Pierluigi Paganini
March 29, 2022
Threat actors have stolen almost $625 million in Ethereum and USDC (a U.S. dollar pegged stablecoin) tokens from Axie Infinity’s Ronin network bridge. The attack took place on March 23rd, but the cyber heist was discovered today after a user was unable to withdraw 5,000 ether.
The Ronin Network is an Ethereum-linked sidechain used for the blockchain game Axie Infinity.
The attackers have stolen roughly 173,600 ether and 25.5 million USDC. The Ronin bridge and Katana Dex have been halted following the attack.
Axie Infinity disclosed the security breach through the official Discord and Twitter accounts, and by Ronin Network.
“There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2).” reads a statement published by the company. “The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.”
Important announcement regarding a security breach on the Ronin Network. https://t.co/88TilOGTX6
— Axie Infinity (@AxieInfinity) March 29, 2022
The amount of stolen funds makes this attack the largest crypto hack in history, passing the $611 million hack of the DeFi protocol Poly Network in August 2021.
Sky Mavis’ Ronin chain is currently composed of 9 validator nodes. In order to confirm transactions, five out of the nine validator signatures are needed. The threat actors managed to get control over five of the validator signatures, Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.
“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.” continues the statement.
The company notified law enforcement and hired a forensic cryptographer to investigate the incident.
Axie Infinity said it’s committed to ensuring that all of the drained funds are recovered or reimbursed.
“As of right now users are unable to withdraw or deposit funds to Ronin Network. Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed.” concludes the statement.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Axie Infinity’s Ronin)
[adrotate banner=”5″]
[adrotate banner=”13″]
