# 2022-03-29 Ronin Exploit $625M

By [Joan Yin](https://paragraph.com/@joan-yin) · 2022-03-30

---

Date: 2022-03-29
----------------

[**https://rekt.news/leaderboard/**](https://rekt.news/leaderboard/) **#1 exploit so far in crypto history**

Intro
-----

*   **Sky Mavis**: The creator of Axie Infinity
    
*   **Axie Infinity**: the most popular gamefi project, pioneered the p2e (play to earn) model
    
*   **Ronin Wallet**: the wallet used by Axie Infinity Game
    
*   **Ronin Bridge**: lets users send crypto back and forth between Ethereum and Axie’s Ronin sidechain. The bridge is nothing more than a smart contract, when executed takes the amount of ETH sent and mints the same amount of WETH on the Ronin network and associates those tokens to your Ronin wallet
    
*   **Related Tokens** (All ERC20 tokens)
    
    *   RON ([coinmarketcap](https://coinmarketcap.com/currencies/ronin/)): Token for Ronin network
        
    *   AXS: game native token
        
    *   SLP: game governance token
        

Stats
-----

*   **Attack Vector**: a multi-signature compromise
    
*   **Damage**: Roughly $625 million, or 173,600 ether and 25.5 million USDC
    
*   **Was it detected automatically**: No
    
*   **How long did it take from the hack to detect**: 7 days
    
*   **How did it happen**: The attacker compromised Sky Mavis’s four Ronin Validators first. The attacker found a backdoor through a gas-free RPC node, from there the hacker got the signature of the Axie DAO validator. That’s 5, meet the signature threshold
    
*   **How did the hacker get the signature of the validator**: The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf to handle immense user load in Nov 2021. The allowlist was never revoked.
    
*   **How did the hacker compromise the Sky Mavis’s four Ronin Validators**: Not clear. There are some theory that the client has a bug, see this [tweet](https://twitter.com/kelvinfichter/status/1508842458922237960).
    
*   **How could this be prevented**?
    
    *   This is not a smart contract exploit, this is a “classical” security breach
        
    *   This could easily be prevented if dev revoked the allowlist.
        
*   Transactions
    
    *   [https://etherscan.io/tx/0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7](https://etherscan.io/tx/0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7)
        
    *   [https://etherscan.io/tx/0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08](https://etherscan.io/tx/0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08)
        
*   Where are the fund now: [Etherscan](https://etherscan.io/txs?a=0x098b716b8aaf21512996dc57eb0615e2383e2f96&p=4) Ronin Bridge Exploiter
    

Mechanism of Ronin Sidechain
----------------------------

*   **Security**: 9 validator nodes, 5/9 needed for sends/receives (after this incident it’s increased to 8/9)
    

What happened?
--------------

*   Exploiters used hacked private keys to forge fake withdrawals on March 23, 2022
    
*   Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised. Hacker compromised Sky Mavis’s four Ronin Validators, and a third-party validator run by Axie DAO.
    
*   Team identified the attack 2022-03-29 after a report from a user being unable to withdraw 5k ETH from the bridge.
    
*   Team took action, halted the Ronin bridge and Katana Dex, increased 5/9 to 8/9
    

Resources:
----------

*   Ronin’s [statement](https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w)

---

*Originally published on [Joan Yin](https://paragraph.com/@joan-yin/2022-03-29-ronin-exploit-625m)*
