Ronin Network Ethereum theft is ‘largest-ever DeFi exploit,’ investigator says

The $620 million stolen from Sky Mavis’ Ronin Network — mostly in Ethereum (ETH) cryptocurrency — ranks as the largest decentralized finance (DeFi) theft in history, according to a firm that is investigating the incident.

Sky Mavis disclosed Tuesday that the Ronin Network, which supports its Axie Infinity game, has been hacked. The thieves stole 173,600 in Ethereum cryptocurrency, equivalent to $594.6 million, along with $25.5 million in U.S. dollars for a total of $620 million in stolen funds.

Chainalysis, which offers crypto compliance and investigation software, said on Twitter that the theft amounts to the “largest-ever DeFi exploit.”

“We can confirm Chainalysis is tracking the funds on their behalf,” the company said. “This is an active investigation and we will provide updates when possible.”

VentureBeat has reached out to Chainalysis for any further available details on the investigation.

Cryptocurrency intelligence firm Blockchain Intelligence Group said in an email that among the stolen funds, 4,970 ETH ($16.9 million) “has already moved to exchanges,” as of Noon PST Tuesday.

Security breach

Sky Mavis said the theft occurred in connection with a security breach of the Ronin Network, in which the attacker utilized “hacked private keys” to facilitate withdrawals of ETH and U.S. funds.

“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds,” Sky Mavis said.

From the Sky Mavis statement:

Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions. The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.

The attack was made possible in part by access permissions that should have been revoked, but weren’t. In November, the Axie DAO (Decentralized Autonomous Organization) “allowlisted Sky Mavis to sign various transactions on its behalf,” Sky Mavis said in the statement. “This was discontinued in December 2021, but the allowlist access was not revoked.”

In a tweet, Veracode cofounder and CTO Chris Wysopal said that “a case of not revoking permission which kept open authorized attack surface can be very expensive in the crypto world.”

Blockchain-based security implications

If Sky Mavis can’t recover the funds, that’s a huge hit to its overall treasury and a black eye for blockchain-based security, GamesBeat reported today. The reason for putting the Axie Infinity game on the blockchain is to enable better security, GamesBeat noted.

Sky Mavis uses the blockchain to verify the uniqueness of nonfungible tokens (NFTs), which can uniquely authenticate digital items such as the Axie creatures used in Axie Infinity.

NFTs exploded in popularity last year and helped enable Sky Mavis to raise $152 million at a $3 billion valuation in October.

On its crypto heist tracking page, Comparitech also said that the Ronin Network theft now ranks as the largest such theft to date, surpassing the $610 million theft from the Poly Network in August 2021.

Chainalysis said that crypto theft had already been surging. The firm tweeted that $3.2 billion in cryptocurrency was stolen overall in 2021, which is six times the amount that was stolen the year before.

Of the amount stolen in 2021, $2.3 billion was stolen from DeFi platforms, Chainalysis said.