The newest “crypto” hack may be the biggest ever. The Ronin Network reported a loss of around $625 million in USDC and ether on Tuesday.
The exploit targeted Sky Mavis, the publisher of the game, and the Axie decentralized autonomous organization (DAO), according to a blog post on the Ronin Network’s official Substack.
According to Etherscan, an attacker “used compromised private keys to generate false withdrawals” from the Ronin bridge.
The bridge’s validator scheme requires five signatures. The attacker obtained the Axie DAO validator’s signature by finding a backdoor through the gas-free RPC node and abusing it to produce that signature.
“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the report reads.
In all, the blog post estimated the losses at 173,600 ether and $25.5 million USDC.
“This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load,” it continues. “The Axie DAO ‘allowlisted’ Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the ‘allowlist’ access was not revoked.”
In August 2021, a hacker stole $611 million from the Poly Network cross-chain decentralized financial system.
The Ronin attacker’s Ethereum address is new, having received ETH from Binance a week ago. The hack occurred on Wednesday, according to Etherscan.
The attacker’s address still possesses the majority of the assets, although 6,250 ETH has been moved elsewhere.
Both the Ronin Bridge and the Katana AMM have been halted pending investigations.
This is why Proof-of-Work and true decentralization are so vital, and why there is no second best to Bitcoin.