Hack Track: Analysis of Ronin Network Exploit
Merkle Science
[Update 2022.04.18]
On April 14, 2022, the U.S. Department of Treasury’s Office tied the North Korea-based hacking group, Lazarus, to the Ronin Network exploit. The Office of Foreign Assets Control (OFAC) added an Ethereum wallet address (0x098B716B8Aaf21512996dC57EB0615e2383E2f96) associated with Lazarus to its sanctions list. The sanctioned wallet address contains funds stolen in the Ronin security breach. At the time of the publication, the wallet holds 138,433.136 ETH valuing close to $402 million. The Ronin Bridge was exploited for 173,600 ETH and 25.5 million USDC, worth around $568 million at the time of the transaction.
The North Korean state-sponsored Lazarus group, has been associated with several major cyberattacks over the years, including a 2014 hack on Sony Pictures and the 2017 WannaCry ransomware attacks. The OFAC first imposed sanctions on Lazarus and two of its sub-groups Bluenoroff and Andariel in September 2019. In the announcement, the U.S. Department of Treasury stated Lazarus and its sub-groups are controlled by North Korea’s primary intelligence agency, the Reconnaissance General Bureau (RGB).
In its official update, the Ronin Network confirmed that the FBI has linked Lazarus to its validator security breach. Additionally, the Ronin Network also stated that it is “still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk.” The bridge is expected to be deployed by end of April.
Around $568 million worth of crypto has been stolen from the Ronin Network, the blockchain underlying the popular crypto game Axie Infinity. The amount lost is calculated based on the ETH/USD price conversion rate on the date of the transaction — March 23, 2022. On March 29, 2022, Sky Mavis, the creator of both Ronin and Axie Infinity, reported that the Ronin bridge had been exploited for 173,600 Ethereum (ETH) and 25.5 million USDC
Axie Infinity is a blockchain-based game that lets users collect and breed digital creatures called “Axies.” In contrast to traditional pay-to-play games, Axie Infinity allows players to earn money by selling their Axie NFTs to other users. In Axie Infinity, players deposit ETH or USDC to Ronin and use that to purchase non-fungible tokens (NFTs) or in-game currency.
Built by Sky Mavis, Ronin Network is an Ethereum-linked sidechain made specifically for Axie Infinity. A sidechain is a separate blockchain that is linked to another blockchain, which is the main or parent blockchain, via a two-way peg. The two-way peg enables the interchangeability of assets at a predetermined rate between the parent blockchain and the sidechain. Sidechains usually have their own separate consensus mechanism that allows them to improve their privacy, security, or scalability. Sidechains can also act as bridges. Unlike a bridge that links two completely different blockchains, a sidechain bridge connects a parent blockchain to its child. In this case, Ethereum is the parent blockchain and Ronin is the child. Because the parent and child operate under different consensus rules, communication between them requires a bridge
Of late, the attacks on bridge platforms are on the rise. The Ronin exploit follows the Wormhole bridge attack, which took place in February 2022. In the Wormhole attack, the attacker had siphoned 120,000 Wrapped Ether (wETH) tokens worth over $320 million at the time. Prior to that, the Qubit Finance attack happened, wherein Qubit’s ETH-BSC bridge was exploited. The attacker took advantage of a logical error in Qubit’s smart contract to input malicious data to steal $80 million worth of cryptocurrency.
Bridges between chains are often more susceptible to exploits as they require more interactions and contract approvals than the other protocols. Additionally, bridges are more susceptible to attacks as they are run by unaudited computer codes. Moreover, the identities of validators/nodes, who run the transactions are also unknown. Kelvin Fichter, a developer at Plasma Group, explained that Ronin was heavily dependent on validator-based bridges which he termed a “Fundamental error”. Fichter also pointed out that the network’s “minimal monitoring and alerting” system provided the attacker a solid ground to launch their attack.
What happened?
