Private key leaks for five Bridge validators, hacking by Lazarus Group
The gaming-focused Ronin Network announced Tuesday a loss of over $625 million in USDC and ether (ETH).
According to a blog post published by the Ronin Network’s official Substack, the exploit affected Ronin Network validator nodes for Sky Mavis, the publishers of the popular Axie Infinity game, and the Axie DAO.
An attacker “used hacked private keys in order to forge fake withdrawals” from the Ronin bridge across two transactions, as seen on Etherscan.
While the Ronin sidechain has nine validators and requires five signatures for a withdrawal, a threshold meant to protect against exactly this type of attack, the blog post notes that “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.” The attacker thus controlled five of the nine keys, which was sufficient to authorize the fraudulent withdrawals. The hack took place on March 23 and was not reported until March 29, when a user attempted to withdraw 5000 ETH from the bridge and the withdrawal failed.
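To make the 5-of-9 threshold concrete, the following is an added Python model, not Ronin's contract code. Validator names, the HMAC stand-in for real ECDSA signatures, the sample withdrawal message and the 10,000 ETH review limit are all constructed assumptions; it shows that a threshold check is blind to key compromise once five keys sit in one hand, which is why a separate per-withdrawal cap or review trigger matters.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed model of a 5-of-9 validator bridge; not Ronin's code.
VALIDATORS = [f"validator-{i}" for i in range(1, 10)]   # nine validators
THRESHOLD = 5                                            # five signatures release funds
# Constructed per-validator secrets. HMAC stands in for the real ECDSA keys so the
# example runs offline; the threshold logic is the same either way.
_KEYS = {v: hashlib.sha256(v.encode()).digest() for v in VALIDATORS}

def sign(validator: str, withdrawal: str) -> tuple[str, str]:
    """A validator signs a withdrawal message and returns (validator, signature)."""
    return validator, hmac.new(_KEYS[validator], withdrawal.encode(), "sha256").hexdigest()

def verify_withdrawal(withdrawal: str, signatures: list[tuple[str, str]]) -> bool:
    """Approve only if at least THRESHOLD *distinct* validators produced a valid
    signature over this exact message; repeated signatures from one key count once."""
    signers = set()
    for validator, sig in signatures:
        if validator not in _KEYS:
            continue                                     # unknown signer, ignored
        expected = hmac.new(_KEYS[validator], withdrawal.encode(), "sha256").hexdigest()
        if hmac.compare_digest(sig, expected):
            signers.add(validator)
    return len(signers) >= THRESHOLD

# Defensive control the threshold alone does not provide: a per-withdrawal cap that
# forces out-of-band review. The limit value is an assumption for illustration.
WITHDRAWAL_LIMIT_ETH = 10_000

def needs_manual_review(amount_eth: float, limit: float = WITHDRAWAL_LIMIT_ETH) -> bool:
    """True when a single withdrawal exceeds the cap and should be held for review."""
    return amount_eth > limit

if __name__ == "__main__":
    msg = "withdraw 173600 ETH to 0xRECIPIENT"              # constructed sample message
    four = [sign(v, msg) for v in VALIDATORS[:4]]
    print(verify_withdrawal(msg, four))                          # False: below threshold
    print(verify_withdrawal(msg, [sign("validator-1", msg)] * 5))  # False: one key five times
    five_compromised = [sign(v, msg) for v in VALIDATORS[:5]]    # five keys in one hand
    print(verify_withdrawal(msg, five_compromised))              # True: threshold cannot tell
    print(needs_manual_review(173_600))                          # True: cap flags the amount
```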
The blog post pegged the losses at 173,600 ether and 25.5 million USDC, currently worth in excess of $625 million.
The FBI has confirmed that North Korean hackers, the Lazarus Group, were responsible for the theft.
Binance reported that it recovered $5.8 of the stolen funds as the exploiter attempted to launder them through the exchange.
PeckShield reported that over 90% of the stolen funds had been transferred out of the exploiter's wallet, including ~71,000 ETH ($213m) already laundered via Tornado.Cash.