The Ethereum-based bridge Ronin was hacked for roughly $600 million in digital assets: 173,600 ETH and $25 million in USDC. This is the largest attack in the history of decentralized finance (DeFi), surpassing the Poly Network hack, which also exploited a vulnerability in a cross-chain bridge.
The team behind Ronin posted a preliminary analysis of the attack and of the measures it took to prevent further losses. According to the post, trading on the decentralized exchange (DEX) Katana and on Ronin has been halted.
In addition, Ronin said it is working with law enforcement officials and other experts to ensure that all funds are “recovered or reimbursed”. Funds in AXS, RON, and SLP on the bridge remain secure, the post clarified.
The attackers compromised a set of Ronin validators run by Sky Mavis and one Axie DAO validator, which enabled them to steal the funds. The assets were drained from the bridge in two transactions. The report added:
The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.
As the post continued, the attackers gained control of the private keys of four validators run by Sky Mavis and obtained the signature of the fifth, the Axie DAO validator, by “abusing” the gas-free RPC node of the cross-chain solution.
Sky Mavis had been allowlisted to sign transactions on behalf of the Axie DAO validator during an earlier collaboration, and that permission was still in place. This gave the attackers an additional attack point. The post added:
Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. We have confirmed that the signatures in the malicious withdrawals match up with the five suspected validators.
Ethereum Bridge Hacker Used KYC Exchange
Ronin has raised the validator threshold for transactions from five to eight of its nine validators. This is meant to mitigate the short-term risk of further attacks.
Ronin will migrate its nodes and keep the bridge paused across multiple platforms. The bridge will reopen when “we are certain no funds can be drained”.
The team behind Ronin will work with the on-chain analysis firm Chainalysis to track and monitor the stolen funds. Most importantly, it is talking with centralized exchanges (CEXs) to block the addresses linked to the attackers.
However, because it took almost a week to discover the hack, the attackers may already have moved a portion of the funds to the crypto exchanges FTX and Crypto.com. Sam Bankman-Fried, CEO of FTX, confirmed they are investigating and will take measures “if/where appropriate”.
Kelvin Fichter, a developer at Optimistic Ethereum, a scalability solution, commented on the hack after reviewing the report. Fichter believes that Sky Mavis running multiple Ronin nodes was a mistake, and pointed out how this differs from other bridge hacks:
This is very different from previous bridge hacks where the root cause was a smart contract bug. This is a much more “classical” hack of private keys in a multi-key security setup (…). I think the most fundamental error here was the reliance on validator-based bridges. The Ronin Bridge has a fundamental assumption that a majority of keys cannot be compromised. Clearly this assumption was broken.
Ronin also had only “minimal monitoring and alerting” in place, which gave the attackers a head start. This gives the Ronin team a “bad look”, but it can serve as a security warning for similar solutions.
So some basic takeaways for now:
1. Validator bridges can work IF you have the engineering practices to maintain your security assumptions. This is not trivial.
2. Trust-minimized bridges are harder to build up-front but can be easier to secure down the line.
— smartcontracts (@kelvinfichter) March 29, 2022
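To make the threshold point concrete, here is an added model of a validator-based bridge's withdrawal check. It is example code written for this page, not Ronin's or Sky Mavis's contract code: HMAC-SHA256 stands in for each validator's ECDSA key so it runs with the Python standard library only, and the validator-to-operator layout, the allowlist, and the withdrawal message are constructed to mirror the situation described above (four validators under one operator, one validator that has allowlisted that operator on its gas-free RPC, four independent ones). It shows why a nominal 5-of-9 threshold collapsed to one compromised operator, and what revoking the allowlist or raising the threshold to eight changes.

```python
"""Model of a validator-bridge withdrawal check (added example, not Ronin's code).

HMAC-SHA256 stands in for each validator's ECDSA key so the example runs with the
standard library only; the threshold and delegation logic is what matters here.
"""
import hashlib
import hmac
from itertools import combinations

# --- constructed topology: validator name -> operator controlling its signing key ---
OPERATORS = {
    "sm-1": "sky_mavis", "sm-2": "sky_mavis", "sm-3": "sky_mavis", "sm-4": "sky_mavis",
    "axie-dao": "axie_dao",
    "ind-1": "op_a", "ind-2": "op_b", "ind-3": "op_c", "ind-4": "op_d",
}
# operators a validator's gas-free RPC will sign for on request (constructed)
ALLOWLIST = {"axie-dao": {"sky_mavis"}}
# per-validator secret keys (constructed, derived from the name for reproducibility)
KEYS = {name: hashlib.sha256(f"key:{name}".encode()).digest() for name in OPERATORS}


def sign(validator: str, msg: bytes) -> bytes:
    """Validator signs a withdrawal message with its own key (HMAC stands in for ECDSA)."""
    return hmac.new(KEYS[validator], msg, hashlib.sha256).digest()


def verify_withdrawal(msg: bytes, sigs: dict, threshold: int) -> bool:
    """Bridge-side check: accept when at least `threshold` distinct known validators
    produced a valid signature over this exact message. A signature attributed to
    the wrong validator, or an unknown validator, does not count."""
    valid = {v for v, s in sigs.items()
             if v in KEYS and hmac.compare_digest(s, sign(v, msg))}
    return len(valid) >= threshold


def signers_reachable(compromised: set, allowlist: dict) -> set:
    """Validators whose signature an attacker holding these operators' systems can produce:
    keys the operators hold directly, plus validators whose RPC allowlists one of them."""
    direct = {v for v, op in OPERATORS.items() if op in compromised}
    delegated = {v for v, ops in allowlist.items() if ops & compromised}
    return direct | delegated


def forge_withdrawal(compromised: set, allowlist: dict, threshold: int, msg: bytes) -> bool:
    """Attacker builds a withdrawal using every signature they can reach; True = bridge accepts."""
    sigs = {v: sign(v, msg) for v in signers_reachable(compromised, allowlist)}
    return verify_withdrawal(msg, sigs, threshold)


def min_operators_to_break(threshold: int, allowlist: dict) -> int:
    """Smallest number of distinct operators whose compromise yields >= threshold
    signatures, i.e. the bridge's real security margin rather than its nominal one.
    Brute force over operator subsets is fine at this size."""
    ops = sorted(set(OPERATORS.values()))
    for k in range(1, len(ops) + 1):
        for combo in combinations(ops, k):
            if len(signers_reachable(set(combo), allowlist)) >= threshold:
                return k
    return len(ops)  # every operator holds a key, so all validators are always reachable


if __name__ == "__main__":
    msg = b"chain=1|nonce=7|to=0xattacker|amount=173600"  # constructed withdrawal
    # One compromised operator forges a valid 5-of-9 withdrawal via the allowlist.
    print("5-of-9, allowlist kept:   ", forge_withdrawal({"sky_mavis"}, ALLOWLIST, 5, msg))
    print("5-of-9, allowlist revoked:", forge_withdrawal({"sky_mavis"}, {}, 5, msg))
    print("8-of-9, allowlist kept:   ", forge_withdrawal({"sky_mavis"}, ALLOWLIST, 8, msg))
    for t, al, label in [(5, ALLOWLIST, "5-of-9 + allowlist"), (5, {}, "5-of-9, revoked"),
                         (8, ALLOWLIST, "8-of-9 + allowlist"), (8, {}, "8-of-9, revoked")]:
        print(f"operators to compromise ({label}):", min_operators_to_break(t, al))
```

The numbers the model produces are the lesson of the incident: with the allowlist in place, a single operator's compromise is enough to clear a 5-of-9 threshold, because the "independent" Axie DAO signature is obtainable from the same foothold. Revoking the delegation raises that to two operators; raising the threshold to eight, as Ronin did, to four with the allowlist and five without it. The `min_operators_to_break` check is the kind of number a bridge team should compute from its real topology, since the contract only counts signatures and has no way of knowing how many distinct parties actually hold the keys behind them.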
As of press time, Ethereum (ETH) trades at $3,400, up 17% over the last week.