DeFi's Largest Attack: What happened to Axie Infinity's Ronin Network
How did this occur?
Published on:
You know it's a big deal when Etherscan labels your address.
On March 29, 2022, Axie Infinity reported a loss of over $625 million USD caused by an attack on the Ronin network.
The attacker used hacked private keys to withdraw this eye-popping amount in two transactions, one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC)—one of the largest hacks in the history of decentralized finance (DeFi).
But how did this happen?
Our article explores the circumstances that paved the way for such an attack.
What is Axie Infinity?
Axie Infinity is a game where players collect creatures known as Axies. Each of the individual Axies is represented by a nonfungible token (NFT); as players collect the Axies, they can mint their NFTs and potentially earn an investment. The Axie NFTs can also be exchanged for fiat currency on the game’s marketplace.
Axie Infinity operates on a sidechain known as the Ronin network.
What is a sidechain?
A sidechain is a separate blockchain that runs parallel to its parent chain, also known as the main chain; it operates independently from the parent chain and has its own consensus algorithm.
It’s tied to the parent chain by a two-way bridge that allows assets to be exchanged between the chains.
The Ronin network uses an Ethereum-linked bridge to execute transactions for Axie Infinity. Users of Axie Infinity transfer assets they have on the Ethereum blockchain via the Ronin network in order to play the game.
How did the Ronin network attack occur?
The Ronin sidechain has nine validators and a system that requires five signatures, known as a multisig system, to verify deposits and withdrawals.
In order to recognize a deposit or a withdrawal, five of the nine validator signatures are needed.
The attacker managed to get control of four validators and a third-party remote procedure call (RPC) node run by the Axie DAO. Through this gas-free RPC node, the attacker exercised a backdoor to get the signature for the Axie DAO validator.
What is an RPC node?
RPC nodes allow developers to communicate with servers between two separate networks and execute code from remote locations. They are a central part of popular blockchains like Ethereum.
Why did Ronin’s multisig system fail?
The separation of signatures to multiple entities is a common pattern used to protect against these types of attacks.
Security in DeFi is a multi-layered assessment of risk, and it’s critical in a multisig system that the signatures are held by separate individuals or entities—preferentially ones with vested incentives not to collude together on the key.
Ronin used a different approach. Four of the nine validators were held by Sky Mavis, the blockchain gaming platform that created the Ronin network.
The attacker gained access to their centralized server where these multisig keys were stored. They only needed one more multisig to authorize a withdrawal transaction in the protocol.
What was the fatal flaw that ultimately caused the Ronin network attack?
The critical break was when the Axie DAO validator, one of the other five multisig holders, lent out their multisig to Sky Mavis in November 2021, so Sky Mavis could authorize some transactions quickly to reduce user and network load.
The Axie DAO validator received control of the multisig a month later, but the multisig was never removed from Sky Mavis systems.
The hacker found all of the 5 multisigs they needed to sign off on a transaction were present when they breached the Sky Mavis servers.
Final thoughts
This attack illuminates several flaws in centralized cross-chain bridge solutions.
A low number of validators with a near majority that belongs to one entity greatly increases the surface area of risk.
The attack did set off alarms and action from multiple organizations. Ronin temporarily paused the Ronin bridge and their decentralized exchange (DEX) Katana to prevent further attack vectors. Block explorers like Etherscan annotated the hacker's wallet, and Binance disabled their bridge to and from Ronin as a precaution.
Most of the hacked funds are still in the attacker's wallet.
This is a historic attack in the history of DeFi, and DeFi protocols ought to quickly adapt. It's critical to assess not just security flaws in the code, but the infrastructure and social components when evaluating DeFi security risk.
Future DeFi protocols should carefully consider these dimensions of risk when evaluating multisig or threshold signature schemes.
About TaxBit
Keeping up with all the paperwork and reporting regulations for digital asset transactions can be laborious and time-consuming. The more complex your crypto portfolio becomes, the more complicated your tax liabilities can get.
TaxBit helps track your crypto transactions and fills out your tax forms automatically.
We also recognize the need to support your DeFi activity, and each day we're actively working on expanding DeFi support to popular blockchains.
The initial version of our DeFi support allows you to sync in any transfers, trades, and approvals you’ve made on a DeFi platform involving ERC-20 tokens on the Ethereum network, or BEP-20 tokens on the Binance Smart Chain network.
With our Plus+ and Pro plans, you'll have access to full NFT and DeFi Centers where you can see your actual NFTs, DeFi positions, and a corresponding performance analysis.
Ready to try out the updates for yourself? Create an account or login to start.