Ronin Network posted a preliminary analysis of the attack. Although the breach happened on March 23, 2022, it was discovered only on March 29, 2022. The attack was discovered after a user was unable to withdraw 5,000 ETH from the bridge. “The fact that nobody notices for six days screams aloud that some structure should be in place to watch illicit transfers,” said Wilfred Daye, head of Securitize Capital, the asset-management arm of Securitize Inc.
According to Ronin’s analysis, the attack was conducted on the Ronin bridge’s pool of funds. Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 ETH and 25.5M USDC being drained from the Ronin bridge in two transactions. The attacker used hacked private keys in order to forge fake withdrawals through two specific transactions:
- Transaction 1: the attacker transferred 173,600 Wrapped Ethereum (WETH)
- Transaction 2: the attacker transferred 25,500,000 USDC
Validator nodes are a feature of proof-of-stake blockchains like Ronin, which are less energy-intensive than proof-of-work systems like Bitcoin. These validator nodes review new transactions to confirm that their inputs and outputs match and that the authorization signatures are valid.
Using a smaller number of nodes is faster and more efficient, but as the hack shows, it can create security risks if a majority of the nodes are compromised. Currently, the Ronin chain currently consists of 9 validator nodes. To recognize a Deposit event or a Withdrawal event, i.e. to move funds, only 5 out of 9 validator signatures are needed. The attacker managed to get control over five validator private keys — 4 Sky Mavis validators and 1 Axie DAO. Axie DAO is a third-party validator.
In this case, 4 out of 9 validators were controlled by Sky Mavis. This is indicative of weak security practice, according to Kevin Fletcher; no single entity should be running a significant number of nodes by itself. Moreover, the fact that the attacker somehow managed to compromise the 4 keys that were held by Sky Mavis also stands out.
Ronin’s analysis states that the attacker found a backdoor through their gas-free RPC node, which they abused to get the signature for the Axie DAO validator. In November 2021, to relieve an immense user load on its network and to speed up transaction time, Sky Mavis asked Axie Dao if it could authorize transactions on its own behalf. Axie Dao, in turn, allows listed Sky Mavis to sign various transactions on its behalf. Though the system was discontinued in December, the permissions that allowed it was never revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.
Next steps and remedial actions were taken by Sky Mavis
Sky Mavis says it will increase the validator threshold from 5 to 8 and it will reopen the Ronin bridge at a later date once it’s sure that no more funds can be drained. For now, Sky Mavis is in the process of migrating its nodes, separating them from the old infrastructure.
Sky Mavis has also temporarily paused the Ronin bridge to ensure no further attack vectors remain open. Additionally, Binance has also disabled their bridge to and from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained. Sky Mavis has also temporarily disabled Katana decentralized exchange (DEX) due to its inability to arbitrage and deposit more funds to Ronin Network. Ronin’s DEX Katana allows users to swap between various assets in the Axie Infinity ecosystem. Lastly, Sky Mavis has assured its users that it is working closely with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed
Merkle Science’s on-chain analysis
According to Merkle Science’s analysis, on March 29, 2022, the Ronin Bridge was exploited for 173,600 ETH and 25.5 million USDC, worth around $568 million at the time of the transaction. The stolen crypto was transferred to the attacker’s wallet address: 0x098B716B8Aaf21512996dC57EB0615e2383E2f96. On March 23, 2022, before the attack, the attacker's wallet had received 1.065 ETH from a popular global exchange (E1 in the diagram below).
Though most of the funds are still sitting in the attacker's wallet, some funds have been sent to prominent crypto exchanges. Thus far close to $21 million in ETH has already been moved out of the attacker’s wallet. Around 3749.92 ETH ($12.82 million) has been transferred to another popular global exchange (E2 in the diagram below). In addition, 0.99 ETH ($3,400) has been transferred to prominent exchange E3. Further, 1219.961 ETH ($4.17 million) has been sent to another famous exchange E4. The remaining $5 million worth of crypto has been transferred to unidentified wallets that most likely belong to the attacker.
Figure 1: Analysis of the movement of funds from the attacker’s address