Axie Infinity Ronin Bridge Unauthorized Treasury Access
Axie Infinity is a play-to-earn game with $4b in NFT sales. Rather than setting up a proper multi-signature wallet, its operators split the bridge's keys between a small number of validators, and one party kept signing access (an allowlist) that it no longer needed. A hacker managed to gain access to 5 of the 9 keys and made off with $625m worth of Ethereum and USDC.
This is a global/international case not involving a specific country.
About Axie Infinity
"Axie Infinity is a NFT-based online video game developed by Vietnamese studio Sky Mavis, which uses Ethereum-based cryptocurrency AXS (Axie Infinity Shards) and SLP (Smooth Love Potion)." The "Axie Infinity game universe filled with fascinating creatures, Axies, that players can collect as pets. Players aim to battle, breed, collect, raise, and build kingdoms for their Axies. The universe has a player-owned economy where players can truly own, buy, sell, and trade resources they earn in the game through skilled-gameplay and contributions to the ecosystem."
"There are and will be many varied games experiences for Axies. Many of them will have players compete with each other using complex strategies and tactics to attain top rankings or be rewarded with coveted resources. Others will have them complete quests, defeat bosses, and unlock in-depth storylines."
"Ronin is a blockchain protocol linked to Axie Infinity, a popular play-to-earn game with $4 billion in NFT sales that sees over 2.8 million players logging on each day."
"The developer behind @AxieInfinity built a 'side chain' (the @Ronin_Network)." "The side chain had nine so-called validator nodes, which are proof-of-stake tools that confirm transactions. At least five are necessary to approve each transaction. Sky Mavis oversaw five, and Axie Decentralized Autonomous Organization controlled four. Sky Mavis said it discontinued its agreement with the DAO in December but never revoked the permissions it allowed."
"Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed." "[B]ack [in] November 2021 Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked." "The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but [there was] a backdoor through [a] gas-free RPC node, which [could be] abused to get the signature for the Axie DAO validator."
"Ronin said in a Tuesday blog post that the attacker stole roughly $625 million in crypto, draining 173,600 ether and 25.5 million USDC." "There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals." "The Sky Mavis team discovered the security breach on March 29th, after a report that a user was unable to withdraw 5k ETH from the bridge."
"The hacker took over four of Sky Mavis' validator nodes and one from Axie DAO, enabling access to the crypto and eventually the massive theft. Sky Mavis said it has since replaced all of its validators and is working to reimburse the stolen funds."
"The attacker used hacked private keys in order to forge fake withdrawals." "Five validator private keys were hacked; 4 Sky Mavis validators and 1 Axie DAO." "Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators."
Funds stolen in the crypto hack include "deposits of players and speculators and the Axie Infinity Treasury revenue," Larsen said. "The heist, which wasn't detected until almost a week after it occurred, is believed to be one of the biggest in the history of crypto and highlights the sector's immense risks."
"The easiest way to look at this is like the bridge is the bank for the Ronin Network," Larsen said. "The heist that happened took out all the ETH and USDC. So the ETH/USDC on Ronin Network is not currently backed by anything. But we are looking at other options."
"We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short term damage, we have increased the validator threshold from five to eight. We are in touch with security teams at major exchanges and will be reaching out to all in the coming days. We are in the process of migrating our nodes, which is completely separated from our old infrastructure."
"We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained."
"Most of the stolen funds remain in the attacker's address, but about 6,250 ether has been transferred to a slate of other addresses." "Binance has resumed withdrawals for Axie Infinity Shards (AXS) and Smooth Love Potion (SLP)."
"We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed," Ronin Network wrote. "The attacker used hacked private keys in order to forge fake withdrawals."
"Max Galka, CEO of crypto forensics firm Elementus, pointed to the lapsed DAO deal as a major oversight, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains." "The hacker exploited a key oversight here to drain millions in tokens, said @galka_max, CEO of @elementus_io. (@BusinessInsider)" "@galka_max pointed to the lapsed DAO deal as a major mistake, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains. (@BusinessInsider, @MktsInsider)" "They never removed what was meant to be a temporary measure. It was an outright error," he told Insider.
"It was pure human error," @amber_ghaddar said. "If consumers aren't protected from things like this, the industry is going to fail," she said. (@BusinessInsider)
"It's a cybersecurity issue, not a cryptocurrency issue," @ARedbord said. "The government is calling for crypto regulation, but really what would help is a hardening of cyberdefenses, rather than focusing on crypto." (@BusinessInsider)
"Solutions could include funding for additional intelligence tools as well as more robust and pervasive cybersecurity networks, @trmlabs said. @amber_ghaddar added that educational outreach could be beneficial too." (@BusinessInsider)
"We need to focus on building out a trust layer in the crypto economy—anti-money laundering infrastructure, compliance controls, cybersecurity—so that people will interact with this new online financial system," @ARedbord said.
