Ronin is an Ethereum sidechain built for the play-to-earn NFT game Axie Infinity. At the end of March 2022, Ronin was hacked for more than 173,600 Ether (ETH) and $25.5 million in USD Coin (USDC), with a total value of up to $600 million.
The company's official report explains that the hackers gained access to the private keys of the authentication nodes. They compromised five authentication nodes, which is also the number needed to approve a transaction. The Ronin chain currently consists of nine authentication nodes, and the hackers gained access to four nodes plus a third-party authentication node run by Axie DAO, a decentralized autonomous organization (DAO).
The root cause of the hack may date back to the previous year, when Axie DAO allowed Sky Mavis, the developers behind this P2E game, to authenticate transactions on its behalf to help with user traffic. However, Ronin never revoked this access, which left an opening for hackers to break in and led to the $600 million hack.
The hack was discovered just a week after hackers used the stolen money to short-sell Axie Infinity (AXS) and Ronin (RON). The hackers hoped to make more money from the money they stole, reasoning that news of the biggest cryptocurrency hack would cause the market to fall. However, their plan failed before the news broke.
After the incident, the Ronin Bridge was closed and all deposits and withdrawals were suspended until the investigation was complete; it could take several more weeks before the bridge is reopened to the public. The developers behind this game have sought help from many exchanges and from the cryptocurrency analysis group Chainalysis to trace the movement of the funds and recover them.
Sky Mavis ruled out a technical flaw as the main cause of the attack and attributed it to a non-technical attack. The developers promised to compensate users and recover the stolen money.
Aleksander Leonard Larsen, co-founder and CEO of Axie Infinity, said: "This was a non-technical attack combined with human error in December 2021. Sky Mavis's technology is very solid and we will quickly add validators to the Ronin network to make it increasingly decentralized."
Money laundering and compensation
The attack on the Ronin Bridge is quite similar to what happened to Solana's Wormhole Bridge, where hackers escaped with $320 million in cryptocurrencies from the platform. Then, in February 2022, Jump Crypto, a venture capital firm, rescued affected users by covering 120,000 ETH.
Sky Mavis made a similar promise after the attack, insisting that it would ensure affected users were compensated even if the money was not recovered. On April 6, the creators of this popular game raised $150 million from Binance and other investors.
Elliptic, a cryptocurrency data analytics company, traced $540 million of the hacked funds. It believes the hackers have begun laundering the money. First, the stolen USDC was converted to ETH on decentralized exchanges so that the money could not be frozen.
After converting the USDC to ETH, the hackers began laundering the ETH through three centralized exchanges.
The wallets of the Ronin Bridge hackers have also started sending money to mixing services such as Tornado Cash. Notably, the Poly Network attackers initially did the same but ultimately decided to return the money because laundering such a large amount was extremely difficult. According to a report by PeckShield, the hackers laundered about $42 million, about 7.5 percent of the stolen money.
"Hacking is the easiest part. The most difficult part is planning well enough to make sure that the stolen money can be exchanged for cash. What's more, the bigger the hack, the less likely the hackers are to succeed with all the money they earn," said Jonah Michaels, head of communications at Immunefi, a web3 bug bounty platform.
Could this hack have been avoided in the first place?
While not all blockchain platforms are the same, they are all built on a decentralized basis. This ensures that power and security are not focused on a single entity.
Ronin's hack underscores the need for more decentralization. Of the nine authentication nodes, four are controlled by one party, which is not a sign of decentralization. The fact that hackers could get in through one more authentication node, because developers forgot to revoke access to a third-party authenticator, certainly shows centralization in the authentication process. This became the reason for the loss of $600 million in cryptocurrencies.
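The concentration problem described above can be checked mechanically. The following is an added example, not code from Sky Mavis or from the original article: it audits a validator set for any single party whose own keys plus unrevoked delegated access reach the approval threshold. The node names, the operator labels and the delegation records are constructed for illustration; only the 5-of-9 threshold and the four-plus-one split come from the article.

```python
from collections import defaultdict

THRESHOLD = 5  # approvals needed per transaction, as stated in the article

# Constructed 9-node validator set: node names and operator-a..d are placeholders.
VALIDATORS = {
    "node-1": "sky-mavis", "node-2": "sky-mavis",
    "node-3": "sky-mavis", "node-4": "sky-mavis",
    "node-5": "axie-dao",
    "node-6": "operator-a", "node-7": "operator-b",
    "node-8": "operator-c", "node-9": "operator-d",
}

# Constructed delegation records: (node, grantee, revoked).
# The first list models the grant the article says was never revoked.
DELEGATIONS_AS_FOUND = [("node-5", "sky-mavis", False)]
DELEGATIONS_REVOKED = [("node-5", "sky-mavis", True)]


def effective_control(validators, delegations):
    """Map each party to the nodes it can sign for: owned plus live delegations."""
    control = defaultdict(set)
    for node, operator in validators.items():
        control[operator].add(node)
    for node, grantee, revoked in delegations:
        if node not in validators:
            raise ValueError(f"delegation references unknown node {node!r}")
        if not revoked:
            control[grantee].add(node)
    return dict(control)


def single_party_risks(validators, delegations, threshold):
    """Parties whose compromise alone yields enough signatures to approve."""
    control = effective_control(validators, delegations)
    return sorted((party, sorted(nodes)) for party, nodes in control.items()
                  if len(nodes) >= threshold)


def keys_short_of_threshold(validators, delegations, threshold):
    """Extra independent keys needed after compromising the largest party."""
    control = effective_control(validators, delegations)
    return max(0, threshold - max(len(n) for n in control.values()))


if __name__ == "__main__":
    for label, grants in (("as found", DELEGATIONS_AS_FOUND),
                          ("revoked", DELEGATIONS_REVOKED)):
        print(label, single_party_risks(VALIDATORS, grants, THRESHOLD),
              keys_short_of_threshold(VALIDATORS, grants, THRESHOLD))
```

Even with the grant revoked, the largest party sits one key short of the threshold, which is the margin the planned increase in authentication nodes is meant to widen.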
The developers of this game promise to increase the number of authentication nodes from 9 to 21 in the upcoming quarter. They also gave assurances that if the stolen money is not recovered over the next two years, Axie DAO will vote on the next steps regarding the funds.