According to Axie Infinity's official Discord and Ronin Network's official Twitter thread, along with its Substack page, the Ronin bridge and Katana Dex have been halted after suffering an exploit for 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC), worth a combined $612 million at Tuesday's prices. In a statement, its developers said they are "currently working with law enforcement officials, forensic cryptographers and our investors to make sure that all funds are recovered or reimbursed. All of the AXS, RON and SLP [tokens] on Ronin are safe right now."
According to Ronin developers, the attacker used hacked private keys to forge fake withdrawals, draining the funds from the Ronin bridge in just two transactions. More importantly, the hack occurred on March 23 but was only discovered on Tuesday, when a user allegedly uncovered issues after failing to withdraw 5,000 in ETH from the Ronin bridge. At the time of publication, RON, Ronin's primary governance token, has fallen nearly 20% to $1.88 in the past hour.
Sky Mavis' Ronin chain currently consists of nine validator nodes, of which at least five signatures are needed to recognize a deposit or withdrawal event. The attacker managed to gain control over five private keys, consisting of Sky Mavis' four Ronin validators and a third-party validator run by Axie Decentralized Autonomous Organization, or DAO. Obtaining unauthorized access to the latter was especially time-consuming.
Last November, Sky Mavis, the developer of the Axie Infinity and Ronin ecosystems, requested help from the Axie DAO to distribute free transactions due to a surge in the number of users. The Axie DAO whitelisted Sky Mavis to sign various transactions on its behalf, and the process was discontinued in December. However, access to the whitelist was not revoked.
Once the attacker obtained access to Sky Mavis systems, they acquired the final signature from the Axie DAO validator, thereby completing the node threshold required for the illicit siphoning of funds from Ronin. At the time of publication, most of the hacked funds are still sitting inside the attacker's wallet.
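The five-of-nine threshold and the unrevoked whitelist described above can be checked mechanically. The following is an added example, not code from Sky Mavis or Ronin: it audits a validator set for operators whose own keys plus still-active signing delegations reach quorum. The validator IDs, the "Operator A" to "Operator D" names, the record layout and the dates are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

THRESHOLD = 5  # signatures required out of nine validators, per the article

# Constructed validator set: four Sky Mavis nodes and one Axie DAO node are
# from the article; the remaining operators are hypothetical placeholders.
VALIDATORS = [(f"sm-{i}", "Sky Mavis") for i in range(1, 5)] + [
    ("dao-1", "Axie DAO"),
    ("ext-1", "Operator A"), ("ext-2", "Operator B"),
    ("ext-3", "Operator C"), ("ext-4", "Operator D"),
]

# Constructed delegation record (dates are illustrative): the grantee may obtain
# signatures from the grantor's validator until the grant is revoked.
DELEGATIONS = [
    {"grantor": "Axie DAO", "grantee": "Sky Mavis",
     "needed_until": date(2021, 12, 31), "revoked_on": None},
]

def effective_control(validators, delegations, today):
    """Map each operator to the validators it can get signatures from."""
    owned = defaultdict(set)
    for vid, operator in validators:
        owned[operator].add(vid)
    control = {op: set(vids) for op, vids in owned.items()}
    for d in delegations:
        # A grant stays usable until it is explicitly revoked.
        if d["revoked_on"] is None or d["revoked_on"] > today:
            control.setdefault(d["grantee"], set()).update(owned[d["grantor"]])
    return control

def audit(validators, delegations, today, threshold=THRESHOLD):
    """Report stale delegations and operators that alone reach quorum."""
    findings = []
    for d in delegations:
        if d["revoked_on"] is None and d["needed_until"] < today:
            findings.append(("stale_delegation", d["grantor"], d["grantee"]))
    control = effective_control(validators, delegations, today)
    for operator, vids in sorted(control.items()):
        if len(vids) >= threshold:
            findings.append(("single_party_quorum", operator, len(vids)))
    return findings

if __name__ == "__main__":
    for finding in audit(VALIDATORS, DELEGATIONS, date(2022, 3, 23)):
        print(finding)
```

Counting by operator rather than by key shows the gap: four owned validators look safely below the threshold until the lingering delegation is included.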