tl;dr Summary: $625 million was drained from Axie Infinity’s Ronin network, the largest crypto heist in history. The attacker used compromised validator private keys to forge withdrawals. The keys appear to have been obtained through social engineering rather than a technical exploit.
Axie Infinity is arguably the most popular blockchain game in the world. It has been a leader and pioneer in the GameFi industry over the last four years. Sky Mavis, the Vietnamese company behind Axie Infinity, achieved a $3 billion valuation in October 2021. Unfortunately, Axie Infinity’s success has also made them the target of the largest cryptocurrency heist of all time.
On March 29, 2022, a user reported having issues withdrawing 5,000 ETH from the Ronin bridge. While investigating this issue, the team found that one week prior on March 23rd, the Ronin bridge had been exploited for 173,600 Ethereum and 25.5M USDC worth a total of $625 million.
How did this happen?
Sky Mavis released Axie Infinity on Ethereum in early 2018 as a fun way to educate the world about blockchain technology. The Pokémon-inspired pet-training game and virtual world quickly grew in popularity. Today it is considered the most popular blockchain game in the world, with an army of loyal fans around the globe. However, with increased demand came increased network congestion. At the time, the Ethereum network was only processing around 50,000 transactions per day, so transaction costs were fairly low. However, more users on Ethereum meant higher gas fees and slower transactions. Sky Mavis knew that it needed to quickly implement a scaling solution to sustain the increased demand. For this purpose, Sky Mavis developed the Ronin network.
Ronin is an Ethereum-linked side chain created specifically for Axie Infinity users. A side chain is a separate network of servers running in parallel to another blockchain, allowing the two chains to share assets like cryptocurrencies or NFTs. This lets Ronin use and transfer Ethereum-based tokens on its own network at a lower cost. To move assets from Ethereum to Ronin, Sky Mavis created the Ronin bridge. Bridges like Ronin’s typically work by locking up tokens in smart contracts on one chain and then re-issuing those tokens in “wrapped” form on the destination chain. However, side chains are responsible for their own security. Ronin’s security layer consists of nine validator nodes, or servers, which vote on the validity of all transactions on the network. In comparison, Ethereum has nearly 300,000 validator nodes. For a deposit or withdrawal event to be recognized on Ronin, signatures from five of the nine validators are needed.
In the March 23rd exploit, the attacker obtained the private keys for five of the validator nodes. A private key is a string of alphanumeric characters, similar to a password, which allows its holder to send and withdraw funds. The characters of the private key are the output of a mathematical function whose input is the user’s unique wallet ‘seed phrase.’
Because five validator signatures are the minimum required to validate a withdrawal, the attacker was able to approve the transfer of funds from the Ronin bridge to their own wallet address.
There is an ongoing investigation involving several third-party crypto security firms and law enforcement agencies. Though very few details are available on how the private keys for the five validator nodes were obtained, it is clear that the attack was an external security breach. The current evidence suggests that the attack relied on social engineering rather than an exploit of a technical flaw. We don’t have details on WHAT suggests that is the case, because the investigation is ongoing and law enforcement agencies are involved.
How is Sky Mavis addressing this security breach?
Since learning about the attack, the Sky Mavis team has taken several precautions. Since the root cause of the attack was the small number of validator signatures required to approve a transaction, Sky Mavis has increased the validator threshold from five out of nine to eight out of nine. In addition, on March 31st all nine of the validator nodes were replaced. The team also pledged to increase the number of validators from nine to twenty-one in the coming quarter. The Ronin bridge will remain closed until all security updates and audits have been completed. In the meantime, Chainalysis, a blockchain data analytics firm, is monitoring the wallet holding the stolen funds for any movements. Sky Mavis is also working with several government agencies in the hope of bringing the cybercriminals to justice.
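The following is an added illustration, not Sky Mavis’ or Ronin’s own code, of the m-of-n withdrawal check described above and of why raising the threshold from five to eight of nine changes the outcome. It models the bridge contract’s verification logic only: validator names, the HMAC-based stand-in for ECDSA signatures, the nonce-based replay check and the placeholder recipient are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    amount_wei: int
    nonce: int  # unique per event, so a once-released withdrawal cannot replay
    def digest(self) -> bytes:
        msg = f"{self.recipient}|{self.amount_wei}|{self.nonce}".encode()
        return hashlib.sha256(msg).digest()

class Validator:
    # HMAC-SHA256 under a random key stands in for a node's ECDSA signature (constructed).
    def __init__(self, name: str) -> None:
        self.name = name
        self._private_key = secrets.token_bytes(32)

    def sign(self, w: Withdrawal) -> bytes:
        return hmac.new(self._private_key, w.digest(), hashlib.sha256).digest()

    def verify(self, w: Withdrawal, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(w), sig)

class Bridge:
    # The contract's m-of-n rule: release funds only if >= threshold distinct, known validators signed.
    def __init__(self, validators, threshold: int) -> None:
        self.validators = {v.name: v for v in validators}
        self.threshold = threshold
        self.seen_nonces = set()
    def withdraw(self, w: Withdrawal, sigs: dict) -> bool:
        if w.nonce in self.seen_nonces:  # reject a replayed event
            return False
        # dict keys are unique, so one validator is never counted twice
        valid = {n for n, s in sigs.items()
                 if n in self.validators and self.validators[n].verify(w, s)}
        if len(valid) < self.threshold:
            return False
        self.seen_nonces.add(w.nonce)
        return True

def withdrawal_passes(threshold: int, signers: int, total: int = 9) -> bool:
    # Does an event signed by only `signers` of `total` validators clear the check?
    vals = [Validator(f"validator-{i}") for i in range(total)]
    bridge = Bridge(vals, threshold)
    w = Withdrawal("0xRECIPIENT_PLACEHOLDER", 173_600 * 10**18, nonce=1)
    sigs = {v.name: v.sign(w) for v in vals[:signers]}
    return bridge.withdraw(w, sigs)
```

With the original threshold, `withdrawal_passes(5, 5)` is true, so five keys are enough; with the new eight-of-nine threshold, `withdrawal_passes(8, 5)` is false and eight distinct validator keys are needed.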
On April 6th, Sky Mavis announced a $150 million funding round led by Binance with participation from several other blockchain companies. These funds, along with Sky Mavis’ balance sheet funds, will be used to reimburse all users who were impacted by the security breach. If the funds are not reimbursed in the next two years, the Axie DAO will vote on next steps for their treasury at that time.
This was a painful and expensive lesson for the Sky Mavis team. A security breach of this magnitude is sure to scare away some potential investors and new users. Some people even claim that this shows cross-chain technology sacrifices too much security. However, at this time the Ronin network has been secured, and the imminent security updates will ensure an attack like this never happens again. Axie Infinity is still being enjoyed by millions of fans around the world. The Sky Mavis team is determined to continue building out the Axie Infinity universe and bringing value to its loyal community for years to come.