Over USD 600M Stolen in Blockchain Bridge Hack as Axie Infinity’s Ronin Exploited
The first quarter of 2022 is about to end with one of the largest crypto thefts, as the gaming-focused Ronin bridge, which connects blockchains, has been exploited to the tune of more than USD 600m.
The Ronin Network confirmed that the bridge has been exploited for ETH 173,600 and USDC 25.5m, which are now worth around USD 617m. However, per blockchain analysis firm Elliptic, the total value of the stolen cryptoassets at the time of the theft was USD 540m, which makes it the second-largest crypto theft.
Both the bridge and the Katana decentralized exchange have been halted, they added.
The team behind the network claims that today, they discovered that Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised on March 23. Sky Mavis is the developer of Axie Infinity, the popular blockchain-powered play-to-earn game. The firm also developed Ronin, an Ethereum-linked sidechain made specifically for Axie Infinity.
“The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge,” they said.
The team said they are working with law enforcement officials, forensic cryptographers, “and our investors to make sure all funds are recovered or reimbursed.”
According to them, their users are now unable to withdraw or deposit funds to Ronin Network.
“Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed,” the team added.
At 18:44 UTC, AXS trades at USD 65 and is down almost 9% in a day, SLP dropped 11% to USD 0.02, while RON crashed 20%, reaching USD 1.84.
Elliptic said that its internal analysis indicates that the exploiter has already begun laundering their proceeds, with funds originating from the attack already reaching at least “three prominent crypto exchanges.” The exploiter is using both centralized and decentralized exchanges, they added.
“At the time of writing, around USD 16 million in ETH has been laundered in this manner, leaving USD 524 million in various Ethereum accounts which appear to belong to the attacker,” the firm said.
You cannot make this up
Hacker steals $600MM in ETH from Ronin blockchain the one underlying Axie
Hacker then goes short Ronin & AXS (Axie token) knowing as soon as news breaks that tokens will plummet
But NO ONE notices and they get liquidated on short before news breaks
— Eric Golden (@ericgoldenx) March 29, 2022

This is very different from previous bridge hacks where the root cause was a smart contract bug. This is a much more "classical" hack of private keys in a multi-key security setup. This is why trust-minimized bridging is SO important.
— smartcontracts.eth (✨🔴_🔴✨) (@kelvinfichter) March 29, 2022

Anyone remember the Binance hack in May 2019 and the price action around that?
Pay attention to ETH right here. Ronin sidechain just got smoked for $600mm of ETH. If ETH can't dump, tells you everything you need to know.
— Travis Kling (@Travis_Kling) March 29, 2022

17 to me, the point is that a lot of innocent folks including people playing-to-earn from low income families will be hurt by this incident.
— Miko (@mikojava) March 29, 2022

3 This was about bridging validators, so the attack was in that respect similar to the Wormhole hack. Again, Vitalik warned us. All chains experience all other chains as off-chain.
— Miko (@mikojava) March 29, 2022
(Updated at 19:18 UTC with additional details and comments. Updated on March 30 at 5:39 UTC to correct the stolen amount of USDC, which is USDC 25.5m, not USD 25.5.)