2022 was a record-setting year for crypto hacks. Estimates range from three to four BILLION dollars in stolen funds. In the Crypto Casefiles series, we’ll cover some of the biggest and most memorable hacks from years past. Our first installment covers the eye-watering $624 million attack suffered by Ronin Bridge in March 2022, which nobody noticed for six days.
| Target | Date | Amount Stolen | Type of Attack |
| --- | --- | --- | --- |
| Ronin Bridge | 23/03/2022 | $624 million | Infrastructure Attack |
The Set Up
The story begins with Sky Mavis, the team behind the popular NFT game Axie Infinity. This development team created Ronin – an Ethereum-linked sidechain designed for Axie Infinity. The Ronin Bridge facilitated transfers between Ethereum assets and the Ronin Network. Ronin was designed to provide fast, cheap transaction throughput necessary for a rising play-to-earn game such as Axie Infinity.
With a network focused on maximizing transactions per second, the development team chose a Proof of Authority model in which a set of just nine validator nodes validates all transactions and blocks. The same nine validators approve transactions on the bridge, and a deposit or withdrawal requires signatures from a majority of five of them.
Sky Mavis operates four of the nine validators, so an attacker who compromised Sky Mavis would need just one more validator signature to effectively control the network.
The Exploit
On March 23rd, 2022, the attacker gained control of the four validators run by Sky Mavis and of a third-party validator run by Axie DAO, which signed their malicious transactions. The attacker gained access to the additional validator because of a temporary arrangement between Axie DAO and Sky Mavis in November 2021.
Axie DAO had temporarily allowed Sky Mavis to sign transactions on its behalf to help Sky Mavis cope with an overwhelming network traffic load. This required Axie DAO to allowlist Sky Mavis’s validators to sign on the DAO’s behalf. Sky Mavis runs a gas-free RPC node, and that node was used to obtain this fifth signature.
Although the arrangement ended the following month, the allowlist was never revoked, so the Axie DAO signature could still be combined with the four Sky Mavis validators to reach the approval threshold. Once the attacker gained access to Sky Mavis systems, they obtained the Axie DAO validator’s signature through the gas-free RPC.
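The failure described above is a counting problem: a signing delegation that nobody revoked let one operator reach the five-of-nine threshold on its own. The model below is an added illustration, not Ronin's or Sky Mavis's code; the validator names, operator labels, HMAC keys standing in for validator private keys, the withdrawal payload and the delegation expiry date are all constructed. It shows a withdrawal being approved when the delegate's node ignores expiry, the same withdrawal being rejected when expiry is enforced, and a defender-side check that reports how many signatures any single operator can produce.

```python
"""Threshold-signed bridge withdrawals with a delegated signing allowlist.

Added example (not Ronin code). Validator set, keys, payload and the
delegation record are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac

THRESHOLD = 5  # majority of a nine-validator set


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # organisation that controls the signing key
    key: bytes     # constructed HMAC key standing in for a private key


@dataclass(frozen=True)
class Delegation:
    validator: str  # validator whose node will sign on request
    delegate: str   # operator allowed to request that signature
    expires: date


# Constructed set: four validators run by one operator, one by a DAO, four others.
VALIDATORS = [
    Validator("sm-1", "sky_mavis", b"k1"), Validator("sm-2", "sky_mavis", b"k2"),
    Validator("sm-3", "sky_mavis", b"k3"), Validator("sm-4", "sky_mavis", b"k4"),
    Validator("dao-1", "axie_dao", b"k5"),
    Validator("v6", "op6", b"k6"), Validator("v7", "op7", b"k7"),
    Validator("v8", "op8", b"k8"), Validator("v9", "op9", b"k9"),
]
BY_NAME = {v.name: v for v in VALIDATORS}


def sign(validator: Validator, withdrawal: bytes) -> bytes:
    """Stand-in for an ECDSA signature: HMAC-SHA256 over the payload."""
    return hmac.new(validator.key, withdrawal, hashlib.sha256).digest()


def verify(validator: Validator, withdrawal: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(validator, withdrawal), sig)


def delegation_active(d: Delegation, today: date, enforce_expiry: bool) -> bool:
    """A node that never checks expiry honours every entry on its allowlist."""
    return (not enforce_expiry) or today <= d.expires


def signatures_for(operator: str, withdrawal: bytes, delegations, today: date,
                   enforce_expiry: bool) -> dict:
    """Every signature one operator can obtain: its own keys plus any
    validator whose node still honours a delegation to that operator."""
    sigs = {v.name: sign(v, withdrawal) for v in VALIDATORS if v.operator == operator}
    for d in delegations:
        if d.delegate == operator and delegation_active(d, today, enforce_expiry):
            sigs[d.validator] = sign(BY_NAME[d.validator], withdrawal)
    return sigs


def approve(withdrawal: bytes, sigs: dict) -> bool:
    """Bridge-side check: count distinct validators with a valid signature."""
    valid = {n for n, s in sigs.items()
             if n in BY_NAME and verify(BY_NAME[n], withdrawal, s)}
    return len(valid) >= THRESHOLD


def effective_control(delegations, today: date, enforce_expiry: bool) -> dict:
    """Defender check: signatures each operator can produce, delegations included.
    Any value >= THRESHOLD means one operator alone can approve withdrawals."""
    counts = {}
    for v in VALIDATORS:
        counts[v.operator] = counts.get(v.operator, 0) + 1
    for d in delegations:
        if delegation_active(d, today, enforce_expiry):
            counts[d.delegate] = counts.get(d.delegate, 0) + 1
    return counts


# Constructed delegation: granted in November 2021, meant to lapse in December.
DELEGATIONS = [Delegation("dao-1", "sky_mavis", expires=date(2021, 12, 31))]
PAYLOAD = b"withdrawal#1:173000 ETH"  # constructed withdrawal payload


def demo(enforce_expiry: bool, today: date = date(2022, 3, 23)) -> bool:
    sigs = signatures_for("sky_mavis", PAYLOAD, DELEGATIONS, today, enforce_expiry)
    return approve(PAYLOAD, sigs)


if __name__ == "__main__":
    print("stale delegation honoured :", demo(False))   # approved with 5 signatures
    print("expiry enforced           :", demo(True))    # rejected with only 4
    print(effective_control(DELEGATIONS, date(2022, 3, 23), False))
```

The `effective_control` report is the check worth running routinely: it is cheap, it needs no access to validator keys, and it flags the exact condition (one operator able to reach the threshold) that existed for four months before the withdrawals went through.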
The hacker then authorized two withdrawals from the Ronin Bridge contract: the first drained 173,000 ETH and the second 25.5 million USDC.
The Sky Mavis team became aware of the hack six days later, on March 29th, when a user reported being unable to withdraw 5,000 ETH via the Ronin Bridge.
The Getaway
According to blockchain data, the perpetrator swapped the USDC for ETH via other addresses before returning the funds to their original wallet. The attacker transferred a comparatively small portion of ETH (6,250 ETH) to FTX and Crypto.com to test whether they could cash out to fiat.
The rest of the funds remained in the attacker’s address until they were progressively sent elsewhere over the next month.
In a strange turn of events, the U.S. Department of the Treasury and the Federal Bureau of Investigation attributed the Ronin Bridge attack to the North Korea-based ‘Lazarus Group’. According to Bloomberg, the agency noted that these crimes provide valuable cash for the North Korean leadership.
In 2014, the Lazarus Group made headlines when it was accused of hacking Sony Pictures Entertainment. The intrusion was retaliation for the release of “The Interview,” a satirical film mocking North Korean leader Kim Jong Un. Since then, the FBI reports, the group has continued to carry out attacks to fund the regime.
What can we learn from this?
Sky Mavis learned an expensive lesson about centralization. It also failed to revoke delegated permissions, leaving them open to abuse at any time. Finally, the team had no monitoring capable of detecting the theft from its own systems, giving the attacker almost a week’s head start.
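The six-day gap is the monitoring lesson. Two withdrawals that together emptied the bridge are about as loud a signal as a contract can emit, and a small rule set over the bridge's own withdrawal events would have fired on both within the same block. The monitor below is an added example, not Sky Mavis's tooling; the locked balances, per-token caps, transaction hashes and event stream are constructed. It applies three rules to each withdrawal: an absolute per-transaction cap, a single transaction taking more than a set fraction of what the bridge holds, and rolling-window outflow exceeding a fraction of the balance at the start of the window.

```python
"""Withdrawal monitoring for a bridge contract.

Added example (not Sky Mavis code). Balances, caps, hashes and the event
stream are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    tx: str          # placeholder transaction hash
    token: str
    amount: float
    at: datetime


@dataclass(frozen=True)
class Alert:
    tx: str
    rule: str
    detail: str


class BridgeMonitor:
    """Stateful monitor: tracks locked balances and recent outflow per token."""

    def __init__(self, balances: dict, single_tx_cap: dict,
                 single_tx_fraction: float = 0.05,
                 window: timedelta = timedelta(hours=1),
                 window_fraction: float = 0.10):
        self.balances = dict(balances)          # token -> amount locked in the bridge
        self.cap = dict(single_tx_cap)           # token -> absolute per-tx cap
        self.single_fraction = single_tx_fraction
        self.window = window
        self.window_fraction = window_fraction
        self.recent = {t: deque() for t in balances}  # token -> (time, amount)

    def observe(self, w: Withdrawal) -> list:
        alerts = []
        before = self.balances[w.token]

        # Rule 1: absolute cap per transaction.
        cap = self.cap.get(w.token, float("inf"))
        if w.amount > cap:
            alerts.append(Alert(w.tx, "single_tx_cap",
                                f"{w.amount:g} {w.token} exceeds cap {cap:g}"))

        # Rule 2: one transaction removing a large share of locked funds.
        if before > 0 and w.amount / before > self.single_fraction:
            alerts.append(Alert(w.tx, "single_tx_fraction",
                                f"{w.amount / before:.1%} of locked {w.token} in one tx"))

        # Rule 3: rolling-window outflow versus balance at window start.
        q = self.recent[w.token]
        q.append((w.at, w.amount))
        while q and w.at - q[0][0] > self.window:
            q.popleft()
        outflow = sum(a for _, a in q)
        start_balance = before + (outflow - w.amount)  # balance before the window's withdrawals
        if start_balance > 0 and outflow / start_balance > self.window_fraction:
            alerts.append(Alert(w.tx, "window_outflow",
                                f"{outflow / start_balance:.1%} of {w.token} left in {self.window}"))

        self.balances[w.token] = before - w.amount
        return alerts


# Constructed event stream: two routine withdrawals, then the two large ones.
EVENTS = [
    Withdrawal("0xTX1-PLACEHOLDER", "ETH", 12, datetime(2022, 3, 23, 10, 0)),
    Withdrawal("0xTX2-PLACEHOLDER", "ETH", 50, datetime(2022, 3, 23, 10, 30)),
    Withdrawal("0xTX3-PLACEHOLDER", "ETH", 173_000, datetime(2022, 3, 23, 11, 0)),
    Withdrawal("0xTX4-PLACEHOLDER", "USDC", 25_500_000, datetime(2022, 3, 23, 11, 5)),
]


def run_demo() -> dict:
    """Feed the constructed events through the monitor; return alerts keyed by tx."""
    mon = BridgeMonitor(balances={"ETH": 180_000, "USDC": 26_000_000},
                        single_tx_cap={"ETH": 1_000, "USDC": 1_000_000})
    return {w.tx: mon.observe(w) for w in EVENTS}


if __name__ == "__main__":
    for tx, alerts in run_demo().items():
        print(tx, "no alerts" if not alerts else "")
        for a in alerts:
            print("   ", a.rule, "-", a.detail)
```

The thresholds are deliberately coarse; the point is that the rules need only the contract's own event log and a running balance, so a page at 11:00 on March 23rd would have required nothing more than someone subscribed to the alert channel.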
Since the hack, Sky Mavis has paid back $450 million out of its own pocket to users who lost their money. The new Ronin Bridge has new security measures and has been thoroughly audited three times, with the platform reopening in June 2022.