
How did Ronin Miss a $600 Million Theft?

The second biggest theft in crypto history is also one of the most surprising. For nearly a week, the company involved didn’t notice that anything was wrong.

Sun 3rd Apr 2022


It only took attackers two transactions to complete one of the biggest heists in crypto history. Ronin bridge (which powers crypto gaming colossus Axie Infinity) was exploited for the loss of 173,000 ETH and 25.5M USDC. That’s around $600 million. Both Ronin Bridge and Katana Dex have since been halted, with no transactions taking place. If that wasn’t shocking enough, the crypto was stolen six days before anybody realised. It seems as though the company simply didn’t notice the massive hole in its finances.

The second biggest theft in crypto history

Although the Poly Network exploit of August 2021 still holds the dubious honour of being crypto’s largest ever theft, Ronin comes in a close second. According to a company statement, “the attacker used hacked private keys in order to forge fake withdrawals.” Five of Ronin’s nine validator nodes (four run by Sky Mavis and one by Axie DAO) were compromised after the attacker gained their keys. Ronin uses a relatively small set of nodes to validate deposits and withdrawals, with only 5 of 9 signatures required. A smaller validator set makes for quicker transactions, but it also means that whoever controls five keys can authorise any withdrawal they like. A more detailed explanation can be found in Ronin’s statement. The team has confirmed that the attack was an external breach and that it was “socially engineered.”

Perhaps the most striking part of this story is that the money was taken six days before Ronin made an announcement. The theft went completely unnoticed until a user tried to withdraw their funds, couldn’t, and filed a support ticket. Cryptocurrencies have since risen across the board, dragging the value of the stolen funds even higher. The user was only trying to withdraw 5 ETH and must have had no idea what their support request would uncover.
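To make the two points above concrete, the 5-of-9 signing threshold and the withdrawal that sat unnoticed for six days, here is a small Python model written for this article; it is not Ronin’s code, and it uses HMAC tags and constructed keys and amounts as stand-ins for a real bridge’s ECDSA signatures and on-chain data.

```python
import hashlib
import hmac
import secrets
import statistics


def make_validators(n):
    # Constructed keys; a real bridge holds each validator's ECDSA key separately.
    return {f"validator-{i}": secrets.token_bytes(32) for i in range(n)}


def sign(key, withdrawal):
    # HMAC stands in for the signature scheme of a real bridge.
    msg = f"{withdrawal['to']}|{withdrawal['amount_eth']}|{withdrawal['nonce']}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def withdrawal_approved(validators, threshold, withdrawal, signatures):
    """True when at least `threshold` distinct validators signed this withdrawal."""
    valid = {name for name, sig in signatures.items()
             if name in validators
             and hmac.compare_digest(sign(validators[name], withdrawal), sig)}
    return len(valid) >= threshold


def forged_withdrawal_passes(n, threshold, keys_compromised):
    """Does an attacker holding `keys_compromised` of `n` keys clear the threshold?"""
    validators = make_validators(n)
    # Placeholder destination; the 173,000 ETH figure is the one reported in the article.
    withdrawal = {"to": "0xATTACKER-PLACEHOLDER", "amount_eth": 173_000, "nonce": 1}
    stolen = dict(list(validators.items())[:keys_compromised])
    signatures = {name: sign(key, withdrawal) for name, key in stolen.items()}
    return withdrawal_approved(validators, threshold, withdrawal, signatures)


def flags_large_withdrawal(recent_amounts, amount, factor=10):
    """Constructed detection heuristic: alert when a withdrawal is more than
    `factor` times the median of recent withdrawals, so an outlier pages a
    human instead of waiting for a support ticket."""
    if not recent_amounts:
        return amount > 0
    return amount > factor * statistics.median(recent_amounts)


if __name__ == "__main__":
    print("5 of 9 keys, threshold 5:", forged_withdrawal_passes(9, 5, 5))  # True
    print("4 of 9 keys, threshold 5:", forged_withdrawal_passes(9, 5, 4))  # False
    print("5 of 9 keys, threshold 9:", forged_withdrawal_passes(9, 9, 5))  # False
    print("173k ETH vs typical 2-8 ETH:", flags_large_withdrawal([3, 5, 8, 2, 4], 173_000))  # True
```

The third call shows why raising the threshold matters: the same five stolen keys that clear a 5-of-9 check fall short once nine signatures are required.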

Some have accused Ronin of ignoring prior warnings. Screenshots appear to show a user named BowTrix flagging a huge withdrawal on Discord, initially accusing the company of rugging. Rather than triggering an investigation, the user was removed. When they raised the issue again via direct message they were told to see a psychiatrist and blocked. Exchanges like these are, of course, impossible to verify and the slapstick tone used might explain why the user wasn’t taken seriously. Nonetheless, it’s further bad publicity.

Ronin scrambles to respond

As well as halting Ronin Bridge and Katana Dex, the company announced that it’s working with law enforcement, forensic cryptographers and investors. They pledge to recover the funds and reimburse the community, but as more time passes without any meaningful developments, users are getting disgruntled. One remarked that Ronin’s latest update (published via Substack) seemed shallow given the seismic nature of the exploit.

The theft was large scale enough to find its way into mainstream news outlets including the BBC and CNN. Make no mistake: this moment will go down in crypto history and have long lasting implications. It brings the amount of stolen crypto up to around $2 billion this year alone. Whether any of the Ronin funds will be recovered remains to be seen, but attacks like this usually take months if not years to resolve.

An analysis conducted by PeckShield shows the transit of the stolen funds between wallets. Starting on March 23rd, the attacker began slowly converting their USDC into ETH. On March 30th they moved the funds to different wallets. Transactions were also made via high-profile, centralised wallets: FTX, Huobi and Crypto.Com. Binance has since blocked transactions from wallets apparently associated with the attacker, suspended conversions and withdrawals of WETH, and stopped all transactions on Ronin’s network.

Big security lapses

Although Ronin attributed the exploit to social engineering, they did concede that their security protocols were at fault. The attack has its origins as far back as November, when Axie Infinity’s user base began to grow exponentially. To accommodate these new users and cope with demand, the team scaled back its security protocols. The plan was to tighten those protocols when the influx lessened, but it seems that Ronin didn’t completely shut the backdoor. Amongst a general tightening of security, the company will now increase its validator threshold from five to nine.

This kind of lapse is troubling for a network that underpins one of the most popular NFT games. Axie Infinity gives players the chance to pit their cartoon pets (Axies) against each other to earn coins that can be converted into crypto (most commonly ETH). Axie tokens haven’t been affected, but it’s hardly an encouraging moment for a game with such a thriving community. Some players even treat Axie Infinity as a full-time job and earn a healthy wage playing it.

For now, Ronin remains committed to getting the funds back and there’s clearly a large-scale investigation underway, but it’s impossible to predict when or even if they'll be successful. In the meantime, the company has a lot of questions to answer. The attack is big news, with many mainstream outlets using it as an excuse to warn readers against the dangers of DeFi. If crypto and NFTs are to take further steps towards mass adoption, this kind of bad publicity must become a thing of the past. 
