Rob Behnke
March 30th, 2022
In March 2022, the Ronin Network was the victim of one of the largest DeFi hacks to date, according to Sky Mavis, makers of the blockchain NFT game Axie Infinity. The attackers stole approximately 173,600 ETH and 25.5 million USDC for a total value of approximately $624 million.
The Ronin Network attack was extremely stealthy. In fact, the hack wasn’t noticed until six days after it occurred when the project team was notified by a user that they couldn’t withdraw about 5k ETH from the project’s bridge. Further investigation discovered the largest hack in DeFi history to date.
The Ronin Network hack was made possible by compromised private keys. The Ronin Network uses a set of nine validator nodes to approve transactions on the bridge, and a deposit or withdrawal requires approval by a majority of five of these nodes. The attacker gained control of four validators controlled by Sky Mavis and a third-party Axie DAO validator that signed their malicious transactions.
In November 2021, Axie DAO temporarily allowed Sky Mavis to sign transactions on its behalf as part of an effort to help Sky Mavis cope with an overwhelming load of free transactions. While the program expired the following month, the allowlist was never revoked, meaning that Sky Mavis could still generate signatures for Axie DAO.
The attacker compromised Sky Mavis systems and then exploited this allowlist to generate a signature from the third-party validator controlled by Axie DAO. Sky Mavis runs a gas-free RPC node, which the attacker used to obtain this fifth signature.
With access to Sky Mavis systems, the attacker had the ability to generate valid signatures for five Ronin Network validators. With this access, they authorized two withdrawals, draining 173,600 ETH and 25.5 million USDC from the Ronin bridge contract.
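As an added illustration (not code from the original post or from Sky Mavis), the following Python models the 5-of-9 validator set described above and shows how an allowlist that is never revoked collapses it to a single operator: the bridge still sees five distinct validator signatures, while a per-operator view shows one compromise is enough. The validator names, the four other operators, the exact expiry day and the March date are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model of the validator set described in the post: nine
# validators, a 5-of-9 signing threshold, four operated by Sky Mavis and one
# by Axie DAO. Names and the remaining operators are placeholders.
THRESHOLD = 5
MARCH_2022 = date(2022, 3, 1)  # a date in the month of the hack (assumed)

@dataclass(frozen=True)
class Validator:
    name: str
    operator: str

@dataclass(frozen=True)
class Delegation:
    """Allowlist entry: `delegate` may sign on behalf of `grantor`'s validators."""
    grantor: str
    delegate: str
    expires: date

VALIDATORS = [Validator(f"skymavis-{i}", "Sky Mavis") for i in range(1, 5)] + [
    Validator("axiedao-1", "Axie DAO"),
] + [Validator(f"other-{i}", f"Operator {i}") for i in range(1, 5)]

# The November 2021 allowlist; the expiry day is an assumption (the post says
# only that the program expired the following month).
DELEGATIONS = [Delegation("Axie DAO", "Sky Mavis", date(2021, 12, 31))]

def effective_control(validators, delegations, as_of, honor_expiry=True):
    """Map each operator to the set of validators it can produce signatures for."""
    control = {}
    for v in validators:
        control.setdefault(v.operator, set()).add(v.name)
    for d in delegations:
        if honor_expiry and as_of > d.expires:
            continue  # an expired or revoked allowlist grants nothing
        for v in validators:
            if v.operator == d.grantor:
                control.setdefault(d.delegate, set()).add(v.name)
    return control

def single_point_of_failure(control, threshold=THRESHOLD):
    """Operators whose compromise alone yields a signing quorum."""
    return sorted(op for op, vs in control.items() if len(vs) >= threshold)

def bridge_accepts(signed_by, threshold=THRESHOLD):
    """The bridge's own check: it counts distinct validator keys, not operators."""
    return len(set(signed_by) & {v.name for v in VALIDATORS}) >= threshold
```

Running `single_point_of_failure` over `effective_control` with `honor_expiry=False` (the allowlist left in place) reports Sky Mavis alone; with the expiry honored, no single operator reaches the threshold.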
This hack was made possible by a few different errors in the Ronin Network, including:
Sky Mavis prioritized the performance of the Ronin Network over its security and ignored fundamental security best practices such as least privilege and the importance of monitoring. As a result, it suffered the largest hack in DeFi history.