Ronin Network Crypto Heist Accents Dapps’ Vulnerabilities

The Ronin blockchain network connected to the popular Axie Infinity online game is the latest victim of crypto hackers who have managed to secure one of the biggest snatches to date.
Although the heist took place on March 23, causing a loss of 173,600 Ethereum and 25.5M USDC worth almost $600 million on the Ronin bridge in two transactions, it was only discovered on March 29.
“The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge,” the Ronin network reported Tuesday.
In its latest statement, the network underscored that “the investigation continues, and at this stage, we cannot share more substantial information. We have had various calls with key stakeholders, law enforcement agencies, and major exchanges.” Ronin is also collaborating with big cryptocurrency exchanges to track the movement of funds. Huobi, the Seychelles-based cryptocurrency exchange, has pledged to cooperate, tweeting that “any stolen crypto assets that have been discovered to have traversed our exchange and related networks will be dealt with expediently.”

The company is yet to clarify whether it is planning to reimburse its customers, some of whom, according to reports, have lost their “life savings” after saving up digital coins from playing Axie Infinity, a game in which players fight cartoon pets called Axies to earn cryptocurrency. The game is hugely popular worldwide, with players hoping to win both crypto and NFTs.

The heist is the latest in a series of crypto hacks over the years. Wormhole, Poly Network, Coincheck, and Mt Gox all suffered significant losses, with Poly Network alone losing $611m in August 2021.

The hack also exposes the vulnerabilities of bridges, the software that lets users convert tokens into equivalents usable on another network and that moves millions of dollars’ worth of crypto. Those vulnerabilities include unaudited code and the obscure identities of validators, which undermine the safety of dapps.
“In this case, the issue was that the bridge was highly centralized. The theft came as a result of someone hacking the ‘validator nodes’ of the Ronin Bridge. Funds can be moved out of the bridge if five of the nine validators approve it. The hacker managed to get hold of the private cryptographic keys belonging to five of the validators, so that was enough to steal the crypto assets,” Tom Robinson, co-founder of Elliptic, said in his interview with Bloomberg.
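The 5-of-9 release rule Robinson describes, modelled as an added example (not Ronin's, Sky Mavis's or Elliptic's code): `quorum_reached` is the bridge's acceptance test, `min_operators_for_quorum` measures how many distinct operators must be compromised before that test can be passed, and `flag_withdrawals` is a defender-side monitor for withdrawals that pass the rule but merit review. Validator ids, operator names and amounts are constructed.

```python
"""Toy k-of-n bridge model and a defender's monitor (constructed; not Ronin's code)."""
from collections import Counter
from dataclasses import dataclass

THRESHOLD = 5  # page: funds leave the bridge once 5 of the 9 validators approve

@dataclass(frozen=True)
class Withdrawal:
    tx_id: str
    amount_eth: float
    approvers: frozenset  # ids of validators whose signatures were presented

def quorum_reached(w: Withdrawal, threshold: int = THRESHOLD) -> bool:
    """Release rule: any `threshold` distinct validator keys suffice, stolen or not."""
    return len(w.approvers) >= threshold

def min_operators_for_quorum(operator_of: dict, threshold: int = THRESHOLD) -> int:
    """Fewest distinct operators whose validators together reach quorum;
    1 means one organisation (or one intrusion into it) can drain the bridge."""
    keys = operators = 0
    for count in sorted(Counter(operator_of.values()).values(), reverse=True):
        keys, operators = keys + count, operators + 1
        if keys >= threshold:
            return operators
    raise ValueError("validator set cannot reach quorum at all")

def flag_withdrawals(withdrawals, operator_of, threshold=THRESHOLD, max_eth=1000.0):
    """Flag withdrawals the bridge accepts but a human should review: unusually
    large amounts, or a quorum formed entirely from one operator's keys."""
    alerts = []
    for w in withdrawals:
        if not quorum_reached(w, threshold):
            continue  # the contract would reject it anyway
        reasons = []
        if w.amount_eth >= max_eth:
            reasons.append("large-withdrawal")
        if len({operator_of[v] for v in w.approvers}) == 1:
            reasons.append("single-operator-quorum")
        if reasons:
            alerts.append((w.tx_id, reasons))
    return alerts

# Constructed validator set: nine validators, five of them run by one operator.
OPERATOR_OF = {"v1": "org-a", "v2": "org-a", "v3": "org-a", "v4": "org-a",
               "v5": "org-a", "v6": "org-b", "v7": "org-b", "v8": "org-c", "v9": "org-d"}
# Constructed withdrawals: a routine transfer and a drain signed only by org-a's keys.
SAMPLE = [
    Withdrawal("tx-routine", 12.0, frozenset({"v1", "v2", "v6", "v8", "v9"})),
    Withdrawal("tx-drain", 173_600.0, frozenset({"v1", "v2", "v3", "v4", "v5"})),
]
```

With `OPERATOR_OF`, `min_operators_for_quorum` returns 1, which is the structural weakness the monitor then sees again at transaction time as a single-operator quorum.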
Robinson adds that cryptocurrency companies are “huge honeypots for hackers” since “crypto transactions are irreversible, so if a hacker can get their hands on it, it’s very difficult for anyone to retrieve it.”

In its latest tweet, the Ronin network underscored that “we replaced all of the former Sky Mavis validators” and “are pushing our plan to add new validators to Ronin in the coming weeks. This will be a key step in bolstering the security of the network. The root cause of our attack was the small validator set which made it much easier to compromise the network.”

Following the heist, the price of the Ronin blockchain’s native coin RON dropped about 22%, while AXS, a token used in Axie Infinity, fell 11%. The coins are now trading at $1.75 and $62.78 respectively.