Major hacks and security breaches are becoming frequent in the DeFi industry. For example, in what was dubbed the greatest crypto hack in history, a hacker stole over $600 million in cryptocurrency from Poly Network. This was followed by a slew of further thefts, notably the Wormhole Bridge hack, which occurred in February 2022 and resulted in the theft of $325 million in ETH.
The first quarter of 2022 closed with another major attack, on March 23. Ronin, an Ethereum-linked sidechain built specifically for Axie Infinity, publicly disclosed a security incident on March 29, 2022, after a user reported being unable to withdraw $5,000 in ETH from the bridge. It took the Ronin team six days to discover that the bridge had been drained and that more than half a billion dollars was missing, making it “the new biggest cryptocurrency hack ever.”
What is the Ronin Network?
With the launch of CryptoKitties in 2017, the popularity of NFT and P2E games skyrocketed. Soon after, the chart-topping Axie Infinity, an NFT-based game developed by Sky Mavis, was introduced in 2018 and quickly became the best-known play-to-earn (P2E) game in the blockchain sector. More people began to play as its popularity grew, but Ethereum’s Layer 1 was not designed for gaming. As a result, Ethereum’s drawbacks hampered Axie Infinity’s ability to attract new players and retain existing ones. In addition, rising gas prices and network congestion would bring the game’s economy to a standstill, wiping out any traction the game had gained.
The team behind Axie Infinity recognized the need for a dependable, fast, and low-cost network that could meet the demands of the game, and chose to take matters into their own hands. Hence, in February 2021, they created a “sidechain” (a blockchain with a specific purpose, namely playing the game) into which users deposit “real” money, Ethereum or USDC, and receive “wrapped” versions of the same to make purchases within the game. This blockchain is known as “Ronin.” The chain is managed by nine validator nodes that control transactions, five of which must agree before any withdrawal or deposit is approved. Sky Mavis runs four of them, and there are five additional third-party validators.
What caused the hack?
Blockchain bridges are applications that allow users to transfer digital assets from one blockchain to another. Successful attacks on “blockchain bridges” have become more regular in recent years, but the Ronin Bridge attack featured a unique flaw.
As discussed above, a consensus of five of these nine validators is required to approve deposits and withdrawals. Sky Mavis operates four of the validators, so anyone who compromises those four needs only one more signature to control the network.
One of the third-party validator nodes is held by the Axie Infinity DAO. In November 2021, Sky Mavis asked the Axie DAO for permission to temporarily sign transactions on its behalf, on the understanding that this arrangement would end in December 2021. Yet the corresponding “allow list” entry was never removed from the contract.
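To make the arithmetic of this failure concrete, here is an added Python model (not Sky Mavis or Ronin code) of a 5-of-9 signature check in which one validator's signing right was delegated through an allow list that was never revoked. Validator ids, timestamps, the `expires` field and the `max_per_operator` control are constructed for illustration; the model shows why a contract that only counts signatures approves a withdrawal backed by a single operator, and two defender-side checks that would reject it.

```python
from collections import Counter
from dataclasses import dataclass

THRESHOLD = 5  # 5 of 9 validator signatures approve a withdrawal
# validator id -> operator holding its key (constructed ids; the 4 + 1 + 4 split is from the article)
VALIDATORS = {f"sky_mavis_{i}": "sky_mavis" for i in range(1, 5)}
VALIDATORS["axie_dao"] = "axie_dao"
VALIDATORS.update({f"third_party_{i}": f"third_party_{i}" for i in range(1, 5)})

@dataclass(frozen=True)
class AllowListEntry:
    validator: str  # validator whose signing right is delegated
    delegate: str   # operator permitted to sign on its behalf
    expires: int    # unix time after which the delegation is void (hypothetical field)

# The Nov 2021 grant that was supposed to lapse in Dec 2021 (constructed timestamp)
ALLOW_LIST = [AllowListEntry("axie_dao", "sky_mavis", expires=1640995199)]  # 2021-12-31T23:59:59Z

def may_sign(validator, operator, now, enforce_expiry):
    """True if `operator` holds `validator`'s key or an (unexpired) delegation for it."""
    if VALIDATORS.get(validator) == operator:
        return True
    return any(e.validator == validator and e.delegate == operator
               and (not enforce_expiry or now <= e.expires) for e in ALLOW_LIST)

def check_withdrawal(signatures, now, enforce_expiry=True, max_per_operator=None):
    """signatures: (validator, signing operator) pairs attached to a withdrawal.
    Returns (approved, valid_signatures, distinct_operators). The on-chain rule is the
    signature count; distinct_operators is what a defender should alert on."""
    valid = {}
    for validator, operator in signatures:
        if validator in VALIDATORS and may_sign(validator, operator, now, enforce_expiry):
            valid[validator] = operator  # one signature per validator counts
    by_operator = Counter(valid.values())
    approved = len(valid) >= THRESHOLD
    if max_per_operator is not None:  # added control: cap one operator's share of the quorum
        approved = approved and max(by_operator.values(), default=0) <= max_per_operator
    return approved, len(valid), len(by_operator)

MARCH_2022 = 1647993600  # 2022-03-23T00:00:00Z
# One operator presents five signatures: its own four keys plus the stale DAO delegation.
SINGLE_OPERATOR = [(f"sky_mavis_{i}", "sky_mavis") for i in range(1, 5)] + [("axie_dao", "sky_mavis")]
# Healthy quorum: four Sky Mavis keys plus an independent third party.
TWO_OPERATORS = SINGLE_OPERATOR[:4] + [("third_party_1", "third_party_1")]

if __name__ == "__main__":
    print("stale allow list honoured:", check_withdrawal(SINGLE_OPERATOR, MARCH_2022, enforce_expiry=False))
    print("expiry enforced          :", check_withdrawal(SINGLE_OPERATOR, MARCH_2022))
    print("operator cap of 4        :", check_withdrawal(SINGLE_OPERATOR, MARCH_2022, False, max_per_operator=4))
```

The first case approves with five valid signatures from one operator, which is the condition the page describes; enforcing the expiry leaves only four signatures, and capping any single operator's share rejects the quorum even when the stale entry is still honoured.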
In the case of the Ronin bridge hack, it appears that attackers employed social engineering to gain access to Sky Mavis’ validators, along with the third-party validator, gaining majority control of the Ronin network. However, it is not clear how the Sky Mavis validators were compromised.
The attacker then authorized two withdrawals, draining 173,600 ETH and 25.5M USDC from the Ronin Bridge contract. The USDC was swapped for ETH through other addresses before being returned to the main wallet.
Perhaps in an attempt to complicate the chase, 6,250 ETH have been moved out of the wallet, some of it since transferred to FTX and Crypto.com. The address was initially funded from Binance, but KYC’d accounts are easily acquired. Since the hack, the following amounts have been sent to the FTX, Huobi and Crypto.com exchanges:
- 1220 ETH on FTX,
- 3750 ETH on Huobi.
The rest of the funds remain in the attacker’s address: https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96
While it may seem that there will be active interest in locating the $600 million, it is questionable whether it will be found and, if it is, whether that money will be repaid to anyone. Because of the negligence of Sky Mavis and the entire team, an attacker got away with $600 million.
In short, those who suffer are not the investors, developers, or those in power, but the ordinary people who chose to entrust them with their money and time. Some people play Axie Infinity for a living and are now helpless: even if you can sell something in the game right now, its underlying worth is essentially nothing. If you are given 150 Ethereum in exchange for your in-game NFT, that 150 Ethereum is worthless because the Ronin contract does not have 150 Ethereum to pay you.