Ronin Bridge hack: $624+ million lost in largest DeFi hack

Ronin Bridge was hit by a hack on March 23rd as announced by its team this Tuesday. The hack resulted in the loss of $624 million in ETH and USDC.

The biggest DeFi hack to date

Ronin Bridge is a side chain of the Ethereum network launched in February 2021. It has been developed to support Axie Infinity, the popular play-to-earn blockchain-based game. The Ronin team announced on Tuesday in a blog post that they discovered the security breach that took place on March 23rd.

The Ronin hack resulted in the loss of $624 million in ETH and USDC. Therefore, it is the largest decentralized finance (DeFi) hack to date, topping Poly Network’s $610 million hack.

How did the attacker pull out the hack?

The hacker has been able to steal the funds after compromising Sky Mavi’s Ronin and Axie DAO validator nodes. 173,600 ETH and 25.5 million USDC have been drained from the Ronin Bridge in 2 transactions.

More specifically, the hacker took advantage of the validation system of Ronin’s chain. Indeed, Ronin’s chain required 5 out of 9 validators’ signatures to recognize a deposit or withdrawal. However, the hacker managed to exploit a loophole to get a signature from an Axie DAO validator and managed to take control of 4 validators from Ronin. Then, the hacker used these 5 validators’ signatures to confirm the malicious withdrawals.

After the discovery of the hack, the Ronin team took several steps. It announced increasing the validator threshold to prevent future similar attacks. They also paused Ronin Bridge and Katana DEX.

Ronin hack: analyzing the hacker’s address

Today, 175,913 units of ETH are still sitting at the hacker’s address. The Scorechain team flagged the hacker’s address (0x098b716b8aaf21512996dc57eb0615e2383e2f96) has as “Hack” in the database and assigned it a low score as shown below. A low score means that there are higher risks in terms of money laundering (ML) and terrorism financing (TF). The Scorechain team will thus be monitoring any activity related to these funds closely.

Tips: Scorechain is identifying addresses on blockchains and gives insights to users about the person or entity controlling the address and the associated level of risk.

Following the flows of the hacked funds

Funds from the Ronin hack sent to intermediate wallets

However, the majority of the funds are already on the move. Some stolen funds have reached other addresses. For instance:

• 0x5b5082214d62585d686850ab8d9e3f6b6a5c58ff holds 1 233,98 ETH;
• 0xa9bfdc186c6bcf058fbb5bf62046d7bc74e96ce2 holds 15ETH; and
• 0xf49fa9956cd53c4581a974a7fd535a15c47b954a holds 30 ETH.

Scorechain will also keep monitoring these addresses and any activity linked to the stolen funds.

Update April 1st:

On March 31st, we received an automatic alert notification that the funds held by the address 0x5b508 were moving. Indeed, the hacker sent the funds from this wallet (1 233,98 ETH) to the exchange platform Huboi.com in one transaction.

Update April 4th:

On April 4th, we received alert notifications that funds related to the hack were once again on the move. The hacker is sending funds to a mixing service Tornado.cash. By using a mixing service, the hacker is obfuscating the trail of the funds, making them harder to trace.

Update April 11:

The hacker keeps on sending the remaining funds to Tornado.cash. For instance, from April 4th, the hacker used several intermediate addresses to send 16,100 ETH in 161 transactions to the mixing service.

Tips: To follow these funds, Scorechain users can set up alerts for addresses to receive automatic notifications when the funds start to move. This allows them to monitor funds in real-time.

Hack-related funds reaching centralized exchanged

Besides, some of the funds also reached cryptocurrency platforms. Indeed, the hacker sent $17 million worth of ETH funds to 3 well-known centralized exchanges (CEXs) as part of the laundering process. These transactions break down as follows:

• 1,219.962 ETH ($4.3 million) have been sent to the first exchange in 23 transactions;
• 3,749.926 ETH ($12.7 million) to another exchange in 3 transactions; and
• 0.999 ETH ($3,400) to the last exchange.

Tips: Users can use Scorechain’s Exploration tool to easily know if the investigated address has any relationships between another specific entity or entity type such as “exchange”, “DEX”, etc.

Ronin’s hacker using DEX swaps

Finally, the hacker also performed swaps on decentralized exchanges (DEXs). Indeed, unlike CEXs, DEXs do not require users to submit know-your-customer (KYC) information before making transactions. In the case of this hack, the attacker used 2 well-known DEXs to perform the swaps. First, the attacker sent the stolen USDC to 2 intermediate addresses. Then, the attacker performed the swaps with these intermediate addresses.

Tips: Scorechain Ethereum Analytics can spot DEX trades and keeps track of the funds even after swaps.

Reducing your exposure to hack-related funds

Funds related to hacks represent high risks in terms of ML and TF. It is thus important that companies operating with cryptocurrencies adopt a risk-based approach for these kinds of funds to satisfy various anti-money laundering requirements implemented by worldwide governments.

However, implementing these requirements can be a hassle for such companies as the compliance process takes time and resources. Blockchain analytics can assist compliance teams in the implementation of the requirements by providing transaction monitoring and risk assessment solutions. Besides, it also helps compliance teams save time and avoid penalties for non-compliance.

Would you like to discover how Scorechain Blockchain Analytics tools can support you in your compliance journey?

About Scorechain

Scorechain is a Risk-AML software provider for cryptocurrencies and digital assets. As a leader in crypto compliance, the Luxembourgish company has helped more than 200 customers in 45 countries since 2015, ranging from cryptocurrency businesses to financial institutions with crypto trading, custody branch, digital assets, customers onboarding, audit and law firms, and some LEAs.

Scorechain solution supports Bitcoin analytics with Lightning Network detection, Ethereum analytics with all ERC20 tokens and stablecoins, Litecoin, Bitcoin Cash, Dash, XRP Ledger, Tezos, Tron with TRC10 and TRC20 tokens, and BSC with BEP20 tokens. The software can de-anonymize the Blockchain data and connect with sanction lists to provide risk scoring on digital assets, transactions, addresses, and entities. The risk assessment methodology applied by Scorechain has been verified and can be fully customizable to fit all jurisdictions. 300+ risk-AML scenarios are provided to its customers with a wide range of risk indicators so businesses under the scope of the crypto regulation can report suspicious activity to authorities with enhanced due diligence.