Ronin announces details of the theft incident: it actually occurred on March 23, five validator private keys were stolen

Ronin Blog
2022-03-30 00:09:53
The loss amounted to roughly $620 million, making it the largest theft in DeFi history to date.

Source: Ronin Blog

Compiled by: Hu Tao, Chain Catcher

Key Points

  • 173,600 ETH and 25.5 million USDC were stolen from the Ronin Bridge.

  • The Ronin Bridge and Katana Dex have been suspended.

  • We are working with law enforcement, cryptographers, and investors to ensure all funds are recovered or reimbursed. All AXS, RON, and SLP on Ronin are currently safe.

Earlier today, we discovered that on March 23 the Ronin validator nodes operated by Sky Mavis and the Axie DAO validator node were compromised, and that 173,600 ETH and 25.5 million USDC were drained from the Ronin Bridge in two transactions. The attacker used the stolen private keys to forge withdrawals. We discovered the attack only after users reported this morning that they were unable to withdraw 5,000 ETH from the cross-chain bridge.

Details of the Attack

Sky Mavis's Ronin chain currently consists of 9 validator nodes. To recognize a deposit or withdrawal event, signatures from five of the nine validators are required. The attacker managed to control four Ronin validators run by Sky Mavis and one third-party validator operated by Axie DAO.

The validator key scheme was set up to be decentralized precisely to limit attacks of this kind, but the attacker found a backdoor through our gasless RPC node and exploited it to obtain the signature of the Axie DAO validator.

This dates back to November 2021 when Sky Mavis requested Axie DAO's help in distributing free transactions due to high user load. Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This was stopped in December 2021, but access to the whitelist was not revoked.

Once the attacker gained access to the Sky Mavis system, they were able to obtain signatures from the Axie DAO validator using the gasless RPC.

We have confirmed that the signatures on the malicious withdrawals match those of the five suspect validators.
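The two mechanisms described above, the 5-of-9 validator threshold and the gasless relay whitelist that was never revoked, can be modelled in a few dozen lines. The following is an added example, not Sky Mavis or Ronin code: the HMAC-based "signature" scheme is a stand-in for the validators' ECDSA keys (the threshold logic does not depend on which scheme is used), and the validator names, secrets, withdrawal message and expiry values are all constructed for illustration. The `GaslessRelay` class also goes beyond the incident by giving each delegation grant an expiry, which is the control whose absence let a December 2021 whitelist entry still mint a signature in March 2022.

```python
"""Simplified model of an m-of-n bridge validator set and of a gasless relay
whose delegation grants expire. Added example, not Sky Mavis / Ronin code.
Names, secrets, message and timestamps below are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field


def sign(secret: bytes, message: bytes) -> bytes:
    # Stand-in for ECDSA: a keyed hash. Only the counting logic matters here.
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify(secret: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(secret, message), sig)


@dataclass
class ValidatorSet:
    keys: dict       # validator name -> verification secret (stand-in for pubkey)
    threshold: int   # m in m-of-n

    def verify_withdrawal(self, withdrawal: bytes, sigs: dict) -> bool:
        """Valid only if at least `threshold` distinct, whitelisted validators
        produced a correct signature over this exact withdrawal."""
        signers = set()
        for name, sig in sigs.items():
            secret = self.keys.get(name)          # unknown names never count
            if secret is not None and verify(secret, withdrawal, sig):
                signers.add(name)                 # a set, so duplicates don't count
        return len(signers) >= self.threshold


@dataclass
class GaslessRelay:
    """Models the whitelist that let a caller obtain the Axie DAO validator's
    signature. Unlike the real grant, each entry here carries an expiry."""
    validator_secret: bytes
    grants: dict = field(default_factory=dict)   # caller -> expires_at

    def grant(self, caller: str, expires_at: int) -> None:
        self.grants[caller] = expires_at

    def sign_for(self, caller: str, message: bytes, now: int) -> bytes:
        expiry = self.grants.get(caller)
        if expiry is None or now > expiry:
            raise PermissionError(f"{caller} may not request signatures")
        return sign(self.validator_secret, message)


def forged_withdrawal_scenario(threshold: int, grant_expired: bool) -> bool:
    """Replay the incident: four stolen Sky Mavis keys plus one signature
    requested through the relay. Returns whether the forgery passes."""
    names = [f"skymavis-{i}" for i in range(1, 9)] + ["axiedao-1"]  # 9 validators
    keys = {n: hashlib.sha256(n.encode()).digest() for n in names}   # constructed
    bridge = ValidatorSet(keys, threshold)
    withdrawal = b"withdraw 173600 ETH + 25.5M USDC to attacker"

    # Four Sky Mavis validator keys are in the attacker's hands.
    sigs = {n: sign(keys[n], withdrawal) for n in names[:4]}

    # The fifth signature comes from the Axie DAO validator via the relay,
    # whose grant (made in Nov 2021) should have lapsed in Dec 2021.
    relay = GaslessRelay(keys["axiedao-1"])
    relay.grant("skymavis-relay", expires_at=100)
    now = 200 if grant_expired else 50
    try:
        sigs["axiedao-1"] = relay.sign_for("skymavis-relay", withdrawal, now)
    except PermissionError:
        pass                                      # attacker is stuck at 4 of 9
    return bridge.verify_withdrawal(withdrawal, sigs)


if __name__ == "__main__":
    print("5-of-9, grant still live:", forged_withdrawal_scenario(5, False))  # True
    print("5-of-9, grant expired:   ", forged_withdrawal_scenario(5, True))   # False
    print("8-of-9, grant still live:", forged_withdrawal_scenario(8, False))  # False
```

Run as a script it prints the three outcomes: with the original 5-of-9 threshold and the stale grant the forged withdrawal is accepted; with either the grant expired or the threshold raised to 8, the same four stolen keys are not enough. The `set` in `verify_withdrawal` is the detail worth copying: a threshold check that counts signatures rather than distinct signers can be satisfied by one compromised key submitted several times.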

Actions Taken

  1. As soon as the incident came to light, we acted to prevent further attacks. To limit further short-term damage, we raised the validator threshold from 5 to 8.

  2. We are in contact with the security teams of major exchanges and will reach out to everyone in the coming days.

  3. We are migrating our nodes, completely separating them from our old infrastructure.

  4. We have temporarily suspended the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge with Ronin as a precaution. The bridge will reopen once we confirm that no funds are at risk.

  5. We have temporarily disabled Katana DEX, because with the bridge paused it is no longer possible to arbitrage or deposit more funds into the Ronin Network.

  6. We are working with Chainalysis to monitor the stolen funds.

Next Steps

We are working directly with various government agencies to ensure that the criminals are brought to justice.

We are discussing with stakeholders of Axie Infinity / Sky Mavis how best to proceed and ensure that no user funds are lost.

Sky Mavis is here for the long term and will continue to build.

Community Q&A

Why is the validator threshold only 5?

Initially, Sky Mavis chose 5 out of 9 as the threshold because some nodes were not catching up to the chain or were stuck in a syncing state. Looking ahead, the threshold will be eight out of nine. Over time, we will expand the validator set on an accelerated timeline.

Where is the money now?

Most of the stolen funds remain in the hacker's wallet: https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96

How did this happen?

We are conducting a thorough investigation.

Five validator private keys were stolen: 4 from Sky Mavis and 1 from Axie DAO.

The validator key scheme is set to be decentralized to limit such attack vectors, but the attacker discovered a backdoor through our gasless RPC node and exploited it to obtain signatures from the Axie DAO validator.

This dates back to November 2021 when Axie DAO validators were whitelisted for distributing free transactions. This was stopped in December 2021, but the Axie DAO validator IP remained on the whitelist.

Once the attacker gained access to the Sky Mavis system, they were able to obtain signatures from the Axie DAO validator using the gasless RPC.

We have confirmed that the signatures on the malicious withdrawals match those of the five suspect validators.

Is it safe for me to use Ronin?

As we have seen, Ronin is not immune to attacks, and this incident reinforces the importance of prioritizing security, staying vigilant, and mitigating all threats. We understand the need to earn trust and are utilizing all resources at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.

Why are we only being notified about the breach now?

The Sky Mavis team discovered the security breach on March 29, following reports that users were unable to withdraw 5,000 ETH from the cross-chain bridge.

Is the money on Ronin at risk?

The ETH and USDC deposits backing Ronin have been drained from the bridge contract in their entirety. We are working with law enforcement, cryptographers, and our investors to ensure that user funds are not lost. This is our top priority right now.

All AXS, RON, and SLP on Ronin are currently safe.

What does this mean for users with funds on the Ronin Network?

As of now, users are unable to withdraw funds from or deposit funds into the Ronin Network. Sky Mavis is committed to ensuring the recovery or reimbursement of all drained funds.
