Half-billion dollar DeFi hack goes unnoticed for almost a week

Hackers stole over a half-billion dollars' worth of cryptocurrency, and no one noticed.

That's the wild takeaway Tuesday morning after the team behind Ronin, an Ethereum sidechain developed for the popular blockchain-integrated game Axie Infinity, said they discovered only today that 173,600 ether and 25.5 million of the USDC stablecoin were stolen from their network starting March 23. Worth approximately $615 million, this theft represents one of the largest DeFi losses to date — even surpassing the August 2021 Poly Network hack of approximately $600 million in crypto.

To make matters even worse, the official Ronin Network blog post says developers were only alerted to the missing funds by a user who was unable to withdraw their own ether.

"ETH and USDC deposits on Ronin have been drained from the bridge contract," explains Tuesday's blog post. "As of right now users are unable to withdraw or deposit funds to Ronin Network."

Axie Infinity is a pay-to-earn game popular in the Philippines, where people spend real money to get access to the game with the hope of earning tokens that can be cashed out for actual money.

Notably, unlike previous DeFi disasters, at issue with the Ronin hack does not appear to be some kind of smart contract exploit — meaning there wasn't necessarily a bug in the code. Rather, whoever stole these funds took a more traditional approach and swiped the cryptographic keys from Axie Infinity developer Sky Mavis and "a third-party validator run by Axie DAO."

"The attacker used hacked private keys in order to forge fake withdrawals," notes Ronin.

This Tweet is currently unavailable. It might be loading or has been removed.

Ronin says it's working with law enforcement and the blockchain-analytics firm Chainalysis to track the funds.

As with other public blockchains, like Bitcoin, as of the time of this writing it's possible to see where the stolen funds are. Ronin points out that while some are on the move, most of the boosted ether and USDC is sitting in two wallets controlled by the hacker or hackers. Some funds have already been moved again. Those wallets document the initial transfers in question on March 23.

Perhaps in the exploit-prone world of DeFi, a half-billion dollar hack just wasn't enough to trigger any internal alarm bells. Either that, or the so-called future of finance is seriously lacking in alarm bells to set off.