Sky Mavis Promises Compensation To Victims Of The $624M Ronin Hack
Ronin network that powers Axie Infinity suffered the largest DeFi hack in the history of crypto, with over $624 million in ETH and USDC stolen from a critical blockchain bridge.
The actual breach occurred on March 23rd, the stolen funds have flowed into FTX, Huobi, and CryptoCom, which have all vowed to take actions to trace the funds. Binance said it had temporarily suspended withdrawals and deposits on the Ronin Network.
Sky Mavis, the company behind Axie Infinity, said it would compensate online participants who lost funds during the attack against Ronin’s systems.
Aleksander Larsen, the COO of Axie Infinity, announced on Twitter that the Sky Mavis cybersecurity team is reviewing what happened, and revealed that it was a “social engineering attack combined with a human error from December 2021.”
2/4
This was a social engineering attack combined with a human error from December 2021. @SkyMavisHQ tech is solid and we will be adding several new validators to @Ronin_Network shortly to further decentralize the network.
A blockchain bridge is a connection that allows the transfer of tokens from one chain to another. Both chains can have different protocols, rules and governance models, but the bridge provides a compatible way to interoperate securely on both sides. For example swapping Ether on Ethereum for “Wrapped Ether” on Ronin.
Blockchain bridges are attractive for hackers to target in an otherwise “decentralized” ecosystem. Ethereum founder Vitalik Buterin wrote earlier about why the future of crypto may be “multi-chain” but not “cross-chain” due to the security vulnerabilities of these bridges.
The hacker gained access to the funds by compromising the private keys of a majority of Ronin’s 9 validator nodes. According to Larsen, many of the funds stolen from the bridge belonged to Axie players, and included Axie Infinity’s Treasury Revenue.
Stolen Funds Mostly Remain Unmoved
According to PeckShield Inc, a blockchain security and data analytics company, the hacker’s main address “0x098B716B8Aaf21512996dC57EB0615e2383E2f96” contained a small amount of ETH, which was used as the fee for its later transactions to multiple wallets on centralized exchanges.
The attacker then transferred the funds to multiple unknown wallets, and used those to send 1,220 ETH to an account on FTX, 3,750 ETH to three Huobi addresses, and 1 ETH to a CryptoCom wallet. However, most of the funds are still remaining at the hacker’s main address.
According to Mistracker’s on-chain analysis revealed that the hacker has gradually converted 25.5M USDC to ETH since March 23th, but only until March 28th at 2:30:38 did they begin to move the funds to different addresses. As of March 30th, there was a total of over 180 ETH sitting in four wallets under the attacker’s control.
Can The Funds Be Recovered?
According to Rishav Rai, the lead investigator for blockchain analyst Merkle Science, the chance of recovery from this hack is low.
“When we look at the biggest crypto hacks and heists out there, it’s very rare that the funds get returned.”
Sam Peurifoy, leader of Axie Infinity’s Kapital DAO, suggested that the company could sell some of its equity to raise the required funds for reimbursement. They could also sell some of their AXS tokens in bulk to the game’s major players at a discount rate, or liquidate funds from its $1.6 billion community treasury.
At the time of writing, Axie Infinity’s native token AXS is trading at $65, down from its weekly high of $74.
