“Community Alert: Ronin Validators Compromised”, Ronin Network, 2022-03-29:

There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in 2 transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5,000 ETH from the bridge.

Details About The Attack: Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, 5 out of the 9 validator signatures are needed. The attacker managed to get control over Sky Mavis’s 4 Ronin validators and a third-party validator run by Axie DAO.

The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.

This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO whitelisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the whitelist access was not revoked.

Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.

…Q. Why was the validator threshold only 5?

Originally, Sky Mavis chose the 5⁄9 threshold as some nodes didn’t catch up with the chain, or were stuck in syncing state. Moving forward, the threshold will be 8⁄9. We will be expanding the validator set over time, on an expedited timeline.
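The attack description and the threshold question above both come down to one count: how many of the 9 validator keys a single compromised operator can sign with, once stale signing delegations are included. The following is an added model (not code from Ronin or Sky Mavis) that checks that count for the 5-of-9 setup, with the Axie DAO whitelist revoked, and with the threshold raised to 8; the validator names, the “Operator n” labels for the four other validators and the delegation structure are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ValidatorSet:
    operators: dict      # validator name -> operator that holds its key
    threshold: int       # signatures needed to approve a withdrawal
    # validator -> set of operators whitelisted to sign on its behalf
    # (models the whitelist Axie DAO granted Sky Mavis and never revoked)
    delegations: dict = field(default_factory=dict)

    def keys_controlled_by(self, compromised_operators):
        """Validator keys reachable from a set of compromised operators."""
        direct = {v for v, op in self.operators.items() if op in compromised_operators}
        via_delegation = {v for v, allowed in self.delegations.items()
                          if allowed & compromised_operators}
        return direct | via_delegation

    def withdrawal_approved(self, compromised_operators):
        return len(self.keys_controlled_by(compromised_operators)) >= self.threshold

    def revoke_delegation(self, validator):
        self.delegations.pop(validator, None)


def ronin_march_2022():
    # 4 Sky Mavis validators + 1 Axie DAO validator + 4 others = 9 (per the alert);
    # names are constructed for this example.
    operators = {f"skymavis-{i}": "Sky Mavis" for i in range(1, 5)}
    operators["axie-dao"] = "Axie DAO"
    for i in range(1, 5):
        operators[f"third-party-{i}"] = f"Operator {i}"
    return ValidatorSet(operators, threshold=5,
                        delegations={"axie-dao": {"Sky Mavis"}})


def attack_outcomes():
    """(as found, after revoking the whitelist, at 8-of-9 with whitelist left in place)."""
    bridge = ronin_march_2022()
    attacker = {"Sky Mavis"}          # one compromised operator
    as_found = bridge.withdrawal_approved(attacker)     # 4 keys + delegated Axie DAO signature
    bridge.revoke_delegation("axie-dao")
    after_revoke = bridge.withdrawal_approved(attacker)  # only 4 keys: below 5
    bridge.threshold = 8
    bridge.delegations = {"axie-dao": {"Sky Mavis"}}
    after_raise = bridge.withdrawal_approved(attacker)   # 5 keys even with stale whitelist: below 8
    return as_found, after_revoke, after_raise
```

The same check applied to any other single operator shows which whitelist entries or key-custody arrangements a bridge's threshold actually depends on.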

Q. Why are we being notified about the breach now? [6 days after the hacker withdrawals]

The Sky Mavis team discovered the security breach on March 29th, after a report that a user was unable to withdraw 5k ETH from the bridge.

[They do not explain the absence of logging or monitoring which could detect their bankruptcy before withdrawals began failing.]