The Biggest Ever Crypto Hack: What Happened in the Ronin Bridge Attack


Ronin Network, a critical bridge chain that powers Axie Infinity, was attacked, resulting in a loss of 173,600 Ethereum and 25.5M USDC, equivalent to over $600M. Since the breach occurred on March 23rd, the stolen funds have flowed into FTX, Huobi, and CryptoCom, which have all vowed to take action to trace the funds.

Binance said it has temporarily suspended withdrawals and deposits on the Ronin network.

Sky Mavis, the company behind Axie Infinity, said it would compensate online participants who lost funds during the attack against Ronin’s systems.

Stolen funds mostly stay still

According to the analysis conducted by PeckShield Inc, a blockchain data security and analytics company, the hacker’s main address “0x098B716B8Aaf21512996dC57EB0615e2383E2f96” contained a negligible amount of ETH. This served as a fee for the attacker’s subsequent transactions to multiple wallets on centralized exchanges.

Later, the attacker transferred the funds to multiple unknown wallets. They used those to send 1,220 ETH to an account on FTX, 3,750 ETH to three Huobi addresses, and 1 ETH to a CryptoCom wallet. However, most of the funds remain at the hacker’s main address.

Mistracker’s on-chain analysis revealed that the hacker gradually converted 25.5 million USDC into ETH starting on March 23, but it wasn’t until March 28 at 2:30:38 a.m. that they started transferring the funds to different addresses. As of March 30, there was a total of over 180 ETH sitting in four wallets under the control of the attacker.

To support the investigation of the incident, Binance blocked addresses linked to the potential hacker and has suspended all deposits and withdrawals on the Ronin Network since March 29th. The company also announced that “withdrawals of Wrapped Ether (WETH) on the Ethereum network, and the convert function from WETH to ETH” are being paused.

Aleksander Larsen, the COO of Axie Infinity, tweeted that “the internal network is currently undergoing a thorough forensic review to ensure there is no lingering threat”. He also admitted it was a “social engineering attack combined with human error from December 2021” that led to the incident.

Cross-Chain Security Issues

As reported by CryptoPotato yesterday, since five out of nine validator nodes on the Ronin Chain are required to initiate a deposit or a withdrawal, the perpetrator may have managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO.

The attack was reportedly completed by locating a backdoor through Ronin’s “gasless RPC node”, which was used to compromise the Axie DAO validation node. Currently, the validator threshold for withdrawals has been raised to eight out of nine to enhance network security.
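The threshold figures above say how many validator signatures a withdrawal needs, but not how many independent parties stand behind them. The following added example (not code from Ronin or Sky Mavis) audits a validator set for operator concentration under the 5-of-9 and 8-of-9 thresholds. Only the split of four Sky Mavis validators and one Axie DAO validator comes from the article; the validator ids and the four other operator names are placeholders, each assumed to be run independently.

```python
from collections import Counter

# Constructed validator set: validator id -> operator. Only the 4 + 1 split
# is from the article; "operator-a" .. "operator-d" are assumed placeholders.
VALIDATORS = {
    "v1": "sky-mavis", "v2": "sky-mavis", "v3": "sky-mavis", "v4": "sky-mavis",
    "v5": "axie-dao",
    "v6": "operator-a", "v7": "operator-b", "v8": "operator-c", "v9": "operator-d",
}


def quorum_reached(signers, validators, threshold):
    """Count each known validator once; duplicates and unknown signers add nothing."""
    return len(set(signers) & set(validators)) >= threshold


def min_operators_for_quorum(validators, threshold):
    """Fewest distinct operators whose keys together satisfy the threshold.

    Only the key count per operator matters, so taking the operators with
    the most validators first gives the minimum.
    """
    if not 1 <= threshold <= len(validators):
        raise ValueError("threshold must be between 1 and the validator count")
    covered = 0
    ranked = Counter(validators.values()).most_common()
    for needed, (_, key_count) in enumerate(ranked, start=1):
        covered += key_count
        if covered >= threshold:
            return needed


def audit(validators, threshold):
    """Summarise how much operator independence a threshold actually requires."""
    operator, share = Counter(validators.values()).most_common(1)[0]
    return {
        "threshold": f"{threshold}/{len(validators)}",
        "largest_operator": operator,
        "largest_share": share,
        "min_operators_for_quorum": min_operators_for_quorum(validators, threshold),
    }


if __name__ == "__main__":
    for t in (5, 8):  # threshold before and after the change described above
        print(audit(VALIDATORS, t))
```

Under these assumptions the 5-of-9 rule depends on only two operators, while 8-of-9 requires five, which is the property the raised threshold improves.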

admin
