Axie Infinity’s Ronin Network suffers largest hack in DeFi history
Ronin Network’s loss of $625 million in Ether and USDC tokens highlights existing weaknesses in centralised cross-chain bridge solutions.
On March 23, 2022, hackers stole around $625 million (around £476 million) from the blockchain connected to the popular Axie Infinity online game. According to Ronin Network, the incident affected Ronin validator nodes for Sky Mavis and the Axie DAO. Losses are pegged at 173,600 Ether and 25.5 million in USDC.
But how did this happen? And what lessons can be learnt from what is thought to be one of the largest hacks in decentralised finance (DeFi) history?
How was Ronin Network hacked?
To understand how this security breach happened, you need to understand how the Ronin blockchain works. It is a side chain secured by 9 validators, and a withdrawal requires 5 of their signatures.
In this instance, the attackers got access to the system that operates 4 of the nodes and found a bug to access another node. According to Ronin, “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator”.
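A 5-of-9 threshold only protects a bridge if the signing keys sit in separate control domains. The following audit sketch is an added example, not code from Ronin or from this article; the validator names, the four placeholder operators, and the attribution of the four co-operated nodes to Sky Mavis are assumptions chosen to match the counts given above.

```python
from itertools import combinations

def signable_keys(compromised, validators, delegations):
    """Validator keys that can sign once the given operators are compromised."""
    keys = {v for v, op in validators.items() if op in compromised}
    for op in compromised:
        # Keys the operator does not own but can obtain signatures for.
        keys |= delegations.get(op, set())
    return keys

def smallest_breach(validators, threshold, delegations=None):
    """Smallest set of operators whose compromise reaches the threshold.

    Exhaustive search, which is fine for validator sets of bridge size.
    Returns None if the threshold cannot be reached at all.
    """
    delegations = delegations or {}
    operators = sorted(set(validators.values()))
    for size in range(1, len(operators) + 1):
        for combo in combinations(operators, size):
            if len(signable_keys(set(combo), validators, delegations)) >= threshold:
                return set(combo)
    return None

THRESHOLD = 5  # signatures needed for a withdrawal

# Constructed validator -> operator map (names are placeholders).
VALIDATORS = {f"sky-mavis-{i}": "Sky Mavis" for i in range(1, 5)}
VALIDATORS["axie-dao"] = "Axie DAO"
VALIDATORS.update({f"other-{i}": f"Operator {i}" for i in range(1, 5)})

# Assumption: models the gas-free RPC path through which the Axie DAO
# validator's signature could be obtained from the same system.
DELEGATIONS = {"Sky Mavis": {"axie-dao"}}

def report():
    """(operators to breach ignoring delegation, operators with delegation)."""
    nominal = smallest_breach(VALIDATORS, THRESHOLD)
    actual = smallest_breach(VALIDATORS, THRESHOLD, DELEGATIONS)
    return len(nominal), len(actual)

if __name__ == "__main__":
    nominal, actual = report()
    print(f"Nominal threshold: {THRESHOLD} of {len(VALIDATORS)} validators")
    print(f"Operators to breach, keys only: {nominal}")
    print(f"Operators to breach, with delegated signing: {actual}")
```

Running the same check with nine independently operated validators returns five operators, which is the figure the nominal threshold implies.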
At the time of writing, the Ronin Bridge and the Katana automated market maker (AMM) have both been paused while investigations are ongoing. Co-founder and COO of Axie Infinity, Aleksander Leonard Larsen, has since tweeted that the company is “committed to ensuring that all of the drained funds are recovered or reimbursed, and we are continuing conversations with our stakeholders to determine the best course of action”. While Larsen has said this will be “as soon as possible”, there is not yet a clear timeline for when this will happen.
What lessons can be learnt?
Vitalik Buterin, co-founder of Ethereum, previously called out the security limits of cross-chain bridges. While a cross-chain ecosystem allows users to mitigate the expense of using the mainnet, there are critical security concerns. Storing native assets directly on-chain (Ethereum on Ethereum) provides a certain degree of immunity against 51% attacks. This same level of security doesn’t apply to cross-chain bridges.
Experts are speculating that Ronin took shortcuts in order to handle the huge influx of users when Axie Infinity exploded in popularity in November 2021. Kadan Stadelmann, CTO of Komodo, commented: “The Ronin hack shows why centralised cross-chain bridge solutions may threaten the adoption of cryptocurrencies. Having only 9 validators for the Ronin bridge and 4 belonging to the same person is concerning.”
The weaknesses in Ronin’s security suggest that some projects have been unable to keep up with demand for their product – leaving them open to attacks. This hack has cemented the opinion that bridges are rife with problems.
When purchasing crypto, it is important to understand how the blockchain network you are using works and what processes are in place. Warning bells should go off in your head if the identity of the validators is unclear and if user funds are pooled in one wallet address.
In-game tokens suffering
The in-game tokens that power Axie Infinity initially saw losses after the hack was revealed. Axie Infinity Shards (AXS) was down 7.3% on Wednesday, March 30, but has since rallied to $65.58 (£49.96), according to CoinMarketCap.
Meanwhile, Smooth Love Potion (SLP) has fared slightly better. After initially dropping to $0.02009 (£0.015), its price as of Thursday, March 31 is up 4.11% in the last 24 hours at $0.021226 (£0.016).
Cryptocurrencies are speculative and investing in them involves significant risks - they're highly volatile, vulnerable to hacking and sensitive to secondary activity. The value of investments can fall as well as rise and you may get back less than you invested. Past performance is no guarantee of future results. This content shouldn't be interpreted as a recommendation to invest. Before you invest, you should get advice and decide whether the potential return outweighs the risks. Finder, or the author, may have holdings in the cryptocurrencies discussed.