Ronin’s $612 million hack exposes these vulnerabilities of cross-chain bridges

Screen Shot 2022 03 30 at 1.34.42 PM

For quite some time now, multi-chain or cross-chain technology has become a holy grail in the cryptocurrency development space. People want to transact with other blockchains by leveraging bridges to different ecosystems. For example, Ethereum co-founder and developer Vitalik Buterin tweeted a link to a Reddit post on 8 January, 2022.

He discussed his belief in a multi-chain future but expressed doubt concerning cross-chain ecosystems. In his argument, Buterin cited the “fundamental security limits of bridges” as the key reason for his disapproval of a cross-chain environment.

Although, he didn’t expect hiccups to arise any time soon. But note this – as the volume of cryptocurrency held in bridges grew, the incentive to attack them too. 

Since then, hackers have compromised more than $1B despite such warnings. 

Look away, Vitalik

Ronin Network, an Ethereum-based sidechain created by Axie Infinity developer Sky Mavis is trending for the wrong reason. Hackers stole nearly $600 million worth of Ethereum & USDC tokens from the Ronin Bridge that connected different blockchains.

According to a blog post published by the Ronin Network’s official Substack, the exploit affected Ronin Network validator nodes for Sky Mavis, the publishers of the popular Axie Infinity game, and the Axie DAO.

According to an official statement on Tuesday, the attacker “used hacked private keys to forge fake withdrawals” from the Ronin bridge contract in two transactions. Per the blog post, the Ronin sidechain consisted of nine validator nodes.

Five out of the nine validator signatures are required to process a deposit or withdrawal. Indeed, done to prevent hacks of this nature. (For context, Ethereum has around 300,000 validators, while Solana has closer to 1,000)

However, the blog post added:

“The attacker found a backdoor through our gas-free RPC node. They abused to get the signature for the Axie DAO validator.”

The Ronin bridge and Katana Dex got halted after suffering an exploit for 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC). At press time, it would be worth a combined $612 million.

Just a headstart? 

Now, here are some interesting insights into this heist. The said exploit took place on 23 March, only discovered a week later, when one user failed to withdraw 5,000 ETH.

Around 6,250 ether, or $21 million moved out of the attacker’s wallet address, including several ETH transferred to FTX Exchange, according to Etherscan.

Ahead of the exploit, the same wallet interacted with Binance, and other wallets connected to the hacker have since made deposits to FTX and Crypto.com. As per Wu Blockchain, the latest exodus took place as follows:

Next steps

The Ronin team said it had increased the minimum number of validator signatures required for a deposit or withdrawal to eight in response to the incident. Different platforms had showcased support for the affected protocol post suffering this massacre. For instance, Binance’s CEO tweeted:

Major damage: The price of RON, a token used on the Ronin blockchain, dropped about 22% after the hack. AXS, a token used in Axie Infinity, fell around 10.5% simultaneously. As per Bloomberg’s data, this hack stood at number two in terms of crypto hacks (valuation). 

Source: Bloomberg

At the time of publication, most of the hacked funds are still sitting inside the attacker’s wallet.