Decentralized finance (DeFi) networks are increasingly becoming a target of prime interest to cyber criminals, due to a variety of unique vulnerabilities. This phenomenon has once again been illustrated by a breach of the Ronin network, with the perpetrators attacking a bridge between it and the popular NFT game “Axie Infinity.”
All told, the heist netted the equivalent of $625 million in Ethereum and other coins, making it one of the largest DeFi thefts to date.
NFT game permissions abused to steal Ethereum
The breach was confirmed by Axie Infinity operator Sky Mavis on March 29. The company says that its investigation is ongoing, but there are signs that it was the result of social engineering rather than a vulnerability in code. It also said that it is certain it was an external attack without any insider involvement. The Ronin bridge and the associated Katana DEX decentralized exchange have been temporarily halted as the investigation takes place. Transactions have also been halted on the Ronin network during this time.
All told, the Ronin network was hit for 173,600 Ethereum and 25.5 million USD Coin (USDC), a coin that is pegged to the US dollar. Sky Mavis says that the majority of the funds are still in the hacker’s wallet and that efforts are underway to recover them. In cases like this, that usually means reaching out to the hacker and offering a “reward” of some millions of dollars for returning the stolen money, with the whole thing then spun as a “security demonstration” of some sort, though Sky Mavis has said that it is actively working with law enforcement agencies. The company has also engaged blockchain tracing firm Chainalysis.
Axie Infinity is an NFT game that was released in 2018 and exploded in popularity in recent months, becoming the first of these types of games to exceed $4 billion in sales. The game roughly resembles Pokemon, with users purchasing NFT-linked creatures (which generally start at around $25) to train and engage in battles with other players. Prior to the breach the game had been considered one of the biggest success stories in the crypto world.
The vulnerability that was exploited was essentially a tried-and-true classic that plagues workplaces everywhere: some outdated Sky Mavis accounts with dangerous permission levels were never deactivated and were left waiting to be taken over by enterprising hackers. In this case, it involved a set of administrative accounts created in November 2021 to temporarily handle workload as the NFT game saw its biggest surge of new users to date. The accounts were no longer in use as of December 2021, but were never deactivated.
Ronin network’s unique “validation node” system exploited in attack
Major blockchains like Bitcoin and Ethereum tend to be secured by a “proof of work” system, the standard since Bitcoin debuted in the late 2000s. The Ronin network uses an alternative called “proof of stake” that requires less energy, but depends on validator nodes to keep the system secure. The attacker was able to leverage the accounts stolen from the NFT game to take over five of the nine nodes, allowing them to use the nodes’ private keys to authorize fake transactions. Four of the validators were run by the Ronin network, with the fifth (creating the necessary majority) belonging to the operators of the NFT game.
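The two weaknesses above, stale credentials that were never revoked and a 5-of-9 validator threshold in which one organisation controlled four signers, can be modelled in a few lines. The following is an added example, not Ronin or Sky Mavis code: validator names, operators, and the HMAC stand-in for the nodes’ real signature scheme are all constructed, and the “operator cap” policy is an assumed hardening, not something the bridge implemented.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

THRESHOLD = 5  # the 5-of-9 validator majority the article describes

@dataclass(frozen=True)
class Validator:
    name: str
    operator: str      # who runs the node (constructed labels)
    secret: bytes      # stand-in for the node's private key
    active: bool = True

def sign(v: Validator, withdrawal: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 under the validator's key (not ECDSA)."""
    return hmac.new(v.secret, withdrawal, hashlib.sha256).digest()

def approve(withdrawal: bytes, signatures: dict, validators: list,
            max_per_operator=None) -> bool:
    """Would the bridge release funds? Counts only valid signatures from
    active keys; optionally caps how many counted signers share an operator."""
    by_name = {v.name: v for v in validators}
    counted = []
    for name, sig in signatures.items():
        v = by_name.get(name)
        if v is None or not v.active:
            continue  # unknown or deactivated key: ignored
        if hmac.compare_digest(sig, sign(v, withdrawal)):
            counted.append(v)
    if max_per_operator is not None:
        per_op = {}
        for v in counted:
            per_op[v.operator] = per_op.get(v.operator, 0) + 1
        if any(n > max_per_operator for n in per_op.values()):
            return False  # too much signing power in one organisation
    return len(counted) >= THRESHOLD

def revoke(validators: list, names: set) -> list:
    # Deactivate keys, as deactivating the stale accounts would have done.
    return [replace(v, active=False) if v.name in names else v for v in validators]

# Constructed set: four nodes run by Sky Mavis, one by the game's other
# operator, four independent. All names and operator labels are assumptions.
VALIDATORS = ([Validator(f"sm{i}", "skymavis", f"sm-key-{i}".encode()) for i in range(4)]
              + [Validator("game1", "game", b"game-key-1")]
              + [Validator(f"ext{i}", f"ext{i}", f"ext-key-{i}".encode()) for i in range(4)])
WITHDRAWAL = b"withdraw 173600 ETH to 0xATTACKER"  # constructed message
STOLEN = {"sm0", "sm1", "sm2", "sm3", "game1"}  # the five keys taken over

def attacker_signatures(validators: list) -> dict:
    return {v.name: sign(v, WITHDRAWAL) for v in validators if v.name in STOLEN}
```

With the plain threshold the five stolen keys are enough; capping any one operator at three counted signers, or revoking the keys tied to the dormant accounts, makes the same withdrawal fail.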
Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, expands on the difference between some of the “proven” names in crypto and the more experimental DeFi newcomers: “It’s critically important that cryptocurrency investors recognize that while the most popular of the coins based on blockchain technology like Bitcoin and Ethereum have so far proven resilient to direct attacks, any entities that are built on top of those technologies or third parties like exchanges often do not have near the security that backs the blockchains themselves and are increasingly popular targets of attacks by cybercriminals. There are a lot of perverse incentives at play in these situations as well. First, you have developers who are racing to enable more convenient ways to manage or trade cryptocurrencies, and this speed can lead to mistakes or oversights that expose their customers to loss from cyberattacks. Next, the large amounts of money involved are just astronomical. These platforms and services often house or process multiple millions of dollars in coin value. This is an incredibly powerful incentive for the smartest hackers on earth to target them looking for any potential oversight or vulnerability that could net them unimaginable wealth if successfully exploited. Finally, this is a market that has been marred by fraudulent activities from almost every conceivable source, so it’s not out of the question that the developers or platform operators who find themselves with the keys to controlling vast amounts of money could themselves be perpetrators of the attacks.”
Part of the appeal of decentralized finance to consumers is the complete lack of government regulation and involvement, but that also makes it difficult to verify details of attacks like these. And those who lost their Ethereum have little hope of recovering it unless the Ronin network manages to broker a deal with the hackers to have it returned, or opts to cover its patrons’ losses.
The Axie NFT game will most likely roll on given the volume of player interest, but it is temporarily at something of a halt, as new players cannot register and existing players cannot exchange their virtual creatures. Money was not taken from the game itself, which may bolster the confidence of players who sometimes invest hundreds of thousands of dollars in the game. The average price of an entry-level “Axie” is rising to close to $100, and players have spent as much as $820,000 on an individual creature.
Another controversial aspect of the incident is that some crypto traders and security researchers appear to have noticed that the NFT game was breached long before the Ronin network did, and instead of disclosing this information opted to take a short position in trading to take advantage of it.