2022-03-29 Ronin Exploit $625M

Date: 2022-03-29

https://rekt.news/leaderboard/ #1 exploit so far in crypto history

Intro

  • Sky Mavis: The creator of Axie Infinity

  • Axie Infinity: the most popular gamefi project, pioneered the p2e (play to earn) model

  • Ronin Wallet: the wallet used by Axie Infinity Game

  • Ronin Bridge: lets users send crypto back and forth between Ethereum and Axie’s Ronin sidechain. The bridge is nothing more than a smart contract, when executed takes the amount of ETH sent and mints the same amount of WETH on the Ronin network and associates those tokens to your Ronin wallet

  • Related Tokens (All ERC20 tokens)

    • RON (coinmarketcap): Token for Ronin network

    • AXS: game native token

    • SLP: game governance token

Stats

  • Attack Vector: a multi-signature compromise

  • Damage: Roughly $625 million, or 173,600 ether and 25.5 million USDC

  • Was it detected automatically: No

  • How long did it take from the hack to detect: 7 days

  • How did it happen: The attacker compromised Sky Mavis’s four Ronin Validators first. The attacker found a backdoor through a gas-free RPC node, from there the hacker got the signature of the Axie DAO validator. That’s 5, meet the signature threshold

  • How did the hacker get the signature of the validator: The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf to handle immense user load in Nov 2021. The allowlist was never revoked.

  • How did the hacker compromise the Sky Mavis’s four Ronin Validators: Not clear. There are some theory that the client has a bug, see this tweet.

  • How could this be prevented?

    • This is not a smart contract exploit, this is a “classical” security breach

    • This could easily be prevented if dev revoked the allowlist.

  • Transactions

  • Where are the fund now: Etherscan Ronin Bridge Exploiter

Mechanism of Ronin Sidechain

  • Security: 9 validator nodes, 5/9 needed for sends/receives (after this incident it’s increased to 8/9)

What happened?

  • Exploiters used hacked private keys to forge fake withdrawals on March 23, 2022

  • Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised. Hacker compromised Sky Mavis’s four Ronin Validators, and a third-party validator run by Axie DAO.

  • Team identified the attack 2022-03-29 after a report from a user being unable to withdraw 5k ETH from the bridge.

  • Team took action, halted the Ronin bridge and Katana Dex, increased 5/9 to 8/9

Resources: