Understanding the Ronin Network Exploit

4 min read

Learn how the Ronin Network was exploited, resulting in a loss of approx. $624 million.

TL;DR#

On March 23, 2022, the Ronin Network was exploited as a result of a private key compromise, which resulted in a loss of 173,600 ETH and 25.5 million USDC, totaling approximately $624 million.

Introduction to Ronin Network#

Ronin is an EVM blockchain crafted for developers building games with player-owned economies.

Vulnerability Assessment#

The root cause of the vulnerability is due to the compromise of the private key, which was effectively exploited by the hackers to forge fake withdrawals in order to steal the funds out of the Ronin Bridge.

Attack Scenario#

Ronin was launched to offer the quick and affordable transaction throughput required for a P2E game to function. In order to maximize transactions per second, a Proof of Authority model was adopted, where nine validators staked their reputation rather than processing any power or funds.

Out of the nine validators, four were operated by Sky Mavis. A consensus of five validators is necessary to approve the deposit and withdrawal transactions. This meant that in order to gain control of the entire network, one more signature was required.

The post-mortem report points to the vulnerability that allowed the attacker to gain control of the fifth signature, but it doesn't provide details on how the Sky Mavis validators were compromised.

The attacker gained access to the fifth validator due to an earlier arrangement between Sky Mavis and the Axie DAO. A gas-free RPC node was set up to help customers save costs during a period of substantial network traffic when the price of the AXS token was at its peak.

Sky Mavis validators have to be approved by the Axie DAO to sign transactions on their behalf. Although the arrangement was supposed to last for around a month, the whitelist access was never revoked, allowing the attacker who had compromised Sky Mavis validators to use the additional signature of Axie Dao to approve transactions.

As viewed from two of the attack transactions, the exploiter first drained approximately 173,000 ETH and then 25.5 million USDC from the Ronin bridge contract. The stolen funds were transferred across multiple addresses on different chains in order to create a mesh-like topology to complicate the chase.

Aftermath#

Following the exploit, the team acknowledged the occurrence of the event and stated that they were in contact with law enforcement officials, forensic cryptographers, and their investors to make sure that all funds are recovered or reimbursed.

Later, the threshold to approve transactions was set to eight out of nine validators.

Proof of Concept#

We have created a proof of concept about the underlying hack using Foundry. The details surrounding the attack can also be viewed in this GitHub gist.

Solution#

While no security protocol is entirely foolproof, the application of rigorous and consistent security standards can significantly mitigate the risks associated with attacks on DeFi protocols. This entails proactively identifying and addressing potential attack vectors before malicious actors exploit them.

In the context of this specific Ronin Network exploit, there are several recommended measures. Using hardware wallets to store private keys offline is a strong line of defense, while multi-signature wallets with distributed signature validations can provide an added layer of protection. Cold storage, the practice of storing private keys on a machine not connected to the internet, is another recommended tactic to ward off phishing-style attacks.

Nevertheless, it's important to acknowledge that even with the most stringent security measures in place, vulnerabilities may still be exploited. This is where Neptune Mutual comes into the picture. In the event of such security incidents, having a dedicated cover pool set up with Neptune Mutual could have significantly reduced the aftermath of the attack on the Ronin Network. Neptune Mutual offers coverage to users who suffer losses of funds or digital assets due to smart contract vulnerabilities, thanks to their parametric policies.

Users who had purchased Neptune Mutual's parametric cover policies would not have needed to provide evidence of their loss in order to receive payouts. The payout could be claimed as soon as the incident was resolved through Neptune Mutual's incident resolution system, alleviating the financial strain resulting from the exploit. Currently, Neptune Mutual's marketplace operates on two popular blockchain networks, Ethereum and Arbitrum, making it widely accessible.

Furthermore, Neptune Mutual's security team could have provided an additional layer of protection by evaluating the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and a broad spectrum of other security considerations. This holistic approach to cybersecurity could have further reduced the likelihood and potential impact of such exploits.

Reference Source Ronin

By

Tags