- Ronin bridge has been exploited for 173,600 Ethereum and 25.5M USDC. As a result, ronin bridge and Katana Dex have been halted.
- Team is working with law enforcement officials, forensic cryptographers, and investors to make sure all funds are recovered or reimbursed. Ronin’s AXS, RON, and SLP are safe now.
The team has discovered that on March 23rd,2022 Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised, resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions. Here is the link to 1st transaction. Here is the link to 2nd transaction. The attacker used hacked private keys to forge fake withdrawals.
However, the team discovered the attack this morning after a report from a user unable to withdraw 5k ETH from the bridge.
Method used for Ronin Bridge Hack
Sky Mavis’ Ronin chain currently consists of 9 validator nodes. Five out of the nine validator signatures are needed to recognize a Deposit event or a Withdrawal event. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO. The validator key scheme is set up to be decentralized to limit an attack vector. Still, the attacker found a loophole through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.
This was due to what happened in November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO
allowlist Sky Mavis to sign various transactions on its behalf. This practice was discontinued in December 2021, but protocol did not revoke the
allowlist access. Once the attacker got access to Sky Mavis systems, they could get the signature from the Axie DAO validator by using the gas-free RPC. The team has confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.
The team has increased the validator threshold from five to eight to prevent further damage. Additionally, the team has temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin on the side of caution. The team has also temporarily disabled Katana DEX due to the inability to arbitrage and deposit more funds to Ronin Network. The team is currently working with Chainalysis to monitor the stolen funds. As of now, Most of the hacked funds are in the Attacker’s wallet.