March 30th, 2022
In March 2022, the Ronin Network was the victim of one of the largest DeFi hacks to date, according to Sky Mavis, makers of the blockchain NFT game Axie Infinity. The attackers stole approximately 173,600 ETH and 25.5 million USDC for a total value of approximately $624 million.
The Ronin Network attack was extremely stealthy. In fact, the hack wasn’t noticed until six days after it occurred when the project team was notified by a user that they couldn’t withdraw about 5k ETH from the project’s bridge. Further investigation discovered the largest hack in DeFi history to date.
The Ronin Network hack was made possible by compromised private keys. The Ronin Network uses a set of nine validator nodes to approve transactions on the bridge, and a deposit or withdrawal requires approval by a majority of five of these nodes. The attacker gained control of four validators controlled by Sky Mavis and a third-party Axie DAO validator that signed their malicious transactions.
In November 2021, Axie DAO temporarily allowed Sky Mavis to sign transactions on its behalf as part of an effort to help Sky Mavis copy with an overwhelming load of free transactions. While the program expired the following month, the allowlist was never revoked, meaning that Sky Mavis could still generate signatures for Axie DAO.
The attacker compromised Sky Mavis systems and then exploited this allowlist to generate a signature from the third-party validator controlled by Axie DAO. Sky Mavis includes a gas-free RPC node that was used to get this fifth signature.
With access to Sky Mavis systems, the attacker had the ability to generate valid signatures for five Ronin Network validators. With this access, they authorized two withdrawals, draining 173,600 ETH and 25.5 million USDC from the Ronin bridge contract.
This hack was made possible by a few different errors in the Ronin Network, including:
Sky Mavis prioritized the performance of the Ronin Network over its security and ignored fundamental security best practices such as least privilege and the importance of monitoring. As a result, it suffered the largest hack in DeFi history.