TL;DR
- Ronin Bridge Hacked: The Ethereum sidechain Ronin Bridge, crucial for transferring assets in the popular play-to-earn NFT game Axie Infinity, suffered a breach. Malicious actors stole 3,996 ETH (approximately $9.33 million).
- Whitehat Reports and Governance Concerns: Security firm PeckShield confirmed the hack, prompting a pause in operations. Ethical hackers suspect a Maximal Extractable Value (MEV) exploit. This isn’t the first attack on Ronin Bridge, which lacks true decentralization.
- Bridges Under Fire: The Ronin Bridge joins a list of high-profile bridge hacks. In March 2022, hackers took $624 million. Other bridges, like BNB and Wormhole, also faced significant exploits.
Ronin Bridge, an Ethereum sidechain integral to the popular play-to-earn non-fungible token (NFT) game Axie Infinity, has fallen victim to a significant hack. The breach resulted in the loss of 3,996 Ethereum (ETH), valued at approximately $9.33 million.
#PeckShieldAlert @Ronin_Network #whitehacked? or Hacked? (w/ ~ $9.33M) pic.twitter.com/wfaY0zhVdI
— PeckShieldAlert (@PeckShieldAlert) August 6, 2024
Players utilize the Ronin Bridge to transfer assets between the Ronin chain and the Ethereum network. However, this essential bridge has now become the target of malicious actors.
Halted Operations and Whitehat Reports
On-chain security firm PeckShield confirmed the breach, prompting Axie Infinity co-founder and chair Aleksander Leonard Larsen to suspend operations. The pause allows for thorough investigations, with reports from ethical hackers pointing to a potential Maximal Extractable Value (MEV) exploit.
The @Ronin_Network bridge has been paused while we investigate a report from whitehats about a potential MEV exploit.
We will follow up with more information shortly.
The bridge currently secures over $850M which is safe https://t.co/lUjIIgb1DD
— Psycheout.ron (@Psycheout86) August 6, 2024
This isn’t the first time the Ronin Bridge has faced security challenges. In 2022, the Ethereum sidechain suffered a staggering $600 million attack when hackers gained access to private keys for its validator nodes. This compromise affected five validator nodes, the minimum required for transaction approval.
To mitigate the impact, project developers raised $150 million to reimburse affected users. Subsequently, they temporarily closed the Ronin Bridge, only to reopen it months later.
Governance Questions
The series of attacks raises questions about the network’s governance. Notably, the Ronin Bridge lacks true decentralization, the team serves as the sole validators and bridge operators. Despite the breach, the Axie Infinity (AXS) token has shown resilience, rising 9% amidst the broader market recovery.
The recent 3,996 ETH exploit on the Ronin Network was flagged by blockchain explorer Etherscan as an MEV bot. MEV refers to “maximal extractable value,” where profit is derived from reordering transactions awaiting blockchain inclusion.
In a related incident, scroll-based money market Rho Markets lost 2,203 ETH (over $7.5 million) due to a “price oracle misconfiguration.” Fortunately, the responsible group returned the funds after acknowledging their mistake.
Bridges as Targets
The Ronin Bridge joins a list of high-profile bridge hacks. In March 2022, hackers secured five out of nine validators, making off with a staggering $624 million. Additionally, three of the largest crypto hacks in history involve bridges:
- In October 2022, the BNB Bridge was exploited for $586 million, although the hacker escaped with $127 million before the bridge was paused.
- In February of the same year, the Wormhole Bridge lost $326 million due to a smart contract vulnerability.
Given that bridges hold substantial crypto funds, they remain prime targets for hackers.