The king is dead, long live the king…
This week, Ronin Network was hacked for for ~$624 million, thus becoming the largest DeFi protocol hack in history and toppling Poly Network’s record hack of $611 million.
The craziest part though? Although more than $600 million (!!) was stolen, nobody noticed it for six days. And that’s where things get interesting. But first, some history.
What Is Ronin Network?
Flash back to July of 2021 and everyone was screaming about the growth of a Pokémon-like game called Axie Infinity that was doing billions of dollars in volume. The only problem was that network fees were many times higher than those charged by most crypto apps. Enter Ronin, which was launched as an Ethereum side-chain to provide Axie users fast and cheap transaction throughput.
How’s the Network Work?
Simply put, the network is secured by nine validators who are used to approve of any deposit or withdrawal event. Of these nine validators, five of them (a majority) must be in consensus to approve a transaction. Pertinent to this story though, four of the nine validators are operated directly by the Sky Mavis (the makers of Axie) team.
What the Ronin team thought was their security ended up being their downfall. It turns out the hacker was able to compromise the Sky Mavis validators. But that was only four of the five needed. Although we don’t know how the hacker gained access to the Sky Mavis validators, we do know how they gained access to the fifth which you can learn about here. Once the hacker had a majority of the validators it was time to begin the attack, stealing 173,600 ETH and 25.5M USDC to this Ethereum address.
The Icing on the Cake:
As Rekt News put it:
“This theft will be remembered not just for its size, but for the surreal lack of awareness shown by the Ronin team.”
Although more than half a billion dollars of crypto was drained from Ronin, it took a full six days and an alert from a user, before the team realized the money was gone.
It just goes to show once again that many of the decentralized projects out there are decentralized in name only. Since the attack, Ronin has announced that are now requiring eight of nine validators to approve any event in an attempt to become more decentralized.
The real question is what becomes of Ronin and Axie Infinity now? Does someone bail them out like the Wormhole attack, or does Axie try to replenish the funds from their own accounts? If the latter, it may be tough as Axie’s daily revenue is significantly lower than where it was only three months ago… and this hack isn’t going to help.