Ethereum sidechain Ronin that powers play-to-earn game is fleeced for over $600m

The attacker took control of validation nodes and then stripped the network in a pair of transactions.
Written by Chris Duckett, Contributor

In a shock to absolutely no one paying attention to the so-called Web3 space, the touted security of blockchain-driven solutions might not be all it is cracked up to be.

The latest victim comes by way of Ronin, which disclosed that 173,600 ETH and 25.5 million USDC had been drained from its bridge in a pair of transactions made a week earlier.

The Ronin Network said it only discovered the theft on Tuesday, when a user tried to withdraw 5,000 ETH and was unable to.

"ETH and USDC deposits on Ronin have been drained from the bridge contract. We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now," the network said.

Ronin was announced in mid-2020 by Sky Mavis, the Vietnamese blockchain game maker behind the play-to-earn game Axie Infinity.

At the time, the studio touted Ronin as being able to overcome Ethereum network congestion.

"To help secure Ronin, we have recruited an all-star cast of partners from the traditional gaming, crypto, and nonfungible token space to serve as validators of our network," it said at the time.

Withdrawals from the Ronin bridge required signatures from five of its nine validators. To carry out the attack, the attacker gained control of the four validators operated by Sky Mavis and one operated by the Axie DAO, which was enough to meet that threshold.

"The attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator," the Ronin Network explained.

"This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked."

In response, the Ronin bridge and the Katana DEX were halted, the number of validator signatures required for a withdrawal was raised to eight, and security teams at major crypto exchanges were contacted.
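The two failures described above, a signing threshold low enough that a single operator's keys plus one borrowed slot reach quorum, and a delegation that was "discontinued" without ever being revoked, can be modelled in a few dozen lines. The following is an added illustration, not code from Ronin, Sky Mavis or the Axie DAO: validator names, the withdrawal message fields, the timestamps and the use of HMAC-SHA256 as a stand-in for the validators' real ECDSA signatures are all assumptions made for the example. It checks an m-of-n withdrawal approval, counts each validator slot at most once, and only honours a delegated signature while the delegation is unexpired and unrevoked.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed timestamps (unix seconds, UTC): the delegation is granted in
# November 2021, should have lapsed at the end of December 2021, and the
# withdrawals are attempted in March 2022.
NOV_2021 = 1635724800
DEC_2021 = 1640908800
MAR_2022 = 1647993600


def withdrawal_digest(withdrawal: dict) -> bytes:
    """Canonical digest of a withdrawal request: sorted JSON, SHA-256."""
    return hashlib.sha256(json.dumps(withdrawal, sort_keys=True).encode()).digest()


def sign(secret: bytes, digest: bytes) -> bytes:
    """HMAC-SHA256 stands in for a validator's ECDSA signature (assumption for the example)."""
    return hmac.new(secret, digest, hashlib.sha256).digest()


@dataclass
class Delegation:
    delegate: str                 # validator allowed to sign on the principal's behalf
    expires_at: Optional[int]     # None means "never expires", which is the flaw
    revoked: bool = False


@dataclass
class Bridge:
    validator_keys: Dict[str, bytes]          # validator slot -> verifying material
    threshold: int                            # signatures needed to release funds
    delegations: Dict[str, Delegation] = field(default_factory=dict)  # principal -> delegation

    def approve_withdrawal(self, withdrawal: dict,
                           signatures: List[Tuple[str, str, bytes]],
                           now: int) -> Tuple[bool, List[str]]:
        """signatures are (slot claimed, key actually used, sig). Returns (approved, slots counted)."""
        digest = withdrawal_digest(withdrawal)
        accepted = set()
        for claimed, actual, sig in signatures:
            key = self.validator_keys.get(actual)
            if key is None or not hmac.compare_digest(sign(key, digest), sig):
                continue                      # unknown key or bad signature
            if claimed != actual:             # signing on another validator's behalf
                d = self.delegations.get(claimed)
                if d is None or d.delegate != actual or d.revoked:
                    continue
                if d.expires_at is not None and now >= d.expires_at:
                    continue                  # delegation has lapsed
            accepted.add(claimed)             # a slot counts once, however often it signs
        return len(accepted) >= self.threshold, sorted(accepted)


def ronin_scenario(threshold: int, delegation_expires_at: Optional[int],
                   now: int, delegation_revoked: bool = False) -> Tuple[bool, List[str]]:
    """Attacker holds four operator keys and one allowlisted delegation; nine slots in total."""
    keys = {f"skymavis-{i}": f"sm-secret-{i}".encode() for i in range(4)}
    keys.update({f"dao-{i}": f"dao-secret-{i}".encode() for i in range(5)})
    bridge = Bridge(keys, threshold,
                    {"dao-0": Delegation("skymavis-0", delegation_expires_at, delegation_revoked)})
    withdrawal = {"to": "0xattacker", "amount_eth": 173600, "nonce": 1}   # constructed
    digest = withdrawal_digest(withdrawal)
    sigs = [(v, v, sign(keys[v], digest)) for v in keys if v.startswith("skymavis-")]
    sigs.append(("dao-0", "skymavis-0", sign(keys["skymavis-0"], digest)))   # via the stale allowlist
    sigs.append(("skymavis-1", "skymavis-1", sign(keys["skymavis-1"], digest)))  # duplicate, must not count twice
    return bridge.approve_withdrawal(withdrawal, sigs, now)


if __name__ == "__main__":
    print("5-of-9, delegation never expires:", ronin_scenario(5, None, MAR_2022))
    print("5-of-9, delegation expired Dec 2021:", ronin_scenario(5, DEC_2021, MAR_2022))
    print("8-of-9, delegation never expires:", ronin_scenario(8, None, MAR_2022))
```

With the original five-of-nine threshold and an open-ended delegation, four compromised keys plus the delegated slot clear quorum. Giving the delegation an expiry, or explicitly revoking it, leaves the attacker one signature short; raising the threshold to eight leaves them three short even with the delegation still in place. Either control alone would have blocked this particular withdrawal, which is why both a time-bounded allowlist and a quorum that no single operator can reach are worth having.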

Luckily for those seeking to trace the funds, a public blockchain means the transactions can be followed, and in this case the attacker appears to have skipped washing the funds through a coin tumbler and transferred some of them directly to the FTX exchange.

Flora Li of the Huobi exchange research institute said the hack was a result of trying to balance user experience and security.

"Axie Infinity exploded in popularity and saw a rapid influx in users on the Ronin blockchain. They took shortcuts to relieve network bottlenecks, cutting down the number of nodes that needed to be validated for transactions to just five of nine nodes, making it easier for hackers to exploit," Li said.

"While Sky Mavis has pledged to raise the number of required nodes to eight, it still doesn't solve the fundamental problem of how proof-of-stake blockchains can keep transactions fast, user-friendly, and energy-efficient without compromising security."

Earlier this year, Crypto.com said 483 of its users were hit in an attack that saw over $31 million in coins withdrawn.

"In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed," the company said at the time.

"Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies."

Last year, the Poly Network had $600 million in cryptocurrency taken before the attacker began returning the stolen assets.

Updated at 3:50pm AEDT, 30 March 2022: Additional comments from Huobi.
