Ronin announced the details of the theft: it actually happened on March 23, and the private keys of five validators were stolen

KingData · 2022-03-30

Key Points

  • The Ronin bridge has been exploited for 173,600 Ethereum and 25.5M USDC.
  • The Ronin bridge and Katana Dex have been halted.
  • We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed. All of the AXS, RON, and SLP on Ronin are safe right now.

There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.

Details About The Attack

Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO. 

The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.  

This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. 

Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. 

We have confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.
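To make the threshold arithmetic in this section concrete, here is an added Python model (not Sky Mavis's or Ronin's code) of a k-of-n validator bridge in which one operator may also obtain signatures from a validator it does not own, as with the gas-free RPC allowlist. It computes how many distinct operators must be compromised before the threshold is reachable, and flags allowlist entries that were granted with no expiry. The validator names, the four "partner" operators and the dates on the delegation are constructed assumptions based only on the figures in the post (9 validators, 4 Sky Mavis, 1 Axie DAO, 5-of-9 raised to 8-of-9).

```python
from dataclasses import dataclass, field
from datetime import date
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Delegation:
    """Permission for `delegate` to obtain signatures from a `validator` it does
    not own (modelled on the gas-free RPC allowlist). `expires=None` means the
    entry was granted open-ended, the failure mode the post describes."""
    validator: str
    delegate: str
    expires: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.expires is None or day <= self.expires


@dataclass
class Bridge:
    threshold: int
    owners: Dict[str, str]                      # validator -> operator holding its key
    delegations: List[Delegation] = field(default_factory=list)

    def effective_controllers(self, day: date) -> Dict[str, Set[str]]:
        """Every operator able to produce each validator's signature on `day`:
        the key holder plus any delegate whose allowlist entry is still active."""
        ctl = {v: {o} for v, o in self.owners.items()}
        for d in self.delegations:
            if d.active_on(day):
                ctl[d.validator].add(d.delegate)
        return ctl

    def open_ended_delegations(self) -> List[Delegation]:
        """Allowlist entries with no expiry: candidates for review or revocation."""
        return [d for d in self.delegations if d.expires is None]

    def min_operators_to_forge(self, day: date) -> Tuple[int, Tuple[str, ...]]:
        """Smallest set of distinct operators whose compromise yields enough
        signatures to meet the threshold (exhaustive search; n is small)."""
        ctl = self.effective_controllers(day)
        operators = sorted({o for ops in ctl.values() for o in ops})
        for k in range(1, len(operators) + 1):
            for subset in combinations(operators, k):
                chosen = set(subset)
                reachable = sum(1 for ops in ctl.values() if ops & chosen)
                if reachable >= self.threshold:
                    return k, subset
        raise ValueError("threshold exceeds number of validators")


# Constructed approximation of the setup in the post: 9 validators, 4 run by
# Sky Mavis, 1 by the Axie DAO, 4 by other operators (partner names invented).
OWNERS = {**{f"ronin-{i}": "sky_mavis" for i in range(1, 5)},
          "axie-dao": "axie_dao",
          **{f"partner-{i}": f"partner_{i}" for i in range(1, 5)}}

# The allowlist granted in November 2021 and never revoked: no expiry recorded.
STALE_ALLOWLIST = Delegation(validator="axie-dao", delegate="sky_mavis", expires=None)

INCIDENT_DAY = date(2022, 3, 23)   # date of the withdrawals given in the post


def ronin_as_described() -> Bridge:
    """5-of-9 threshold with the un-revoked allowlist entry still in place."""
    return Bridge(threshold=5, owners=OWNERS, delegations=[STALE_ALLOWLIST])


def ronin_with_expiry_and_higher_threshold() -> Bridge:
    """Same validator set with two changes: an expiry on the delegation (the
    arrangement ended in December 2021) and the 8-of-9 threshold from the post."""
    bounded = Delegation("axie-dao", "sky_mavis", expires=date(2021, 12, 31))
    return Bridge(threshold=8, owners=OWNERS, delegations=[bounded])


if __name__ == "__main__":
    b = ronin_as_described()
    print("open-ended delegations:",
          [(d.validator, d.delegate) for d in b.open_ended_delegations()])
    print("operators to compromise (as described):",
          b.min_operators_to_forge(INCIDENT_DAY))
    print("operators to compromise (expiry + 8-of-9):",
          ronin_with_expiry_and_higher_threshold().min_operators_to_forge(INCIDENT_DAY))
```

With the stale allowlist in place the model reports that a single operator (the one holding four keys plus the delegated fifth signature) reaches the 5-of-9 threshold; bounding the delegation alone raises that to two operators, and combining it with the 8-of-9 threshold raises it to five. The useful design check is the first number: a threshold should be judged by how many independent operators it spans, not by how many keys it counts.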

Actions Taken

  1. We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short term damage, we have increased the validator threshold from five to eight.
  2. We are in touch with security teams at major exchanges and will be reaching out to all in the coming days. 
  3. We are in the process of migrating our nodes, which is completely separated from our old infrastructure.
  4. We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained. 
  5. We have temporarily disabled Katana DEX due to the inability to arbitrage and deposit more funds to Ronin Network.
  6. We are working with Chainalysis to monitor the stolen funds. 

Next Steps

We are working directly with various government agencies to ensure the criminals get brought to justice. 

We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users' funds are lost. 

Sky Mavis is here for the long term and will continue to build. 

Q&A for Media and Community

  • Why was the validator threshold only five?
    Originally, Sky Mavis chose the five out of nine threshold as some nodes didn’t catch up with the chain, or were stuck in syncing state. Moving forward, the threshold will be eight out of nine. We will be expanding the validator set over time, on an expedited timeline.
  • Where are the funds now?
    Most of the hacked funds are still in the hacker’s wallet:
  • How did this happen?
    We are in the process of conducting a thorough investigation. 

Five validator private keys were hacked: 4 Sky Mavis validators and 1 Axie DAO.

The validator key scheme is set up to be decentralized so that it limits an attack vector such as this, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.  

This traces back to November 2021 when the Axie DAO validator was allowlisted to distribute free transactions. This was discontinued in December 2021, but the Axie DAO validator IP was still on the allowlist. 

Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. 

We have confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.

  • Is Ronin safe for me to use?
    As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats. We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks. 
  • Why are we being notified about the breach now?
    The Sky Mavis team discovered the security breach on March 29th, after a report that a user was unable to withdraw 5k ETH from the bridge.
  • Are funds on Ronin at risk?
    ETH and USDC deposits on Ronin have been drained from the bridge contract. We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now.

All of the AXS, RON, and SLP on Ronin are safe right now.

  • What does this mean for users who have funds on Ronin Network?
    As of right now users are unable to withdraw or deposit funds to Ronin Network. Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed.
© The copyright of this article belongs to KingData, and can't be reproduced and used without KingData's permission.