What Happened in the Ronin Bridge Attack

Ronin Network, a critical bridge chain that powers Axie Infinity, was attacked, and this resulted in in a loss of 173,600 Ethereum and 25.5M USDC, equivalent to over $600M. Since the breach occurred on March 23rd, the stolen funds have flowed into FTX, Huobi, and CryptoCom, which have all vowed to take actions to trace the funds.

Binance said it had temporarily suspended withdrawals and deposits on the Ronin Network.

Sky Mavis, the company behind Axie Infinity, said it would compensate online participants who lost funds during the attack against Ronin’s systems.

Stolen Funds Mostly Remain Unmoved

According to the analysis conducted by PeckShield Inc, a blockchain security and data analytics company, the hacker’s main address “0x098B716B8Aaf21512996dC57EB0615e2383E2f96” contained a negligent amount of ETH. That acted as the fee for its later transactions to multiple wallets on centralized exchanges.

Later, the attacker transferred the funds to multiple unknown wallets. They used those to send 1,220 ETH to an account on FTX, 3,750 ETH to three Huobi addresses, and 1 ETH to a CryptoCom wallet. However, most of the funds are still remaining at the hacker’s main address.

Here comes an initial flow chart @Ronin_Network! Hope it helps to recover the stolen funds! @binance @HuobiGlobal @FTX_Official @SBF_FTX @cz_binance @MultichainOrg https://t.co/N660QtFukP pic.twitter.com/ABWktFpOPx

— PeckShield Inc. (@peckshield) March 30, 2022

Mistracker’s on-chain analysis revealed that the hacker has gradually converted 25.5M USDC to ETH since March 23th, but only until March 28th at 2:30:38 did they begin to move the funds to different addresses. As of March 30th, there was a total of over 180 ETH sitting in four wallets under the attacker’s control.

To support the investigation of the incident, Binance blocked addresses by the potential hacker and had suspended all deposits and withdrawals on the Ronin Network since March 29th. The company also announced that “withdrawals of Wrapped Ether (WETH) on the Ethereum network, and the convert function from WETH to ETH” are being paused.

Aleksander Larson, The COO of Axie Infinity, tweeted that the “internal network is currently going through a deep forensics review to ensure there is no lingering threat.” He also admitted that it was a “social engineering attack combined with a human error from December 2021” that led to the incident.

3/4

We are committed to ensuring that all of the drained funds are recovered or reimbursed, and we are continuing conversations with our stakeholders to determine the best course of action.

— Psycheout – Aleksander | Axie Infinity (@Psycheout86) March 30, 2022

Cross-Chain Security issues

As reported by CryptoPotato yesterday, since five out of nine validator nodes on the Ronin Chain are required to initiate a deposit or a withdrawal, the perpetrator may have managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO.

The attacker was reportedly completed by locating a backdoor through Ronin’s “gas-free RPC node,” which was used to compromise the Axie DAO validator node. Currently, the validator threshold for withdrawals has been raised to eight out of nine for strengthening the network security.