Ronin Bridge Hack: Will it be as lucky as PolyNetwork?
On March 29, Axie Infinity's Ronin Network disclosed a roughly $610M exploit, the largest crypto theft by amount at the time it occurred (the previous record holder, PolyNetwork at around $600M, had already been returned in full).
The theft actually took place on March 23 but was not officially discovered until March 29, which drew criticism from the community. Ronin put the stolen amount at 173,600 ETH and 25.5M USDC. On March 29 it emerged that on March 23 the Sky Mavis Ronin validator nodes and the Axie DAO validator node had been compromised; the attacker used the stolen private keys to forge two withdrawal transactions. The attack only came to light after users reported on the 29th that they were unable to withdraw 5k ETH from the bridge.
Ronin said that Sky Mavis' Ronin network currently consists of nine validator nodes, and that five of the nine validator signatures are required to recognize a deposit or withdrawal event. The attacker managed to take control of four of Sky Mavis' Ronin validators plus a third-party validator run by Axie DAO.
The background dates back to last November, when Sky Mavis asked Axie DAO for help distributing free transactions, according to SlowMist. Because of the huge user load, Axie DAO whitelisted Sky Mavis and allowed it to sign various transactions on Axie DAO's behalf; the arrangement ended in December. The whitelist access, however, was never revoked, so once the attacker had gained access to Sky Mavis' systems they could obtain signatures from the Axie DAO validator through the gas-free RPC node. That stale whitelist was the backdoor: with four Sky Mavis validator keys in hand and the Axie DAO validator signing on Sky Mavis' behalf, the attacker controlled five signatures, exactly the threshold needed to authorize withdrawals.
BlockSec's analysis found that immediately after the theft the attacker swapped the stolen USDC for Ether on Uniswap and 1inch. Starting on March 28 the attacker began moving the Ether out in separate transactions; as of this writing about 175,913 ETH of the stolen funds remain at the attacker's address and about 1,279 ETH are in the process of being moved.
In total the attacker received 182,162.86 ETH (173,600 ETH stolen directly plus 8,562.86 ETH obtained by swapping the stolen USDC).
According to SlowMist's MistTrack analysis, the hackers first split off 6,250 ETH and sent 1,220 ETH to FTX, 1 ETH to Crypto.com and 3,750 ETH to Huobi. SlowMist cautions that this does not mean the hackers were careless enough to skip mixing: depositing to exchanges with fake KYC, proxy IPs, spoofed device fingerprints and the like is a common and simple laundering technique. From the intelligence SlowMist has gathered so far, the hackers are not "stupid" but quite cunning. There is still hope of recovery, though how long it takes is uncertain and depends on the determination of law enforcement agencies.
Private keys should preferably be managed with secure multi-party computation (MPC) so that no single party is a point of failure;
Private key material should be split into shares held on multiple hardware-isolated chips;
Large fund movements should require additional policy approval, so that the person responsible is informed of and confirms the change in funds as soon as it happens;
The theft actually occurred on March 23, so the project team should strengthen the monitoring of its services and funds.
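The following Python toy model is an added example, not code from Ronin, Sky Mavis or SlowMist. It ties together the mechanism described above (a 5-of-9 signature threshold and a gas-free RPC whitelist that was never revoked, supplying the fifth signature) and the policy-approval and monitoring controls recommended afterwards. It also goes slightly beyond the text by running the same forged withdrawal against the hardened configurations. Validator names, the operator mapping, the recipient address and the stand-in keys are all constructed, and HMAC-SHA256 stands in for the ECDSA signatures a real bridge contract verifies on-chain.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

THRESHOLD = 5  # 5-of-9 validator signatures, the rule the article gives for Ronin

# Constructed validator set (names hypothetical): v0-v3 are operated by
# Sky Mavis, v4 by Axie DAO, v5-v8 by unrelated operators.
OPERATOR_OF = {
    "v0": "sky_mavis", "v1": "sky_mavis", "v2": "sky_mavis", "v3": "sky_mavis",
    "v4": "axie_dao",
    "v5": "op_a", "v6": "op_b", "v7": "op_c", "v8": "op_d",
}

# Stand-in private keys. HMAC-SHA256 replaces ECDSA so the demo runs
# offline; a real bridge contract verifies ECDSA signatures on-chain.
KEYS = {v: hashlib.sha256(f"demo-secret-{v}".encode()).digest() for v in OPERATOR_OF}


def withdrawal_message(recipient: str, amount_eth: int, nonce: int) -> bytes:
    """Canonical bytes every validator signs for one withdrawal."""
    return f"withdraw|{recipient}|{amount_eth}|{nonce}".encode()


def sign(validator: str, msg: bytes) -> str:
    return hmac.new(KEYS[validator], msg, hashlib.sha256).hexdigest()


def verify(validator: str, msg: bytes, sig: str) -> bool:
    return validator in KEYS and hmac.compare_digest(sign(validator, msg), sig)


@dataclass
class ValidatorNode:
    """A validator's gas-free RPC endpoint together with its requester whitelist."""
    name: str
    rpc_whitelist: set = field(default_factory=set)

    def rpc_sign(self, requester: str, msg: bytes):
        # Signs whatever a whitelisted requester submits; None for anyone else.
        return sign(self.name, msg) if requester in self.rpc_whitelist else None


@dataclass
class Bridge:
    """Bridge contract plus the off-chain policy and monitoring layer."""
    large_withdrawal_eth: int                      # at/above this, a named approver must confirm
    approvals: set = field(default_factory=set)    # digests of withdrawals approved out-of-band
    alerts: list = field(default_factory=list)     # what the monitoring hook would page on

    def approve(self, msg: bytes) -> None:
        self.approvals.add(hashlib.sha256(msg).hexdigest())

    def withdraw(self, recipient: str, amount_eth: int, nonce: int, sigs: dict):
        msg = withdrawal_message(recipient, amount_eth, nonce)
        # sigs is keyed by validator, so one key can never be counted twice
        valid = sum(1 for v, s in sigs.items() if verify(v, msg, s))
        if valid < THRESHOLD:
            return False, f"rejected: {valid}/{THRESHOLD} valid validator signatures"
        if amount_eth >= self.large_withdrawal_eth:
            self.alerts.append(f"large withdrawal: {amount_eth} ETH to {recipient}")
            if hashlib.sha256(msg).hexdigest() not in self.approvals:
                return False, "held: large withdrawal awaits policy approval"
        return True, f"executed: {amount_eth} ETH to {recipient}"


def attacker_signatures(axie_node: ValidatorNode, msg: bytes) -> dict:
    """An attacker who compromised Sky Mavis holds its four validator keys and
    can present Sky Mavis' identity as an RPC requester."""
    sigs = {v: sign(v, msg) for v in OPERATOR_OF if OPERATOR_OF[v] == "sky_mavis"}
    fifth = axie_node.rpc_sign("sky_mavis", msg)   # stale whitelist -> fifth signature
    if fifth is not None:
        sigs["v4"] = fifth
    return sigs


def scenario(whitelist_revoked: bool, policy_limit_eth: int):
    """Run the forged withdrawal against one configuration.
    Returns (executed, reason, number_of_alerts_raised)."""
    axie = ValidatorNode("v4", set() if whitelist_revoked else {"sky_mavis"})
    bridge = Bridge(large_withdrawal_eth=policy_limit_eth)
    recipient, amount, nonce = "0xattacker", 173600, 1  # amount from the article; address constructed
    sigs = attacker_signatures(axie, withdrawal_message(recipient, amount, nonce))
    ok, reason = bridge.withdraw(recipient, amount, nonce, sigs)
    return ok, reason, len(bridge.alerts)


if __name__ == "__main__":
    print("stale whitelist, no policy limit:", scenario(False, 10**9))
    print("whitelist revoked:               ", scenario(True, 10**9))
    print("stale whitelist, 1000 ETH limit: ", scenario(False, 1000))
```

Run stand-alone it prints three outcomes: with the stale whitelist and no policy limit the forged withdrawal executes with exactly five valid signatures; with the whitelist revoked the attacker is left at four and the bridge rejects it; with the whitelist still stale but a large-withdrawal policy in place the withdrawal is held pending approval and the monitoring layer raises an alert. The whitelist revocation and the policy gate are independent controls, which is the point of listing both recommendations.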
Binance said that following the security breach on the Ronin (RON) network, its investigation team is supporting the Axie Infinity team in tracing transactions related to the bridge to identify the hackers, and a dedicated monitoring team is watching for any unusual transactions. Wrapped ETH (WETH) withdrawals and WETH-to-ETH conversions on Ethereum have also been suspended, and FTX, Huobi and others have indicated they are taking action as well.
Sky Mavis, the Vietnamese game studio behind Axie Infinity and Ronin, said it will compensate users who lost funds after hackers stole about $600 million from the Ronin bridge, according to Bloomberg: "We are fully committed to compensating our players as soon as possible. We are still working on a solution and this is an ongoing discussion." Sky Mavis has earned a great deal from Axie and Ronin, so the community broadly expects it to cover the losses, much as Jump did for Wormhole.
The eyes of the world are on the hacker's address, and "how to launder $600 million in stolen cryptocurrency" has even become a popular topic of discussion online. Will Ronin be as lucky as PolyNetwork in recovering the funds? It is hard to say yet. PolyNetwork had help from all sides, because many of the biggest names in the industry were "in it". Ronin and Axie, by contrast, are leaders of the blockchain gaming sector that has surged in recent years, but they clearly lack the contacts, resources and experience in the wider crypto industry.
There have also been many hacks in the industry recently, and few have been recovered quickly. The 120,000 ETH stolen from Wormhole, an amount nearly as large, has still not been recovered even though Jump covered the hole directly; the hacker behind the recent $52 million Cashio theft was brazen enough to announce that accounts under $100,000 would be refunded, "with the sole purpose of taking money from people who don't need it, not from people who do". Nor is there any news of recovery for the large sums stolen earlier from several centralized exchanges. The one surprising exception is Bitfinex: on February 9 of this year the US Department of Justice announced the arrest of two people in connection with the 2016 Bitfinex theft of nearly 120,000 bitcoin and the recovery of over 94,000 of them.
Judged against this history, PolyNetwork's luck may have been genuinely exceptional. As SlowMist puts it, recovery will depend on the determination of law enforcement agencies, especially in the United States, combined with the long-term involvement of many industry security firms, or perhaps a slip by the hackers themselves. The odds are that this will be a long road to recovery.