$12 million taken by whitehats from Ronin bridge

The Ronin bridge, which bridges crypto assets to the Ronin Network used by Axie Infinity and other gaming projects, has once again suffered a breach — though a considerably smaller one than the recordbreaking $625 million theft in March 2022. An update to the bridge code introduced a flaw with respect to how transactions were confirmed.

Fortunately for the Ronin team, it seems that most of the losses actually went to whitehats and MEV bots that were frontrunning transactions by would-be exploiters. ETH and USDC priced at around $12 million were taken — the maximum amount before triggering a safety feature in the code. Later that day, Ronin announced that the ETH (worth around $10 million) had been returned, and that the USDC was in the process of being returned. They also announced that they would reward the whitehats with a $500,000 bug bounty reward.

The Ronin bridge was taken offline shortly after the flaw was detected, and the team announced it would undergo an audit before being brought back online.

SEC files complaint against Binance

The SEC has filed a complaint against Binance, various related companies, and Binance CEO Changpeng "CZ" Zhao. They allege that the company has been acting with "blatant disregard" of US securities laws through their operation of unregistered trading platforms, have performed multiple offers of unregistered securities and investment schemes, and have defrauded investors through material misstatements around supposed controls for manipulative trading activity, such as wash trading, on the Binance platforms.

The complaint echoes some of the allegations made by the CFTC in a March lawsuit, including that Binance.US was primarily a front for Binance's international platform that was used to try to distract US regulators. However, it also goes farther by adding allegations around Binance's lack of controls around market manipulation, which the SEC alleges contradict public statements by Binance that they had sophisticated programs to prevent wash trading and other manipulative actions. The SEC even claims that the CZ-owned and -operated market maker Sigma Chain was engaged in substantial wash trading on the platform.

The SEC lawsuit was also a bit of a bombshell in its naming of some major cryptocurrencies as securities: SOL, ADA, MATIC, FIL, ATOM, SAND, MANA, ALGO, AXS, and COTI. These are the crypto assets associated, respectively, with the Solana, Cardano, Polygon, Filecoin,[d] Cosmos, The Sandbox, Decentraland, Algorand, Axie Infinity, and Coti projects.

Axie Infinity says it was never about the money after describing their game as a job-creator

After playing up how Axie Infinity had "created hundreds of thousands of jobs in the Philippines" and other locations where salaries are low, Axie Infinity has crumbled. Some players had quit their traditional jobs to become full-time Axie players, and for a few months in 2021, some skilled players could make more than the average wage in the Philippines by playing the game.

Even without the $625 million hack in March, Axie's economy was in trouble. A November 2021 report from Naavik, titled "Infinite Opportunity or Infinite Peril?" wrote that the game's "economic policies are fundamentally unsustainable" and that "the value of new Axies and SLP is propped up by new players putting fresh money into the game".

As of May, even top-ranked players were making around $0.68 a day — certainly well below the $41.50 average daily wage in the Philippines that the game was once beating. Now, Axie Infinity downplays the financial promises of its game, with the company's head of product writing, "Axie Infinity first and foremost needs to be a game".

U.S. Treasury sanctions cryptocurrency tumbler Blender, the first sanction of its kind

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced that they had sanctioned the North Korean cryptocurrency tumbler Blender.io. This was the first U.S. government sanction levied against a cryptocurrency tumbling service. Blender was used to launder more than $20.5 million of the $620 million stolen in March from the blockchain used by the play-to-earn game Axie Infinity. The U.S. government has alleged that the North Korean state-sponsored cybercrime group Lazarus was behind the hack.

The U.S. began sanctioning various wallet addresses belonging to the hackers in mid-April, though have faced obstacles given that it is trivial for the hackers to create new wallets. The use of cryptocurrency tumblers (also called "mixers") has also stymied the government's attempts to limit the DPRK's access to the ill-gotten funds. Blender is not the primary tumbler that Lazarus has been using — that would be Tornado Cash, which they have used to tumble more than $213 million from the hack. Tornado has taken perfunctory steps to comply with sanctions, but nothing that would meaningfully impact Lazarus' ability to use the service.

Authorities link Axie Infinity hack to North Korean Lazarus hacking group

According to the FBI, the infamous cybercrime group Lazarus has been implicated in the March Axie Infinity exploit that saw $625 million taken from the game's blockchain bridge. Lazarus are a criminal group with strong ties to North Korea, and are suspected of being behind infamous cyberattacks including the WannaCry ransomware that impacted a wide number of industries including hospitals and manufacturing, as well as legislative and justice systems. The U.S. Treasury department has added the crypto wallet that received the stolen funds to its sanctions list, which may make it substantially harder for the attackers to withdraw the money. The wallet still contains around 150,000 ETH, valued at around $445 million, but has been slowly siphoning it out to various other wallets, exchanges, and tumblers over the past weeks.

Popular blockchain game Axie Infinity suffers a $625 million exploit, the largest in defi history

One of the most popular play-to-earn games, Axie Infinity, suffered an enormous hack to the Ronin network on which it runs. The project announced that a majority of Ronin validator nodes had been compromised — four belonging to the Sky Mavis company that builds Axie Infinity, and one belonging to the Axie DAO. After gaining control of the validators, they were able to approve malicious withdrawals of 173,600 ETH (about $600 million) and 25.5M USDC (a stablecoin, worth $25.5M). The $625 million loss was possibly the largest to date in the history of defi projects.

Sky Mavis announced that they had halted the Ronin Bridge and Katana DEX, and were making changes to their network to try to guard against future attacks. They also wrote that they were "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed".

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.