https://rekt.news/leaderboard/ #1 exploit so far in crypto history
Sky Mavis: The creator of Axie Infinity
Axie Infinity: the most popular gamefi project, pioneered the p2e (play to earn) model
Ronin Wallet: the wallet used by Axie Infinity Game
Ronin Bridge: lets users send crypto back and forth between Ethereum and Axie’s Ronin sidechain. The bridge is nothing more than a smart contract, when executed takes the amount of ETH sent and mints the same amount of WETH on the Ronin network and associates those tokens to your Ronin wallet
Related Tokens (All ERC20 tokens)
RON (coinmarketcap): Token for Ronin network
AXS: game native token
SLP: game governance token
Attack Vector: a multi-signature compromise
Damage: Roughly $625 million, or 173,600 ether and 25.5 million USDC
Was it detected automatically: No
How long did it take from the hack to detect: 7 days
How did it happen: The attacker compromised Sky Mavis’s four Ronin Validators first. The attacker found a backdoor through a gas-free RPC node, from there the hacker got the signature of the Axie DAO validator. That’s 5, meet the signature threshold
How did the hacker get the signature of the validator: The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf to handle immense user load in Nov 2021. The allowlist was never revoked.
How did the hacker compromise the Sky Mavis’s four Ronin Validators: Not clear. There are some theory that the client has a bug, see this tweet.
How could this be prevented?
This is not a smart contract exploit, this is a “classical” security breach
This could easily be prevented if dev revoked the allowlist.
Transactions
Where are the fund now: Etherscan Ronin Bridge Exploiter
Security: 9 validator nodes, 5/9 needed for sends/receives (after this incident it’s increased to 8/9)
Exploiters used hacked private keys to forge fake withdrawals on March 23, 2022
Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised. Hacker compromised Sky Mavis’s four Ronin Validators, and a third-party validator run by Axie DAO.
Team identified the attack 2022-03-29 after a report from a user being unable to withdraw 5k ETH from the bridge.
Team took action, halted the Ronin bridge and Katana Dex, increased 5/9 to 8/9
Ronin’s statement
