The attack on Ronin Networks appears to be the most successful heist in decentralized finance so far. The attackers took advantage of several weaknesses in the system architecture.
Heist of the century
About $620 million was stolen from the Ronin Networks blockchain system, which is run by Sky Mavis, the company that operates the popular game Axie Infinity. Most of the stolen funds are in the form of the Ethereum cryptocurrency. Experts are already saying that this is the largest ever theft from a decentralized cryptocurrency system.
The hackers managed to steal 173,600 units of the Ethereum (ETH) cryptocurrency, which is about $600 million at the current exchange rate, and another 25.5 million units of USDC, a cryptocurrency whose rate is pegged to the dollar.
The attack occurred on March 23, 2022 and was aimed directly at the “bridge” of the Ronin blockchain system, an intermediate link between Axie Infinity and other cryptocurrency blockchains such as Ethereum. The game involves buying NFTs, in-game currencies and items with cryptocurrency, with the ability to exchange them back for cryptocurrency assets later.
According to Sky Mavis, the attacker used compromised private keys to take over the network nodes that validate transactions entering and leaving the Ronin blockchain.
The theft was discovered only a week later, when another user tried to use the same “bridge” to withdraw 5 thousand units of Ethereum.
Sky Mavis said the NFT tokens that users must purchase to gain access to Axie were not compromised. In-game cryptocurrencies also remained untouched. However, because of the incident, new players are not being admitted to the platform. The fate of other players’ funds is also in question, with Sky Mavis employees, security experts and law enforcement trying to get back what was stolen.
One of the reasons the theft was possible is the Ronin structure itself: unlike the Bitcoin and Ethereum blockchains, it uses validation nodes that check the inputs and outputs of each transaction and the authenticity of authorization signatures. Any transaction that does not pass this validation is blocked. This approach is less energy intensive than the one used in the Bitcoin and Ethereum blockchains.
Moreover, Sky Mavis used a rather limited number of validation nodes, explaining this as an attempt to reduce the sharply increased load on its network. In 2021, Axie Infinity became wildly popular in the Philippines and other countries where players have made it a source of income.
The Ronin post says that in November 2021, because of the huge influx of users, Sky Mavis asked Axie DAO for help with the distribution of free transactions. Axie DAO is a decentralized autonomous organization run by users, and it has its own separate validation node.
“Axie DAO has given Sky Mavis the authority to authenticate various transactions on its behalf. This scheme worked until December 2021; however, the corresponding permit was not revoked,” the company said in a report.
The attackers were eventually able to obtain the digital signature of the Axie DAO validation node and use it to compromise five of the nine Ronin validation nodes. This was enough for the attackers to freely withdraw any amount of funds.
In response, Ronin has increased the minimum number of nodes that must validate a transaction for it to take place from five to eight. The “bridge” with other blockchains has been disabled for the time being, and changes are being hastily made to the architecture of the blockchain, which should increase its reliability.
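The weakness described above can be checked for mechanically. The following is an added example, not code from Sky Mavis or from the original article: an audit that flags unrevoked signing delegations and any single operator able to reach the validation threshold alone. The nine validators, the thresholds of five and eight, and the attack date come from the article; the operator names, the ownership split and the delegation end date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Delegation:
    validator: str      # node whose signing authority was lent out
    grantee: str        # operator allowed to sign on its behalf
    intended_end: date  # when the arrangement was supposed to stop
    revoked: bool       # whether the permission was actually withdrawn

def effective_control(operators, delegations):
    """Map each operator to every validator it can produce a signature for."""
    control = {}
    for validator, operator in operators.items():
        control.setdefault(operator, set()).add(validator)
    for d in delegations:
        if not d.revoked:  # an unrevoked grant keeps working past its intended end
            control.setdefault(d.grantee, set()).add(d.validator)
    return control

def audit(operators, delegations, threshold, today):
    """Return findings: stale grants, and operators who alone can reach quorum."""
    findings = []
    for d in delegations:
        if not d.revoked and d.intended_end < today:
            findings.append(f"stale delegation: {d.validator} -> {d.grantee}")
    for operator, nodes in sorted(effective_control(operators, delegations).items()):
        if len(nodes) >= threshold:
            findings.append(f"quorum held by one operator: {operator} signs for "
                            f"{len(nodes)} of {len(operators)} (threshold {threshold})")
    return findings

# Constructed sample: nine validators as in the article; the operator names and
# the 4/1/1/1/1/1 ownership split are illustrative assumptions.
OPERATORS = {f"node-{i}": "operator-main" for i in range(1, 5)}
OPERATORS.update({"node-5": "community-dao", "node-6": "partner-a",
                  "node-7": "partner-b", "node-8": "partner-c", "node-9": "partner-d"})
# Constructed grant: meant to end in December 2021, never revoked.
GRANT = Delegation("node-5", "operator-main", date(2021, 12, 31), revoked=False)
AUDIT_DATE = date(2022, 3, 23)  # date of the attack given in the article

if __name__ == "__main__":
    for threshold in (5, 8):  # quorum before and after the change
        print(threshold, audit(OPERATORS, [GRANT], threshold, AUDIT_DATE))
```

With the threshold at eight the single-operator finding disappears, but the stale delegation is still reported until the grant is revoked.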
Together with Chainalysis, Sky Mavis representatives are tracking the stolen funds to try to roll back transactions in the future.
“The strength of the entire system is determined by the strength of its weakest link; although this is hackneyed, it is still true,” says Anastasia Melnikova, director of information security at SEQ. “Ronin tried to ‘cut corners’ and, as it turned out, this was done by reducing the blockchain’s level of security against attacks. The result is the largest theft of funds from the decentralized financial system to date. And it’s not yet a fact that the losses will be rolled back and compensated.”