A record-breaking 624 million USD was stolen from Axie Infinity’s Ronin Network after an attacker gained control of enough validator keys to authorize withdrawals from its bridge.
Rekt leaderboard gets new top spot
According to Rekt.news, the hack remained unnoticed for six days and was only discovered yesterday, after a user was unable to withdraw ~5,000 ETH from Ronin’s cross-chain bridge. This means that the Rekt leaderboard, which lists the largest DeFi hacks in the order of the stolen amount, just witnessed a new record. This hack just barely surpassed the Poly Network hack of August 2021, during which a total of 611 million USD was stolen.
Rekt denotes 0x098b716b8aaf21512996dc57eb0615e2383e2f96 as the wallet address used by the attacker. Apparently, the wallet was initially funded by a Binance account and a part of the stolen amount has been transferred to FTX and Crypto.com. Via Twitter, Ronin stated that all three exchanges are willing to cooperate with them and that they are working with law enforcement officials, forensic cryptographers, and their own investors in an attempt to recover the stolen funds.
Was Ronin too centralized?
Ronin Network was launched in 2021 as an Ethereum sidechain built to give Axie Infinity and other play-to-earn games gas-free transactions. The sidechain runs a Proof-of-Authority consensus with just nine validators, four of which are controlled by Sky Mavis, the studio behind Axie Infinity.
Withdrawals from the Ronin bridge only required signatures from a simple majority of validators, five out of nine, so an attacker holding the four Sky Mavis keys needed just one more signature to drain the bridge. To make matters worse, another validator, operated by Axie DAO, had allowlisted Sky Mavis to sign on its behalf between November and December 2021. That permission was never revoked, which handed the attacker the fifth signature, according to Ronin’s community alert.
The alert states that the signature threshold has now been raised to eight out of nine validators, but this move comes only after the worst case has already played out. Earlier this month, the blockchain auditing firm CertiK warned about exactly these issues, calling centralization risks the most common DeFi vulnerability. Rekt also concluded that this case shows the importance of decentralization, adding:
This theft will be remembered not just for its size, but for the surreal lack of awareness shown by the Ronin team. It seems unthinkable that their key infrastructure was not monitored, with the only alert coming from a concerned user days later.
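The signature arithmetic described above is easy to get wrong once delegations are involved, so here is an added illustration (not code from the page, from Rekt, or from Sky Mavis) that models the validator set as described and computes how many independent operators an attacker must compromise to reach the bridge’s signature threshold, under the original five-of-nine rule and the eight-of-nine rule announced afterwards. The page names only Sky Mavis and Axie DAO as operators; op_A to op_D are placeholders for the other four, and the validator names are made up for the model.

```python
from itertools import combinations

# Illustrative model of the Ronin validator set as the page describes it:
# nine validators, four operated by Sky Mavis, one by Axie DAO. The page
# does not name the other four operators, so op_A..op_D are placeholders.
VALIDATORS = {
    "sky_mavis_1": "Sky Mavis",
    "sky_mavis_2": "Sky Mavis",
    "sky_mavis_3": "Sky Mavis",
    "sky_mavis_4": "Sky Mavis",
    "axie_dao": "Axie DAO",
    "validator_6": "op_A",
    "validator_7": "op_B",
    "validator_8": "op_C",
    "validator_9": "op_D",
}

# Standing delegations: validator -> operator allowed to sign on its behalf.
# This models the never-revoked Axie DAO allowlist entry described on the page.
DELEGATIONS = {"axie_dao": "Sky Mavis"}

OLD_THRESHOLD = 5  # simple majority of nine, the rule at the time of the theft
NEW_THRESHOLD = 8  # threshold announced in the community alert


def controllable_validators(compromised_ops, validators, delegations):
    """Validators whose signatures a set of compromised operators can produce:
    the ones they run themselves plus any that delegated signing to them."""
    return {
        v for v, op in validators.items()
        if op in compromised_ops or delegations.get(v) in compromised_ops
    }


def withdrawal_authorized(signers, threshold):
    """Bridge rule: a withdrawal is valid once `threshold` distinct validator
    signatures are present. Repeated signatures from one validator count once."""
    return len(set(signers)) >= threshold


def min_operators_to_drain(threshold, validators, delegations):
    """Smallest number of distinct operators an attacker must compromise to
    reach the signature threshold. Brute force is fine for nine validators."""
    operators = sorted(set(validators.values()))
    for k in range(1, len(operators) + 1):
        for subset in combinations(operators, k):
            signable = controllable_validators(set(subset), validators, delegations)
            if withdrawal_authorized(signable, threshold):
                return k
    return None  # unreachable while threshold <= number of validators


def report():
    """Minimum operators to compromise for each threshold/delegation combination."""
    scenarios = {
        "5-of-9, Axie DAO delegation left in place": (OLD_THRESHOLD, DELEGATIONS),
        "5-of-9, delegation revoked": (OLD_THRESHOLD, {}),
        "8-of-9, delegation left in place": (NEW_THRESHOLD, DELEGATIONS),
        "8-of-9, delegation revoked": (NEW_THRESHOLD, {}),
    }
    return {
        name: min_operators_to_drain(threshold, VALIDATORS, delegations)
        for name, (threshold, delegations) in scenarios.items()
    }


if __name__ == "__main__":
    for name, k in report().items():
        print(f"{name}: {k} operator(s) to compromise")
```

With the delegation in place a single operator compromise is enough under the five-of-nine rule, because Sky Mavis alone can produce five signatures. Raising the threshold to eight helps, but the model also shows that as long as the Axie DAO delegation stands, Sky Mavis still counts as five of the nine, so revoking stale allowlist entries is as important as the threshold itself.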