Axie Infinity’s Ronin Bridge Exploited For More Than $600M

The Ronin Bridge that connects Axie Infinity’s Ronin sidechain to Ethereum has been drained of 173,600 ETH ($590M) and 25.5M USDC in what may be DeFi’s biggest exploit yet.

The Ronin team announced the exploit on Twitter along with a post-mortem that notes the team discovered the attack earlier today when a user tried to withdraw 5,000 ETH from the bridge.

Validators Compromised

The Ronin network is currently secured by nine validators. Five signatures are needed to approve any deposit or withdrawal transactions from the Ronin bridge.

According to the post-mortem, the attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO. Sky Mavis’s private keys were hacked, and the attacker used them to “forge fake withdrawals.”

In the wake of the exploit, security procedures have been changed to require eight out of night signatures to approve bridge transactions.

Etherscan records show that the bridge was drained six days ago on Mar. 23.

This begs the question: How did over half a billion dollars in assets go missing for a week without anyone noticing?

Even stranger, security researcher Igor Igamberdiev noted that the exploiter has been sending ETH to crypto exchanges including FTX and Crypto.com.

As these centralized exchanges require users to disclose their real identities as part of their KYC procedures, it’s rare to see hackers using them to move their ill-gotten gains.

The Ronin team has confirmed that all ETH and USDC deposits on the bridge have been drained and says that other assets are safe. These include AXS, RON and SLP. Reaction in the DeFi community started coming in through the day.

“This is a major disappointment,” Robert Leshner, the founder and CEO of Compound, tweeted. “Hopefully the users of this bridge are able to recover their funds quickly. This is also an indictment against the security architecture of multi-sig bridges — again.”

The post-mortem goes on to say that the team is working with law enforcement officials, forensic cryptographers, and investors to make sure there is no loss of user funds. Sky Mavis, the company behind Axie Infinity and Ronin, has committed to ensuring that all of the drained funds are recovered or reimbursed.