The Ronin network was exploited on March 23 when Sky Mavis’ Ronin validator nodes and Axie DAO validator nodes were compromised, causing a loss of 173,600 Ethereum and 25.5M USDC in two separate transactions totalling about $625 million. The breach was discovered Tuesday morning after a user couldn’t withdraw 5000 Ethereum from the platform and reported it to the team.
The platform is working with Chainalysis to monitor the stolen funds and is migrating its nodes to infrastructure wholly separated from the old one. The Ronin Bridge has also been temporarily paused to close any open attack vectors.
As for the users impacted, Ronin has reported that it is in discussions with Axie Infinity (a game based on the Ronin blockchain) and Sky Mavis stakeholders about how best to move forward and ensure no user funds are lost. They also reported working with “various government agencies” to ensure that the perpetrator is brought to justice.
Yet another DeFi hack
Five validator private keys were hacked, four from Sky Mavis validators and one from Axie DAO. Five out of the nine validator signatures are needed to complete a withdrawal or deposit on the platform. This scheme is set up to be decentralised to limit attack vectors like these.
The attacker, however, found a backdoor through the platform’s gas-free RPC node and abused it to get the signature for the Axie DAO validator. After this, the attacker gained access to Sky Mavis systems and was able to get the signature from the Axie DAO validator by using the gas-free RPC.
Once the attacker had access to all five keys, they could make withdrawals from the platform quietly without anyone noticing. The company has also confirmed that the signature in the attacker’s withdrawals matches up with the suspected validators.
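A 5-of-9 threshold only protects as far as the keys are held and signed independently. The following Python sketch is an added example, not code from Ronin or Sky Mavis: it counts the fewest operators whose compromise reaches the signing threshold, with and without a path that lets one operator obtain another's signature. The operator names other than Sky Mavis and Axie DAO, the validator labels and the delegation map are constructed for illustration.

```python
from itertools import combinations

THRESHOLD = 5  # signatures needed out of nine validators (from the article)

# Constructed mapping: operator -> validator keys it holds. Only the Sky Mavis
# (four) and Axie DAO (one) counts come from the article; the rest is assumed.
HOLDINGS = {
    "sky_mavis": {"v1", "v2", "v3", "v4"},
    "axie_dao": {"v5"},
    "operator_c": {"v6"},
    "operator_d": {"v7"},
    "operator_e": {"v8"},
    "operator_f": {"v9"},
}

# Constructed model of the gas-free RPC path: from inside Sky Mavis systems a
# signature from the Axie DAO validator could also be obtained.
DELEGATIONS = {"sky_mavis": {"v5"}}


def reachable_keys(compromised, holdings, delegations):
    """Validator keys usable for signing once these operators are compromised."""
    keys = set()
    for op in compromised:
        keys |= holdings.get(op, set())
        keys |= delegations.get(op, set())  # signatures op can obtain for others
    return keys


def min_operators_to_threshold(holdings, delegations, threshold=THRESHOLD):
    """Smallest set of operators whose compromise yields `threshold` signatures."""
    ops = sorted(holdings)
    for size in range(1, len(ops) + 1):
        for combo in combinations(ops, size):
            if len(reachable_keys(combo, holdings, delegations)) >= threshold:
                return combo
    return None  # threshold unreachable even with every operator compromised


if __name__ == "__main__":
    independent = {f"operator_{i}": {f"v{i}"} for i in range(1, 10)}
    print("one key per operator :", min_operators_to_threshold(independent, {}))
    print("concentrated holdings:", min_operators_to_threshold(HOLDINGS, {}))
    print("with signing path    :", min_operators_to_threshold(HOLDINGS, DELEGATIONS))
```

Running the same audit against a real validator set requires an accurate inventory of who holds each key and every service that can request a signature on another party's behalf.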
Since the Bridge has been temporarily suspended, users can’t withdraw or deposit funds on the platform. However, Sky Mavis is working on ensuring that all the drained funds are either recovered or reimbursed.