The Ronin Hack – What Went Wrong


On the 23rd of March 2022, the Ronin network suffered one of the biggest hacks in crypto history, with an attacker stealing $540M in cryptocurrency from the network. The Ronin bridge powers the crypto game Axie Infinity, in which players earn in-game currency that can later be exchanged for real money in the form of cryptocurrency tokens.

While the hack occurred on the 23rd, it was only discovered 6 days later, when a user tried to withdraw funds from the Ronin network and was unable to do so. The attack succeeded in part because of a change made a few months earlier: in November 2021, the Axie Infinity platform saw a huge influx of players, and security measures on the platform were loosened to cope with the load.

What is Axie Infinity?

Axie Infinity, created by Vietnamese studio Sky Mavis, is a blockchain-based game which uses the Ronin network. The main goal of the game is to make animated monsters fight each other. In order to be able to play, players must first purchase NFTs (non-fungible tokens) of these monsters, which can cost up to thousands of dollars. By playing the game, players can earn in-game currency, which can then be exchanged for real cryptocurrency.

Deep Dive – How It Happened

In order to understand exactly how the money was stolen, let us first take a look at how the Ronin network operates.

The Ronin network is essentially a sidechain to the Ethereum mainnet. A sidechain is a different blockchain network running in parallel to the main blockchain and connected to it via what’s known as a bridge. These sidechains have their own separate network, and their own consensus algorithm, which can be different from the main chain. Sidechains also have their own validators.

The Ronin network has nine validator nodes, out of which at least five nodes need to verify a transaction before it goes through, whether it is a withdrawal or a deposit.

According to reports, the attacker managed to get access to four of Sky Mavis’ validator nodes as well as an external validator node, run by the Axie DAO. Apparently, the attacker got access to the nodes by means of 4 stolen private keys. According to a tweet by the COO of Sky Mavis, the attacker(s) got the keys through a social engineering attack.

For accessing the Axie DAO validator, the attacker “found a backdoor in Sky Mavis’ gas-free RPC node”, according to their blog post on the Ronin network.

One of the factors that made this possible dates back to November 2021. When the platform saw an increased load due to a large number of new sign-ups, certain security features were removed to onboard new players faster. Sky Mavis asked the Axie DAO to allow them to sign transactions on behalf of the DAO to facilitate faster transactions. While this was discontinued in December 2021, the allowlist access was never revoked.

Addressing the situation

Sky Mavis has recently announced that they are raising $150M in funding, with the help of exchange group Binance, in order to pay back the users of the Axie Infinity platform who lost their money due to the hack. They plan to take these funds, add money from their own balance sheet and reimburse all affected users of the Ronin hack.

It is very difficult to retrieve funds stolen during a crypto hack, and as of now, most of the stolen ETH is just sitting in the attacker’s wallet.

Lessons to be learned

Private key security

Since the main attack vector here was the stolen private keys, this is a reminder to everyone using cryptocurrency exchanges and wallets to ensure the secrecy of their private keys. Just as account passwords need to be protected, so do private keys.

Better validation

The Ronin network was using a 5/9 validation scheme, which has proven to be inadequate. Sky Mavis has upgraded it to 8/9 validation for now and is planning to add even more validator nodes, but only time will tell whether these measures are sufficient.
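The weakness described above (a 5-of-9 threshold where one organisation held four keys and a never-revoked allowlist let it sign for a fifth) can be checked mechanically. The following is an added example, not code from Sky Mavis or the Ronin project: a constructed model of the approval policy that computes how many distinct organisations must be compromised before a withdrawal clears the threshold. Validator names, operator names and the allowlist structure are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # organisation that holds this validator's private key


@dataclass
class BridgePolicy:
    validators: Tuple[Validator, ...]
    threshold: int
    # allowlist: operator -> validators it may sign on behalf of (delegation)
    allowlist: Dict[str, Set[str]] = field(default_factory=dict)

    def signers_controlled_by(self, operators: Set[str]) -> Set[str]:
        """Validator approvals producible with the keys of these operators,
        directly or through any delegation they were granted."""
        controlled: Set[str] = set()
        for op in operators:
            controlled |= {v.name for v in self.validators if v.operator == op}
            controlled |= self.allowlist.get(op, set())
        return controlled

    def can_approve(self, operators: Set[str]) -> bool:
        return len(self.signers_controlled_by(operators)) >= self.threshold

    def min_operators_to_approve(self) -> int:
        """Smallest number of organisations whose key compromise clears the
        threshold: the real security margin of the bridge, not the raw k/n."""
        ops = sorted({v.operator for v in self.validators})
        for k in range(1, len(ops) + 1):
            if any(self.can_approve(set(c)) for c in combinations(ops, k)):
                return k
        return len(ops) + 1  # threshold unreachable


def ronin_like_policy(dao_delegation: bool, threshold: int = 5) -> BridgePolicy:
    # Constructed validator set: 4 Sky Mavis nodes, 1 Axie DAO node, 4 others.
    vals = tuple(Validator(f"sm-{i}", "SkyMavis") for i in range(4))
    vals += (Validator("dao-0", "AxieDAO"),)
    vals += tuple(Validator(f"ext-{i}", f"Partner{i}") for i in range(4))
    # The stale allowlist: Sky Mavis may still sign on behalf of the DAO node.
    allow = {"SkyMavis": {"dao-0"}} if dao_delegation else {}
    return BridgePolicy(vals, threshold, allow)
```

With the delegation active, compromising Sky Mavis alone reaches 5 of 9; revoking it raises the margin to two organisations, and 8 of 9 without delegation requires five.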

Worried about attackers targeting your smart contracts? Contact us today to get your smart contracts audited for any security issues!


Yuvarajan

is a security engineer at Detasecure. He performs memory forensics and malware analysis. He holds a B.E. from Anna University and is an active participant in capture the flag (CTF) competitions.