
Ronin sidechain developers reveal further details of $625 million hack
Developers of the Ronin sidechain, used in the Axie Infinity blockchain game, disclosed further details of the hack that resulted in the theft of crypto assets valued at more than $600 million. The team also outlined measures aimed at increasing the project’s security.
We have put together a postmortem regarding the Ronin exploit that occurred on March 23rd.
• Why it happened
• What we’re doing to make sure this never happens again
• Ronin bridge re-opening update https://t.co/FfwCtCG84E — Ronin (@Ronin_Network) April 27, 2022
On 23 March 2022, Ronin was hacked — the hacker drained 173,600 ETH and 25.5 million USDC from the project’s cross-chain bridge.
After a phishing attack on an employee of Sky Mavis (the company behind Axie Infinity), the attacker gained access to the company's infrastructure and to the Ethereum-sidechain validators it operated.
At that time Sky Mavis controlled four of the nine validators, which was not enough on its own to authorize withdrawals. However, an exploit tied to the gasless RPC node on Ronin allowed the hacker to obtain the Axie DAO validator's signature as well.
"This relates to the incident that occurred in November 2021, when Sky Mavis sought help from Axie DAO to distribute gasless operations due to high user demand. Axie DAO allowed Sky Mavis to sign transactions on its behalf. This practice was discontinued in December 2021, but access was not revoked," the developers explained.
The team stressed that the vulnerability was closed by adding two additional validators. Over the next three months, their number would be increased to 21, with a long-term goal of 100 nodes.
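The failure described above is a threshold-signature policy undermined by a delegation that was never revoked: four keys held by one operator were below the threshold, but a stale grant from a fifth validator pushed the operator's reach over it. The toy model below is an added illustration written for this article, not Ronin's or Sky Mavis's code. It assumes a 5-of-9 threshold (consistent with the article's statement that four signatures were insufficient and one more sufficed), and the validator names, the `BridgePolicy` class and its `grant`/`revoke` methods are constructed for the example.

```python
"""Toy M-of-N validator bridge with delegated signing authority.

Added illustration, not Ronin's code. The 5-of-9 threshold, validator names
and delegation API are assumptions modelled on the article's description.
"""
from dataclasses import dataclass, field


@dataclass
class BridgePolicy:
    threshold: int                    # signatures needed to release funds
    validators: frozenset             # identities whose signatures count
    # delegations[principal] = identities allowed to sign on principal's behalf
    delegations: dict = field(default_factory=dict)

    def grant(self, principal: str, delegate: str) -> None:
        """Let `delegate` produce signatures attributed to `principal`."""
        self.delegations.setdefault(principal, set()).add(delegate)

    def revoke(self, principal: str, delegate: str) -> None:
        """Remove a delegation; a no-op if it was never granted."""
        self.delegations.get(principal, set()).discard(delegate)

    def effective_signers(self, held_keys) -> set:
        """Validator identities a holder of `held_keys` can sign for,
        directly or through any still-active delegation."""
        held = set(held_keys)
        signers = held & self.validators
        for principal, delegates in self.delegations.items():
            if principal in self.validators and delegates & held:
                signers.add(principal)
        return signers

    def authorizes(self, held_keys) -> bool:
        """True if the holder can reach the withdrawal threshold."""
        return len(self.effective_signers(held_keys)) >= self.threshold


def stale_delegation_demo():
    """Returns (before_grant, with_stale_grant, after_revoke) for a holder
    of four validator keys under a 5-of-9 policy (constructed scenario)."""
    validators = frozenset(f"validator-{i}" for i in range(1, 10))
    policy = BridgePolicy(threshold=5, validators=validators)
    compromised = {"validator-1", "validator-2", "validator-3", "validator-4"}

    before_grant = policy.authorizes(compromised)          # 4 < 5
    # A fifth validator delegates signing to one of the operator's keys.
    policy.grant("validator-9", "validator-1")
    with_stale_grant = policy.authorizes(compromised)      # 4 + 1 delegated = 5
    # Revoking the delegation when the arrangement ends closes the gap.
    policy.revoke("validator-9", "validator-1")
    after_revoke = policy.authorizes(compromised)          # back to 4 < 5
    return before_grant, with_stale_grant, after_revoke


if __name__ == "__main__":
    print(stale_delegation_demo())
```

The point of the model is that `authorizes` must be evaluated against every active delegation, not just the keys a party holds directly; a periodic review that lists `policy.delegations` and revokes anything tied to a discontinued arrangement is the control that was missing.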
According to the developers, they were unable to detect the attack in time because Ronin had a weak system for monitoring large outflows from the cross-chain bridge address. To close this gap, the team enlisted CrowdStrike, Polaris Infosec and other security-focused firms.
The developers also stated that their aim is to implement a zero-trust architecture. Under that model, Sky Mavis assumes it is continually exposed to external and internal threats and therefore verifies and authorises every connection.
The team noted that they are working on launching the Ronin Bridge and expect to open the cross-chain bridge in mid- or late May.
In April 2022, Sky Mavis launched a bounty programme to search for vulnerabilities. The rewards for discovered bugs in the blockchain and smart contracts range from $1,000 to $1 million depending on severity.