ID: ronin-network-12
Date: March 29, 2022
Status: Verified
Incident Count: 1

REKT

Contributor: zerofriction.io
KYC By:
KYC: No
Audit By:
Audits: None
Loss Amount: 625,000,000
Recovered: 5,800,000
Rewards:
Currency: USD, ETH, USDC

The gaming-focused Ronin Network announced Tuesday a loss of over $625 million in USDC and ether (ETH).
According to a blog post published by the Ronin Network’s official Substack, the exploit affected Ronin Network validator nodes for Sky Mavis, the publishers of the popular Axie Infinity game, and the Axie DAO.

An attacker “used hacked private keys in order to forge fake withdrawals” from the Ronin bridge across two transactions, as seen on Etherscan.

The Ronin sidechain has nine validators and requires five signatures for withdrawals, a design meant to protect against these types of attacks, but the blog post notes that “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.” The hacker obtained five keys, which were sufficient to execute the hack. The hack took place on March 23 and was not reported until March 29, when a user attempted to withdraw 5000 ETH from the bridge.

The blog post pegged the losses at 173,600 ether and 25.5 million in USDC, currently worth in excess of $625 million.

Update 4/19:
The FBI has confirmed that North Korean hackers or the Lazarus Group were responsible for the theft.

Update 4/22:
Binance reported that the company recovered $5.8 million of the stolen funds as the exploiter attempted to launder them through the exchange.

Update 5/3:
PeckShield reported that over 90% of the stolen funds have been transferred out of the exploiter's wallet, including ~71,000 $ETH ($213m) already laundered via Tornado.Cash.
