Ronin's $600 million theft is a wake-up call for cross-chain bridges


On March 30, Ronin Network, the underlying blockchain network supporting the well-known chain game Axie Infinity, reported an attack. Hackers exploited network vulnerabilities to steal 173,600 ETH and 25.5 million USDC, with a total value of $615 million. Other on-chain assets such as AXS, RON and SLP were not affected.

After the notification was issued, the outside world learned that the hackers had begun as early as March 23, and that the theft was not discovered until March 29, after a user reported being unable to withdraw funds from the cross-chain bridge Ronin Bridge.

According to the announcement of Ronin Network (hereinafter referred to as Ronin), hackers exploited network vulnerabilities to obtain the signing authority of 5 validator nodes and used it to sign malicious withdrawals. Of the 5 validators, 4 were in the hands of Sky Mavis, the developer of Axie Infinity, and the fifth belonged to Axie DAO, the game's decentralized autonomous organization.

According to the tracking of security agencies, the hacker's profit address has converted the 25.5 million USDC into ETH and dispersed 6,250 ETH, of which 4,971 ETH has been transferred to several centralized trading platforms.

To prevent further attacks, Ronin suspended its cross-chain bridge Ronin Bridge and the on-chain decentralized exchange application Katana Dex, and began cooperating with law enforcement, security agencies and investors to ensure that funds can be recovered.

The attack on the Ronin Bridge has once again drawn attention to the asset security of cross-chain bridges, and the industry has issued early warnings. A bridge is an encrypted-asset transfer tool connected to many blockchain networks; once compromised, it can threaten the security of on-chain DApps on a large scale. Some security agencies have begun reminding cross-chain bridge developers to review the security of their bridge code and to upgrade their private key management.

The hack was discovered after 6 days

If a user had not failed to withdraw 5,000 ETH from the Ronin Bridge, Ronin might not have realized that it had been attacked. On March 29, that user's report finally led Ronin developers to discover that the Ronin validator nodes of Sky Mavis and Axie DAO had been compromised six days earlier, allowing 173,600 ETH and 25.5 million USDC to be transferred out of the Ronin Bridge.

With $615 million worth of crypto assets stolen, the Ronin chain became the biggest victim of a hack in crypto history. On February 1, 2021, Axie Infinity, the on-chain game that ignited the "Play To Earn" model, announced the official launch of the Ethereum sidechain Ronin Network, built specifically to support the efficient operation of Axie Infinity. No one would have expected that a year later this "game chain" would be attacked on such a scale.

After the incident, the blockchain security agency SlowMist Technology tracked the stolen funds and disclosed that the hacker's profit address had exchanged 25.5 million USDC for ETH and then dispersed 6,250 ETH, of which 1,221 ETH was transferred to the centralized exchanges FTX and Crypto.com and another 3,750 ETH to Huobi, while the remaining balance stayed in the hacker's address. The ETH used by the hackers to launch the attack had been withdrawn from Binance.

Another blockchain security agency, PeckShield, also mapped out the path of Ronin's asset theft and transfer.

[Image: PeckShield's diagram of the asset theft and transfer paths]

When encrypted assets are stolen, the private key used to sign on-chain transactions is usually the point of attack, and Ronin, this time's victim, is no exception.

According to the official notification, the Ronin chain currently consists of 9 validator nodes, and signatures from 5 of the 9 validators are required to deposit or withdraw encrypted assets. The attackers took control of 4 of Sky Mavis' Ronin validators; the fifth was a third-party validator run by Axie DAO. Sky Mavis is the developer of Axie Infinity, and Axie DAO is the game's decentralized autonomous organization.

According to Ronin officials, the validator key scheme is set up to be decentralized, which was meant to limit attack vectors like this one, "but an attacker discovered a backdoor through our gas-free RPC (remote procedure call) node, and they abused the backdoor to obtain the signature of the Axie DAO validator."

Obtaining the signature of a single validator node would not by itself have been enough for an attacker, but the seeds of the crisis had been planted in November of last year.

In November 2021, Sky Mavis had asked Axie DAO to help distribute free transactions because of "high user load", which led Axie DAO to allow Sky Mavis to sign various transactions on its behalf. Although the distribution of transactions stopped as early as December 2021, the entry in the "permitted access list" was never revoked. Once the attackers gained access to the Sky Mavis system, "they obtained the signatures of the Axie DAO validator by using the gas-free RPC node. We have confirmed that the signatures in the malicious withdrawals match the 5 suspicious validators."

Currently, Ronin has raised the validator threshold from 5 to 8 and migrated its nodes. The team said it has begun cooperating with blockchain security agencies and government law enforcement agencies, and is discussing with stakeholders of Axie Infinity/Sky Mavis how best to move the project forward and ensure that user funds are not lost. At the same time, FTX, Binance and Huobi all said they would assist Ronin in gathering evidence or finding clues.
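As an added illustration (not code from the article or from Ronin/Sky Mavis), the following Python model shows why a 5-of-9 validator threshold stops protecting against a single party once one operator has delegated its signing to another, as the stale "permitted access list" did, and why raising the threshold to 8 changes that. Validator names, secrets and the HMAC "signatures" are constructed toys, not Ronin's actual scheme.

```python
import hmac
import hashlib

# Constructed toy model of the setup the article describes: nine validators,
# each with its own signing secret (toy HMAC keys, not real validator keys).
VALIDATOR_SECRETS = {f"validator-{i}": f"secret-{i}".encode() for i in range(1, 10)}

# Constructed operator map modelled on the article: Sky Mavis ran four
# validators, Axie DAO one, and four more belong to other third parties.
OPERATOR = {f"validator-{i}": "sky_mavis" for i in range(1, 5)}
OPERATOR["validator-5"] = "axie_dao"
for i in range(6, 10):
    OPERATOR[f"validator-{i}"] = f"third_party_{i}"


def sign(validator: str, withdrawal: bytes) -> bytes:
    """Toy validator signature: HMAC-SHA256 of the withdrawal payload."""
    return hmac.new(VALIDATOR_SECRETS[validator], withdrawal, hashlib.sha256).digest()


def count_valid_signers(withdrawal: bytes, signatures: dict) -> int:
    """Distinct known validators whose signature verifies; the dict is keyed
    by validator name, so one validator can only ever count once."""
    return sum(
        1 for v, sig in signatures.items()
        if v in VALIDATOR_SECRETS and hmac.compare_digest(sign(v, withdrawal), sig)
    )


def withdrawal_approved(withdrawal: bytes, signatures: dict, threshold: int) -> bool:
    return count_valid_signers(withdrawal, signatures) >= threshold


def max_signatures_one_party_can_produce(delegations: dict) -> int:
    """Largest number of validator signatures a single party can produce,
    counting validators it operates plus those whose operator delegated
    signing to it (delegations maps operator -> party signing on its behalf)."""
    control = {}
    for validator, operator in OPERATOR.items():
        party = delegations.get(operator, operator)
        control.setdefault(party, set()).add(validator)
    return max(len(v) for v in control.values())


def single_party_can_forge(threshold: int, delegations: dict) -> bool:
    """True if the threshold is reachable with no independent party involved."""
    return max_signatures_one_party_can_produce(delegations) >= threshold
```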

How to avoid risks in cross-chain bridge projects?

Since the ETH and USDC deposits on the Ronin chain have been drained from the contracts of the cross-chain bridge Ronin Bridge, both the bridge and the on-chain decentralized trading application Katana Dex are suspended, and the BSC chain has also disabled the cross-chain bridge connecting it to the Ronin chain.

In this Ronin theft, the hackers clearly targeted the assets stored in the cross-chain bridge contract. On February 3 this year, Wormhole, the cross-chain bridge of the Solana chain, was also attacked by hackers and lost nearly $300 million; Jump Crypto, one of the bridge's owners, later covered most of the losses.

Because encrypted assets are created on different blockchain networks, developers built cross-chain asset transfer tools, namely cross-chain bridges, so that users can use decentralized applications (DApps) on different chains. The usual operating logic is to replace the original assets with an equal amount of "wrapped assets". For example, when a user uses Wormhole to transfer ETH from the Ethereum network to the Solana network, the ETH is locked in the cross-chain bridge's smart contract and an equal amount of wrapped wETH is minted for the user to use on the Solana network; when the user wants to move the assets from Solana back to Ethereum, the wETH is exchanged back for ETH and the wETH is burned.

In other words, when assets are transferred across chains, the user's original assets are held in the cross-chain bridge contract, so any problem with the bridge threatens the security of the user's assets. In addition, even if the vulnerability is not in the bridge itself but only in one of the networks it connects, the existence of cross-chain bridges lets hackers move their "dirty money" through them.

The security issues of cross-chain bridges have long been noticed by the industry, including by investors in the victim Sky Mavis. Yat Siu, co-founder of Animoca Brands, an investor in the company, said in an interview: "If a bridge can mint tokens, it's like a minting machine... Bridges are authority, but if they are poorly designed or have loopholes, they pose a huge risk to the ecosystem."

That risk has now materialized. After the Ronin theft, the blockchain security audit agency Beosin used its official blog to remind cross-chain bridge projects to strengthen their security and offered suggestions.

Beosin pointed out that cross-chain bridge projects should pay attention to the security of their signature verification nodes to ensure that sensitive information is stored safely; if the project's signing is performed offline, the network must update the signing security policy, shut down the related service model, and at the same time consider the risk of the signing account address being leaked.

In addition, Beosin reminded that verification signatures must be multi-signature, the multi-signature must be logically isolated, and the verification of the signed content must be carried out independently. In fact, the Ronin chain itself uses decentralized multi-signature verification, yet the vulnerability in the RPC node was still exploited by hackers. To this end, Beosin recommends that, where subset verification exists, subset verifiers must not be able to request signatures from the verifiers themselves.

That the Ronin chain only discovered the hack 6 days later also sounded an alarm for maintainers of blockchain networks. Beosin therefore suggested that all of a project's transactions be monitored in real time, with real-time alarms for "abnormal transactions", to ensure a quick response when danger occurs.
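As an added example (not from the article or from Beosin), this Python monitor replays a constructed stream of bridge withdrawals against the bridge's locked reserves and raises the kind of "abnormal transaction" alarm Beosin recommends. The event values, reserve levels and alert thresholds are constructed; the two large withdrawals are sized like the figures reported above.

```python
from dataclasses import dataclass


@dataclass
class Withdrawal:
    ts: int        # unix seconds (constructed)
    asset: str
    amount: float
    to: str


# Constructed sample stream: ordinary bridge traffic followed by two
# outsized withdrawals sized like the figures the article reports.
EVENTS = [
    Withdrawal(1647990000, "ETH", 12.0, "0xuser1"),
    Withdrawal(1647991000, "ETH", 40.5, "0xuser2"),
    Withdrawal(1647992000, "USDC", 9000.0, "0xuser3"),
    Withdrawal(1648050000, "ETH", 173600.0, "0xattacker"),
    Withdrawal(1648050100, "USDC", 25500000.0, "0xattacker"),
]
# Constructed reserves locked in the bridge contract before the sample starts.
RESERVES = {"ETH": 180000.0, "USDC": 26000000.0}


def check_withdrawals(events, reserves, max_share=0.05, window=3600, max_window_share=0.10):
    """Replay withdrawals against the bridge reserves and return alerts:
    'large_withdrawal' when one withdrawal exceeds max_share of the asset's
    current reserve, 'window_drain' when withdrawals of that asset within
    `window` seconds exceed max_window_share of the reserve at window start."""
    reserves = dict(reserves)
    alerts = []
    recent = []
    for ev in sorted(events, key=lambda e: e.ts):
        before = reserves[ev.asset]
        if ev.amount > max_share * before:
            alerts.append(("large_withdrawal", ev.ts, ev.asset, ev.amount, ev.to))
        recent = [r for r in recent if r.ts > ev.ts - window]
        earlier = sum(r.amount for r in recent if r.asset == ev.asset)
        recent.append(ev)
        reserve_at_window_start = before + earlier
        if earlier + ev.amount > max_window_share * reserve_at_window_start:
            alerts.append(("window_drain", ev.ts, ev.asset, earlier + ev.amount, ev.to))
        reserves[ev.asset] = before - ev.amount
    return alerts


def alert_kinds(alerts):
    return sorted({a[0] for a in alerts})
```

With these constructed inputs the three ordinary withdrawals pass silently and both attacker withdrawals trigger both rules, which is the signal that went unnoticed for six days in the real incident.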

(Disclaimer: Readers are requested to strictly abide by local laws and regulations, this article does not represent any investment advice)

Do you think the Ronin theft will affect the development of Axie Infinity?


Origin blog.csdn.net/fengchao666/article/details/123874229