In the largest DeFi hack in history, attackers emptied the Ronin Bridge and Katana DEX to make off with an eye-watering 173,600 ETH and 25,500,000 USDC. Ronin and Katana are infrastructure that supports Sky Mavis’ wildly popular play-to-earn blockchain game Axie Infinity.
The exploit actually occurred 6 days ago (March 23) but was only discovered today (March 29) when a user was unable to withdraw 5k ETH from the bridge.
Sky Mavis responded by disabling the Ronin Bridge to avoid any further hacks. Binance followed suit, disabling their bridge to Ronin. Sky Mavis also shut down their internal Katana DEX since no more funds can be deposited into the ecosystem.
It is unclear to what extent user funds were among those hacked. Sky Mavis announced in a blog post that they “are committed to ensuring that all of the drained funds are recovered or reimbursed.”
RON, AXS, and SLP within the ecosystem are likely safe from any similar hacks, although they are not safe from a potentially enormous loss of value once the bridge reopens and panicked users sell and exit the ecosystem.
How did the attacker pull off the hack?
Sky Mavis’ Ronin chain is highly centralized; it consists of nine validator nodes. The attacker initially gained access to all four Sky Mavis Ronin validators. They then exploited a backdoor through Sky Mavis’ gas-free RPC node to get the signature for the Axie DAO validator, bringing them to the 5/9 threshold they needed to validate withdrawals through the bridge. Sky Mavis explained that the threshold was so low because “some nodes didn’t catch up with the chain, or were stuck in a syncing state.”
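The concentration problem described above can be checked mechanically. The following is an added example, not Sky Mavis code: it models the nine validators by who can obtain each signature and finds the smallest set of parties whose compromise reaches the 5/9 threshold. The `operator-N` names and the "reachable via Sky Mavis" flag are constructed simplifications of the page's description.

```python
from itertools import combinations

THRESHOLD = 5  # signatures needed to approve a bridge withdrawal (5 of 9)

def build_validators(dao_key_reachable_via_sky_mavis):
    """Map each validator to the parties whose compromise yields its signature.

    Constructed model: the page names only the four Sky Mavis validators and
    the Axie DAO validator; "operator-N" stands in for the other four.
    """
    validators = {f"sky-mavis-{i}": {"Sky Mavis"} for i in range(1, 5)}
    validators["axie-dao"] = {"Axie DAO"}
    if dao_key_reachable_via_sky_mavis:
        # The Axie DAO signature was obtainable through Sky Mavis' RPC node.
        validators["axie-dao"].add("Sky Mavis")
    for i in range(1, 5):
        validators[f"operator-{i}"] = {f"Operator {i}"}
    return validators

def signatures_reachable(validators, compromised):
    """Count validators whose signature at least one compromised party can obtain."""
    return sum(1 for parties in validators.values() if parties & compromised)

def min_parties_to_reach_threshold(validators, threshold=THRESHOLD):
    """Smallest set of parties that together reach the signing threshold."""
    parties = sorted(set().union(*validators.values()))
    for size in range(1, len(parties) + 1):
        for combo in combinations(parties, size):
            if signatures_reachable(validators, set(combo)) >= threshold:
                return size, combo
    return None

if __name__ == "__main__":
    for label, flag in (("as described", True), ("DAO key isolated", False)):
        size, combo = min_parties_to_reach_threshold(build_validators(flag))
        print(f"{label}: {size} party/parties suffice -> {', '.join(combo)}")
```

A 5-of-9 threshold only provides five-party security if at least five independent parties hold the keys; here the effective number is one, and isolating the Axie DAO key raises it only to two.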
What will happen to the stolen funds?
The 25.5 million in USDC has been withdrawn, along with 6,250 of the 173,500 ETH, but the majority of the ETH is still in the attacker’s wallet. This is a bit odd; the typical play after hacking funds is to run them through privacy mixers such as Tornado Cash and/or privacy coins such as Monero to prevent the funds from being tracked and frozen. With such a large hack, the attacker in this case may have wisely concluded that even with what turned out to be a six-day head start, they would be unable to cash out or even hide $500+ million without being identified by law enforcement. Their plan is likely to negotiate with Sky Mavis.
Crypto hacks are different from bank robberies. They involve somewhat less police and significantly more tweeting.
The first order of business for any victim of a major crypto hack is to attempt to dox, or determine the identity, of their attacker. An identified attacker can be reported to law enforcement and arrested. This may lead to the recapture of the stolen funds depending on the attacker’s wallet security, or at the least puts the attacker in prison where they are unable to get much use out of $600 million in crypto beyond bragging rights.
The other way victims can block attackers post-hack is to work with the relevant blockchain network to freeze the funds before they can be cashed out. Networks are often willing to freeze funds in high-profile hacks (and $600+ million is certainly high profile!), preventing the hacker from accessing their ill-gotten gains but not returning them to their original owner. This is unhelpful for both sides.
As such, victims of large hacks often negotiate with attackers. If they are able to dox the attacker, the attacker will often hastily return the funds with a “haha I was just kidding…!” message in exchange for not going to the police. No harm, no foul in crypto!
If the funds are frozen but the attacker is not identified, it’s typical to legitimize (and unfreeze) 5-10% of the stolen funds as a bounty for “finding an exploit” in exchange for the return of the rest. This leads to often comical scenarios where the attacker and victim both post public comments about how it was a white hat hack all along and the attacker never had any intention of keeping the funds. This is especially funny to watch before the two sides have agreed on the bounty terms.
In all likelihood, Sky Mavis will negotiate the return of most of the hacked funds in the next week or two, while the attacker will retain enough to retire to a life of luxury. Possibly in a non-extradition country.
Has currency on Ronin lost value?
There are two methods of getting ETH or USDC into the Ronin sidechain: the main Ronin bridge, and a bridge that Binance set up. The way bridges work is that you deposit your ETH with the bridge to receive an equal amount of wETH (wrapped Ethereum) that you can spend as you please on the sidechain. The same concept applies to USDC. Your original ETH (on the Ethereum mainnet) sits in the bridge's pool so that players who want to cash out their wETH for regular ETH can do so.
Unless, of course, the entire pool was drained by an attacker.
Sky Mavis doesn't have that original ETH or USDC anymore. If they can't get it back or raise $600 million to replace it, wETH and USDC on Ronin no longer have any backing. It's worthless monopoly money that can't be cashed out of the Ronin ecosystem. Users' only chance in this scenario would be to bridge their funds back to the Ethereum mainnet via the Binance bridge once it reopens, since it still has its funds. However, the Binance bridge only has a small portion of the total ETH and USDC put into the Ronin chain, so only the quickest users would be able to cash out via this pathway.
Axie deflationary governance token AXS and inflationary in-game currency SLP have only dipped a small amount in the few hours after the announcement of the hack. RON, the ecosystem token intended for gas fees, took a harder hit.
The tepid response from AXS and SLP is not surprising; because the bridge is disabled, users physically cannot withdraw their funds back to the Ethereum mainnet. A forced hodl is very effective in keeping prices stable. If it turns out Sky Mavis can't refund the bridge, prices will likely collapse as people assume that Axie is doomed. Even if they can, there may be a substantial drop in price once people regain the ability to sell.
What will happen to Axie Infinity?
What happens once the bridge is reopened will depend on whether most of the funds have been recovered. If Sky Mavis is able to recover most of the funds, prices may not dip beyond typical wild swings in crypto.
If it turns out that Sky Mavis will be unable to recover the hacked funds, they will need to obtain enough money to restore liquidity for bridge transfers. This scenario could be disastrous for Sky Mavis, as most transfers would be exchanging collapsing AXS/SLP/RON for Sky Mavis’ ETH or USDC.
The money (e.g. USDC and ETH) being cashed out by investors and scholars in Axie Infinity is necessarily equal to the amount of money put into the ecosystem. The value of Axie’s currency and corresponding profitability for Axie users depends on a constant influx of money from new players and from investors putting more money in. Axie is thus particularly vulnerable to a “bank run” in which users selling out decrease the earnings of remaining users, triggering them to leave as well. Sky Mavis will likely take drastic steps to prevent this from happening, but ultimately users need to trust the developers to continue investing in Axie.
If it turns out that, like so many crypto hacks, this was an inside job, trust may be irrevocably lost.
This could be the beginning of the end for Axie.
Probably not though.