In what can be described as the biggest cryptocurrency hack ever recorded, the Ronin Network, an Ethereum sidechain developed by blockchain gaming platform Axie Infinity, has been exploited. According to a Tuesday community signal from Ronin developers, hackers stole roughly 173,600 ETH (about $600 million) and 25.5 million USDC ($25.5 million).
The Ronin Network bridge and Katana (the primary decentralized exchange for Ronin) are unavailable at the time of writing.
According to the Ronin Network's statement on the attack:
There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.
From the Ronin Network newsletter
The Ronin Network hack reportedly took place on March 23, when an unidentified attacker exploited validator nodes belonging to Sky Mavis (the gaming company behind Axie Infinity) and Axie DAO (the official validator which represents the Axie community).
The Ronin Network now requires five out of nine validator signatures to authorize withdrawals from the bridge. Today’s report disclosed that Sky Mavis controlled four out of the five signatures required to authorize a withdrawal. Hence, the perpetrator only needed to compromise Sky Mavis’s private keys to obtain most of the required validator signatures, and then compromise the Axie DAO validator to meet the threshold.
The attacker used the stolen private keys to authorize the withdrawal of 173,600 ETH (more than $600 million) and 25.5 million USDC ($25.5 million) in two different transactions. The majority of the stolen funds (approximately $606 million) is still being held in the perpetrators’ address at the time of writing.
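The custody concentration described above, as an added example that is not code from Ronin or Sky Mavis: a small audit that counts how many distinct key holders must be compromised before a signing threshold is met. The validator ids and the `operator-N` names for the four validators the article does not attribute are constructed placeholders.

```python
from collections import Counter

def keys_per_operator(custody):
    """custody maps validator id -> entity that controls its signing key."""
    return Counter(custody.values())

def min_operators_to_meet_threshold(custody, threshold):
    """Smallest set of operators whose combined keys reach the threshold.

    Taking operators in descending key count is optimal: for any k, the k
    largest holders control the most keys that k operators can control.
    """
    if not 0 < threshold <= len(custody):
        raise ValueError("threshold must be between 1 and the validator count")
    ranked = sorted(keys_per_operator(custody).items(),
                    key=lambda kv: (-kv[1], kv[0]))
    chosen, total = [], 0
    for operator, count in ranked:
        chosen.append(operator)
        total += count
        if total >= threshold:
            return chosen

def keys_short_of_threshold(custody, threshold):
    """Per operator, how many more keys it would need to sign alone."""
    return {op: max(threshold - n, 0)
            for op, n in keys_per_operator(custody).items()}

THRESHOLD = 5  # five of nine signatures, as stated in the article

# Constructed sample: four keys under Sky Mavis and one under Axie DAO (from
# the article); the remaining operators are hypothetical placeholders.
AS_REPORTED = {
    "validator-1": "Sky Mavis", "validator-2": "Sky Mavis",
    "validator-3": "Sky Mavis", "validator-4": "Sky Mavis",
    "validator-5": "Axie DAO",
    "validator-6": "operator-6", "validator-7": "operator-7",
    "validator-8": "operator-8", "validator-9": "operator-9",
}
# Constructed comparison: the same 5-of-9 scheme with one key per operator.
INDEPENDENT = {f"validator-{i}": f"operator-{i}" for i in range(1, 10)}

if __name__ == "__main__":
    for name, custody in (("as reported", AS_REPORTED),
                          ("one key per operator", INDEPENDENT)):
        needed = min_operators_to_meet_threshold(custody, THRESHOLD)
        print(f"{name}: {len(needed)} operator(s) suffice -> {needed}")
```

With the reported layout, the nominal 5-of-9 threshold reduces to two organizations; with one key per operator it takes five.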
Ronin Network Hack Undetected for Six Days
Surprisingly, the Ronin Network development team claims to have only found the exploit today, March 29, despite the hack taking place six days earlier. The team was only alerted to the empty bridge when a user publicized being unable to withdraw 5000 ETH from the network.
Meanwhile, Axie Infinity’s native cryptocurrency, $AXX, has been on a decline since the announcement of the exploit. At present, the cryptocurrency is changing hands at around $64, which represents a 15% plunge from its weekly high of $74.