The Ronin Hack
How to steal $625 million
Here's what happened
Hackers stole $625 million from Ronin, which is the blockchain network that supports Axie Infinity, the hugely popular online crypto game. The hacker drained the Ronin bridge of 173,600 Ether and 25.5 million USDC in two transactions.
The Ronin team say the hack started in November 2021, when Axie Infinity's user base grew to an unsustainable size. This forced the company to loosen its safety standards to deal with the influx of demand. Things calmed down for a while after this period of explosive growth, but the company forgot to re-tighten its safety procedures.
Bridges
Bridges are software that can be used to convert tokens into ones that can be used on another network. Bridges have often been the source of problems and this hack adds strong evidence to support this narrative. The code supporting many bridges has not been audited, and often the identities of validators are not clear.
9 Validator Nodes...Decentralised in Name Only
The main problem here was that the network was not decentralised enough. Ronin is developed by a game studio called Sky Mavis. Sky Mavis' Ronin chain uses only 9 validator nodes, and the hacker was able to compromise 5 of them by gaining access to the private keys of these 5 validator nodes. As soon as the hackers gained access to 5 nodes, they had access to over 50% of the network and could validate any transactions they wanted to. They forged fake withdrawals and stole ETH and USDC. The more decentralised a network is, the harder it is to take control of more than 50% of the validator nodes, and the safer the network is.
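An added example, not from the original post: a defender-side audit of a 5-of-9 validator set that counts how many key custodians, rather than how many keys, must be compromised to reach the signing threshold. The custody layouts and the names `weakest_quorum` and `audit` are constructed for illustration and do not describe how Ronin's keys were actually held.

```python
from itertools import combinations

THRESHOLD = 5  # from the article: 5 of 9 validator keys approve a withdrawal

# Constructed custody maps: custodian -> validators it can sign for
# (keys it stores plus signing rights delegated to it). Hypothetical names,
# not a description of how Ronin's keys were actually held.
INDEPENDENT = {f"org{i}": {f"v{i}"} for i in range(1, 10)}
CONCENTRATED = {
    "org1": {"v1", "v2", "v3", "v4", "v5"},  # four own keys plus one delegation
    "org2": {"v5"},
    "org3": {"v6"}, "org4": {"v7"}, "org5": {"v8"}, "org6": {"v9"},
}

def weakest_quorum(custody, threshold=THRESHOLD):
    """Return the smallest group of custodians whose combined signing
    rights reach the threshold, as (custodians, validators), or None."""
    names = sorted(custody)
    for size in range(1, len(names) + 1):
        for group in combinations(names, size):
            reachable = set().union(*(custody[c] for c in group))
            if len(reachable) >= threshold:
                return group, reachable
    return None

def audit(custody, threshold=THRESHOLD):
    """Summarise nominal versus effective decentralisation for one layout."""
    validators = set().union(*custody.values())
    found = weakest_quorum(custody, threshold)
    return {
        "validators": len(validators),
        "nominal_threshold": threshold,
        "custodians_to_compromise": len(found[0]) if found else None,
        "weakest_group": found[0] if found else None,
    }

if __name__ == "__main__":
    for name, layout in (("independent", INDEPENDENT), ("concentrated", CONCENTRATED)):
        print(name, audit(layout))
```

Both layouts show 9 validators and a threshold of 5, but in the concentrated one a single custodian already reaches the threshold, which is the gap between nominal and effective decentralisation.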
The Hack took six days to discover
The hack actually occurred on March 23rd, but the missing funds went unnoticed until March 29th, when a customer was unable to withdraw their funds.
The one who discovered it before everyone else
The first person to discover this hack went and told ... no one. Their chosen course of action was to quietly short Ronin (bet on the price to go down). But unfortunately for them, it took everyone else SIX DAYS to discover the hack. Because it took so long, they were liquidated out of their position and did not make any money. Why didn't this person alert people to the hack once they had shorted Ronin? Because that would have been even dodgier than what they were doing already.
Or there's another theory
That this was the hacker trying to double-dip. Some say the hacker hacked the network and then shorted Ronin themselves. That would explain why they didn't alert anyone about the hack themselves, after they had taken on the short position.
Where are the funds now?
This is the beauty of the blockchain. Most of the funds are still in the hacker's wallet. You can see it here!
Another ironic thing about this whole situation is that these folks were smart enough to pull off a heist worth $600 million+ and then stored their winnings on... centralised exchanges. So now they are going to face a tough time getting those stolen funds out. Not only this, but these exchanges often have Know Your Customer (KYC) verification checks, which could be used to uncover the identity of these hackers.
A more common (maybe smarter?) strategy for hackers is to use exchanges that don't have any KYC in place and not try to cash out too much too quickly, as this would raise suspicion.
In any case, getting these funds out will be a very difficult job. There was a case last year where a hacker hacked the Poly Network for $611 million, but eventually returned the funds when they realised there was no way of getting them out.
Where does this leave us?
This is the largest crypto hack in history. There were certainly shortcomings when it came to the security systems in place, but that's not going to stop people from questioning the safety of blockchain networks in general. The world will be watching closely to see if these hackers can get their ill-gotten gains out of the system. If they can, this may encourage generations of future hackers. Will they be able to do it? We can only sit back and watch how this plays out...