Ronin Network is the latest victim of a cryptocurrency attack. Two transactions a week ago removed 173,600 in Ethereum (ETH) and 25.5 million in US dollars. Ronin Network said it only discovered the theft on Tuesday, when a user tried to withdraw 5,000 ETH and was unable to.
“ETH and USDC deposits on Ronin have been deducted from the bridge contract. We work with law enforcement, forensic cryptographers and our investors to ensure there is no loss of user funds. This is our top priority at the moment,” the network said.
Ronin announced the game Axie Infinity, developed by Vietnamese blockchain game maker Sky Mavis, in mid-2020. Back then, the studio advertised that Ronin could overcome congestion on the Ethereum network.
“In order to secure Ronin, we have recruited a number of partners from the traditional gaming, crypto and non-fungible token industries to serve as validators of our network,” it said at the time.
In the hack, the attacker gained control of four validators operated by Sky Mavis and one operated by Axie DAO. “The attacker found a backdoor through our gasless RPC node, which they abused to obtain the signature for the Axie DAO validator,” explained Ronin Network.
“This dates back to November 2021 when Sky Mavis asked the Axie DAO for help to distribute free transactions due to an immense user load. The Axie DAO allowed Sky Mavis to sign various transactions on their behalf. This was discontinued in December 2021 but access to the allow list has not been revoked.”
In response, the Ronin Bridge and Katana Dex exchange were halted, the number of validators was increased to eight, and the security teams of major crypto exchanges were contacted. Luckily for those trying to trace the funds, blockchain transactions are publicly traceable. The attackers appear to have skipped the step of laundering the funds through a coin tumbler and transferred them directly to the FTX exchange.
Flora Li of the Huobi Stock Exchange Research Institute said the hack was the result of trying to strike a balance between user experience and security. “Axie Infinity exploded in popularity and saw a rapid influx of users on the Ronin blockchain. They took shortcuts to remove network bottlenecks and reduced the number of nodes that needed to be validated for transactions to just five nodes out of nine, making it easier for hackers to exploit them,” Li said. “While Sky Mavis has promised to increase the number of nodes required to eight, that still doesn’t solve the fundamental problem of how proof-of-stake blockchains can keep transactions fast, user-friendly, and energy-efficient without compromising security.”
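The concentration of signing power described above can be checked mechanically. The following is an added example, not code from Ronin or Sky Mavis: it counts how many validator signatures each operator can obtain once unrevoked allow-list delegations are included, and flags any operator that alone reaches the five-of-nine threshold. Validator identifiers, the other operators' names, the data layout and the exact days of the month are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

THRESHOLD = 5  # signatures required, per the article (five of nine)

# Constructed validator set: the two named operators follow the article,
# the identifiers and the remaining operators are placeholders.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO", "v6": "partner-A", "v7": "partner-B",
    "v8": "partner-C", "v9": "partner-D",
}

@dataclass
class Delegation:
    validator: str            # validator whose signature can be requested
    grantee: str              # operator allowed to request it
    granted: date
    intended_end: date        # when the arrangement was meant to stop
    revoked: Optional[date]   # None = entry still on the allow list

# Constructed entry modelling the arrangement the article describes
# (started November 2021, discontinued December 2021, never revoked).
DELEGATIONS = [
    Delegation("v5", "Sky Mavis", date(2021, 11, 1), date(2021, 12, 31), None),
]

def stale_delegations(delegations, today):
    """Delegations past their intended end that were never revoked."""
    return [d for d in delegations
            if d.revoked is None and d.intended_end < today]

def effective_power(validators, delegations, today):
    """Signatures each operator can obtain: its own validators plus any
    validator it can still sign for through a live allow-list entry."""
    reach = {}
    for vid, operator in validators.items():
        reach.setdefault(operator, set()).add(vid)
    for d in delegations:
        if d.revoked is None or d.revoked > today:
            reach.setdefault(d.grantee, set()).add(d.validator)
    return {operator: len(vids) for operator, vids in reach.items()}

def single_points_of_compromise(validators, delegations, today,
                                threshold=THRESHOLD):
    """Operators whose compromise alone would yield a signing quorum."""
    power = effective_power(validators, delegations, today)
    return sorted(op for op, n in power.items() if n >= threshold)
```

Run on a schedule against the real validator and allow-list inventory, a non-empty result from either `stale_delegations` or `single_points_of_compromise` is the finding to act on.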
Earlier this year, Crypto.com said 483 of its users were affected by an attack that drained over $31 million in coins. “In the majority of cases we were able to prevent the unauthorized withdrawal, and in all other cases customers have been fully compensated,” the company said at the time. “The unauthorized withdrawals totaled 4,836.26 ETH, 443.93 Bitcoin (BTC) and about $66,200 in other cryptocurrencies.”