Sky Mavis’ Ronin Blockchain Cyber Attack

The Ronin Networks blockchain system was created by Sky Mavis for the play-to-earn game Axie Infinity. A Sky Mavis employee downloaded a PDF file with spyware hidden inside, resulting in one of the biggest cryptocurrency thefts ever. The company lost 173,600 ETH and 25.5 million USDC (around $540 million at the time of the incident).

About Axie Infinity and Ronin Networks

Axie Infinity is an online video game in which players earn cryptocurrency with the help of fantastic creatures known as “axies” which can be “bred,” used in competitions, and sold to other players. To players, axies look like cuddly animals, but they are essentially non-fungible tokens (NFTs).

Released in 2018, Axie Infinity soon gained a wide audience. At its peak, players could earn so much that for some in South East Asia it became a full-time job. In its record-breaking November 2021, the game had a daily player count of 2.7 million, and weekly revenue that year hit $215 million (by the summer of 2022, however, it had dipped to a modest $1 million per week).

How did the attack happen?

The cybercriminals used the malware to gain access to the private keys of network validators, that is, the nodes that verify and confirm cryptocurrency transactions. There were nine such validators in Ronin Networks at the time of the attack, and a transfer needed the approval of at least five of them. Eventually, the attackers managed to compromise four validators at the company itself and a fifth in the decentralized autonomous organization Axie DAO, which should no longer have held approval rights at all, were it not for an oversight on the part of Sky Mavis itself.

In November 2021, due to the high volume of transactions and load on the validators, the company allowed Axie DAO to approve transfers. After a month, the load decreased, and Axie DAO’s assistance was no longer required — but the rights to approve transactions were not withdrawn, which played into cybercriminals’ hands. Having penetrated the Sky Mavis system, the hackers also gained access to Axie DAO, which provided the fifth validator needed to withdraw funds from others’ accounts to their own.

The Ronin network hack took place on March 23, but it wasn’t discovered for days. It was ultimately disclosed on March 29. The attacker stole 173,600 Wrapped Ethereum (WETH) and 25.5 million USDC stablecoins, which were collectively worth about $622 million at the time of disclosure, but $552 million when the attack took place.

Ultimately, the attackers drained the funds via the bridge that connects Ronin to the Ethereum mainnet, using the stolen private keys to control five of the network’s nine validators, sign fraudulent transactions and transfer the funds.
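The two paragraphs above describe a threshold scheme (5 of 9 validators must sign a withdrawal) that was defeated not by breaking the cryptography but by a temporary approval right that was never revoked. The following Python model, added here as an illustration and not code from Sky Mavis or the Ronin bridge, replays that logic from the defender's side: it counts only signatures from validators whose delegation is still current, and includes an audit helper that lists delegations past their expiry. Validator names, keys, the withdrawal record and the HMAC-based "signature" are all constructed stand-ins; the 5-of-9 threshold and the March 23 date come from the article.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

THRESHOLD = 5                         # 5-of-9 validator approval, as the article states
ATTACK_DATE = date(2022, 3, 23)       # date the fraudulent withdrawals were signed
DAO_DELEGATION_END = date(2021, 12, 31)  # constructed: when the temporary DAO right should have lapsed


@dataclass(frozen=True)
class Validator:
    name: str
    key: bytes                      # stand-in for the validator's private key (constructed)
    expires: Optional[date] = None  # None = permanent validator; a date = temporary delegation


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    amount_wei: int
    nonce: int

    def message(self) -> bytes:
        # Canonical encoding of the withdrawal that every validator signs.
        return json.dumps(asdict(self), sort_keys=True).encode()


def sign(validator: Validator, withdrawal: Withdrawal) -> bytes:
    # HMAC-SHA256 stands in for the validator's real signature scheme (constructed).
    return hmac.new(validator.key, withdrawal.message(), hashlib.sha256).digest()


def active_signers(validators: List[Validator], today: date) -> Dict[str, bytes]:
    """Keys allowed to approve withdrawals on `today`; expired delegations are excluded."""
    return {v.name: v.key for v in validators if v.expires is None or v.expires >= today}


def stale_delegations(validators: List[Validator], today: date) -> List[str]:
    """Audit helper: temporary delegations that are past their expiry but still configured."""
    return sorted(v.name for v in validators if v.expires is not None and v.expires < today)


def verify_withdrawal(validators: List[Validator], withdrawal: Withdrawal,
                      approvals: List[Tuple[str, bytes]], today: date) -> Tuple[bool, List[str]]:
    """Accept only if THRESHOLD distinct, currently authorised validators signed this exact message."""
    allowed = active_signers(validators, today)
    valid = set()
    for name, sig in approvals:
        key = allowed.get(name)
        if key is None:
            continue  # unknown validator, or a delegation that has expired
        expected = hmac.new(key, withdrawal.message(), hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            valid.add(name)
    return len(valid) >= THRESHOLD, sorted(valid)


def build_validators(dao_expiry: Optional[date]) -> List[Validator]:
    # Constructed 9-validator set: 4 run by Sky Mavis, 4 by other partners, and the
    # Axie DAO validator whose approval right was granted for a limited period.
    vals = [Validator(f"sky-mavis-{i}", f"sm-key-{i}".encode()) for i in range(1, 5)]
    vals += [Validator(f"partner-{i}", f"partner-key-{i}".encode()) for i in range(1, 5)]
    vals.append(Validator("axie-dao", b"dao-key", expires=dao_expiry))
    return vals


def simulate(dao_expiry: Optional[date]) -> Tuple[bool, List[str]]:
    """Replay the article's scenario: approvals from the four Sky Mavis validators plus Axie DAO."""
    validators = build_validators(dao_expiry)
    by_name = {v.name: v for v in validators}
    withdrawal = Withdrawal("0x-recipient-placeholder", 173_600 * 10**18, nonce=1)
    signers = [by_name[n] for n in ("sky-mavis-1", "sky-mavis-2",
                                    "sky-mavis-3", "sky-mavis-4", "axie-dao")]
    approvals = [(v.name, sign(v, withdrawal)) for v in signers]
    return verify_withdrawal(validators, withdrawal, approvals, ATTACK_DATE)


if __name__ == "__main__":
    # Case 1: the DAO right was never withdrawn (expires=None), so five signatures count.
    print("delegation never revoked:", simulate(None))
    # Case 2: the delegation carried an expiry, so the DAO signature is ignored and 4 < 5.
    print("delegation time-boxed:  ", simulate(DAO_DELEGATION_END))
    print("stale delegations found:", stale_delegations(build_validators(DAO_DELEGATION_END), ATTACK_DATE))
```

The point of the model is that the same five compromised keys pass the threshold in case 1 and fail it in case 2; nothing about the signatures changes, only whether the verifier still honours the DAO's lapsed right. The `stale_delegations` check is the kind of control that would have flagged the leftover approval right months before it was used.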

Users will be able to withdraw one Ether for each one they held in March once the bridge reopens, a spokeswoman for Sky Mavis said in a statement. The 56,000 Ether tokens missing from the treasury of the Axie Infinity-related DAO (decentralized autonomous organization) will remain uncollateralized.

Sky Mavis pledged in March to reimburse online participants who lost funds. The firm raised $150 million in a funding round led by crypto exchange Binance in April. At the time, the firm said it planned to use the money and Sky Mavis’s and Axie Infinity’s resources to reimburse Ronin bridge users.

Sky Mavis’s views on the cyber attack


“The new round, combined with Sky Mavis and Axie balance sheet funds, will ensure that all users are reimbursed. The Ronin Network bridge will open once it has undergone a security upgrade and several audits,” Sky Mavis said. Leading the funding round was Binance, which will also allow ETH withdrawals and deposits for Axie Infinity users.

“The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds.” “If the funds are not fully recovered within two years, the Axie DAO will vote on the next steps for the Treasury,” the company said. He further added, “We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction.”

The situation after the incident

Sky Mavis has called for the responsible disclosure of security vulnerabilities that may affect its operations and users. “While researching, we’d like to ask you to refrain from doing automated testing, denial of service, spamming, spoofing, and phishing. Performing further attacks once you have proof of Remote Control Execution (RCE) attacks may have your bounties forfeited,” the policy section of the bug bounty program read.

“Only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.” “Determination of whether a reported issue sufficiently meets the bar for monetary rewards is done at Sky Mavis’ discretion,” the blog added.

The attack on the Ronin Network was discovered by Sky Mavis on March 23, making it the largest amount ever stolen in a blockchain hack. The attacker had taken control of Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO (decentralized autonomous organisation). A legal investigation into the case is underway. Sky Mavis has, meanwhile, raised $150 million in a recent funding round led by crypto exchange Binance; the funds will be used to reimburse victims of the Ronin attack. Overall, cybercriminals stole over $1.3 billion from the blockchain sector last year, according to a report published in January by blockchain research firm CertiK.

© 2024 The Technology Express. All Rights Reserved.