is solid and we will be adding several new validators to the Ronin Network shortly to further decentralize the network,” said Axie Infinity co-founder and chief operating officer Aleksander Leonard Larsen.
Laundering and reimbursement
The exploit on the Ronin bridge was quite similar to what happened on the Wormhole bridge for Solana, where the exploiters managed to get away with $320 million worth of crypto funds from the cross-bridge platform. Later in February, Jump Crypto — a venture capital firm — bailed out exploited users and replenished 120,000 ETH.
Sky Mavis had made a similar promise in the aftermath of the exploit, claiming they would ensure that affected users are reimbursed even if the lost funds aren’t recovered. On April 6, the creators of the popular game raised $150 million led by crypto exchange Binance and other investors.
A Sky Mavis spokesperson told Cryptox:
“Out of the total amount stolen, around $400 million belongs to users. The new round, combined with Sky Mavis and Axie balance sheet funds, will ensure that all users are reimbursed. The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the stolen funds are not fully recovered within two years, the Axie DAO will vote on the next steps for the treasury.”
Many in the crypto world hoped that, like the exploiter of the Poly Network, the hacker behind the Ronin Bridge exploit would eventually return the stolen funds, as it’s quite difficult to launder such a high amount of money. However, there hasn’t been any evidence of such communication between game developers and the hackers and the company declined to comment on the status of such communications.
Elliptic, a crypto data analytics company, has traced down $540 million of the stolen funds and believes the hackers have already begun laundering the money. First, the stolen USDC was swapped for ETH on decentralized exchanges (DEXs) in order to avoid it being frozen.
After swapping USDC for ETH, the hackers started to launder the ETH via three centralized exchanges.
The wallet belonging to the hackers of the Ronin Bridge has also started sending funds to currency mixer services such as Tornado Cash. It’s worth noting that the Poly Network exploiter did the same at first but finally decided to return the funds as laundering such a large sum became increasingly difficult. According to a PeckShield report, the hackers laundered about $42 million worth of funds, or around 7.5% of the total.
“Hacking is the easiest part. The hardest part is planning enough in advance to make sure that cashing out the funds is successful. Moreover, the larger the hack, the more unlikely it is that hackers will be able to make off with all the funds,” said Jonah Michaels, communications lead at Immunefi — a Web3 bug bounty platform.
Could this hack have been avoided?
While not all blockchains are made equal, they are all established on the principle of decentralization, which ensures that power and security are not concentrated in the hands of a single entity. The need for decentralization is highlighted by this enormous hack on Ronin. When designing systems for the public with the goal of distributing power and security, it must be just that: distributed. The use of nine validators, four of which are controlled by a single party, has been proved to be insecure.
While the makers of the game claim that the exploit didn’t take place because of any technical shortcomings, the fact that hackers managed to exploit and get a backdoor entry to one of their validator nodes because the developers forgot to revoke access to the third-party validator certainly highlights a certain level of centralization in the validator approval process. This eventually became the reason for the loss of $600 million worth of crypto assets.
For a game like Axie Infinity with a $4 billion valuation and a user base ranging in millions, the developers could have definitely done better with cross-bridge security, especially when cross-bridge platforms have been at the receiving end of some of the biggest crypto heists in the past couple of years.
Jean-Paul Faraq, head of community and partnerships of Unstoppable Games, told Cryptox:
“Axie and their blockchain Ronin clearly have good intentions and a grand vision. Indeed, considering the state of scaling on Ethereum when Ronin was built, you may argue it was the right choice at the time, but they also had the funds to explore robust measures to ensure their blockchain was better protected. They will surely take a long hard look at how to improve and likely come out the other side with a more robust product.”
The developers of the game have promised to increase the number of validator nodes from nine to 21 in the coming quarter. They also assured that if the stolen funds are not recovered within two years, the Axie DAO would vote for the next steps for its treasury.