In a statement released yesterday, Ronin shared a detailed account of the hack and the security measures they were implementing.
The report confirmed that the attackers, who worked for a North Korean state-sponsored cybercrime organization Lazarus, gained access to five out of nine validator private keys. This much had been shared before.
In the postmortem, Ronin added that four validators had been compromised after an employee, who no longer works at Ronin, fell victim to a spear-phishing attack. The fifth private key was acquired via an old Axie DAO allowlist.
The hack, which cost Ronin bridge users 173,600 ETH and 25.5m USDC, was discovered five days after it was executed, because Ronin had no “proper tracking system,” the team admitted.
Security upgrades and bug bounties
The Ronin developers are working on adding new validators, the postmortem confirmed. As of the report’s publication, they added two and were onboarding three more. By August, the network is expected to reach 21 validating nodes.
The team also engaged a number of security firms, including CrowdStrike and Polaris Infosec, to run “internal surveillance and forensics” as well as providing “more robust training courses” for employees. They also offered a $1 million bounty for security bug researchers.
According to the postmortem, the Ronin bridge could be restored by late May. Once it’s back online, large transactions such as those carried out by the attackers will not be possible without human approval.
For now, wETH and USDC withdrawals and deposits are handled by Binance, which also helped restore $5.8 million in stolen funds and led a funding round that raised $150 million as Ronin exploit relief. Together with the Sky Mavis balance sheet, the money should cover all reimbursements, Ronin said earlier this month, but a specific timeline has not yet been offered.