"Sky Mavis announced a 150 million USD funding round led by Binance with participation from Animoca Brands, a16z, Dialectic, Paradigm. The round combined with Sky Mavis and Axie balance sheet funds, will be used to ensure that all users affected by the Ronin Validator Hack will be reimbursed. The Ronin Network bridge will open once it has undergone a security upgrade and several audits, which can take several weeks. Sky Mavis is in the process of implementing rigorous internal security measures to prevent future attacks."
"The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the funds are not fully recovered within two years, the Axie DAO will vote on next steps for the treasury. We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction."
"Moving forward, the [multisig] threshold will be eight out of nine. We will be expanding the validator set over time, on an expedited timeline."
"The last 8 days have been the hardest stretch of our four-year journey. Thank you for your bravery, kindness, prayers, and words of support. You’ve been a constant source of energy and inspiration for us as we’ve worked tirelessly to resolve the Ronin breach."
"Binance, the world's largest cryptocurrency exchange, has recovered nearly $6 million from a North Korean group suspected to be behind a $620 million hack of the popular play-to-earn game Axie Infinity."
"The DPRK hacking group started to move their Axie Infinity stolen funds today. Part of it made [it] to Binance, spread across over 86 accounts. $5.8M has been recovered," he wrote, referring to the Democratic People's Republic of Korea.
The Reality
In November 2021 the Axie DAO allowlisted Sky Mavis to sign transactions on its behalf so that Sky Mavis could distribute free transactions under heavy user load. The arrangement was discontinued in December 2021, but the allowlist access was never revoked. This left a path, through a gas-free RPC node, by which the Axie DAO validator's signature could be obtained once Sky Mavis's systems were compromised, so the number of independent key holders was lower than the 5-of-9 validator scheme suggested.
What Happened
| Date | Event | Description |
|---|---|---|
| March 23rd, 2022 7:29:09 AM | Main Event | Using five compromised validator keys (four Sky Mavis validators and one Axie DAO validator, whose signature was obtained through the gas-free RPC allowlist), the attacker forged withdrawals that drained 173,600 ETH and 25.5M USDC from the Ronin bridge in two transactions. |
| March 29th, 2022 | Breach discovered | Sky Mavis discovered the breach after a user reported being unable to withdraw 5k ETH from the bridge, almost a week after the theft. |
Total Amount Lost
The total amount lost has been estimated at $625,000,000 USD.
Ronin reported roughly $625 million drained: 173,600 ETH and 25.5 million USDC, taken in two transactions. Later coverage rounds this to about $620 million or $600 million; the token quantities are consistent across the sources cited here.
Immediate Reactions
Sky Mavis disclosed the breach in a blog post on March 29th, the day it was discovered, raised the validator threshold from five to eight, paused the Ronin Bridge, and began migrating its nodes to infrastructure separated from the old one; Binance disabled its bridge to and from Ronin. Sky Mavis said it had replaced all of its validators and was in touch with security teams at major exchanges.
Ultimate Outcome
A North Korean (DPRK) hacking group was suspected of being behind the theft. When part of the stolen funds was moved to Binance across over 86 accounts, Binance recovered $5.8 million. Sky Mavis announced a 150 million USD funding round led by Binance which, together with Sky Mavis and Axie balance sheet funds, would be used to reimburse affected users, and said it was working with law enforcement, forensic cryptographers, and its investors to recover or reimburse all funds.
Total Amount Recovered
The total amount recovered has been estimated at $5,800,000 USD.
Binance recovered $5.8 million after part of the stolen funds was moved to the exchange across over 86 accounts. Affected users are to be reimbursed from the 150 million USD funding round together with Sky Mavis and Axie balance sheet funds; the 56,000 ETH taken from the Axie DAO treasury remains undercollateralized pending recovery efforts.
Ongoing Developments
Recovery of the remaining funds with law enforcement is ongoing. The 56,000 ETH from the Axie DAO treasury remains undercollateralized, and if the funds are not fully recovered within two years the Axie DAO will vote on next steps. The Ronin bridge is to reopen after a security upgrade and several audits, the multisig threshold is to be eight out of nine, and the validator set is to be expanded on an expedited timeline.
Prevention Policies
A proper multi-signature setup keeps every key offline, with each key held by a separate and independent individual. Keeping all funds in a hot-wallet arrangement in which the validators have limited independence from one another is significantly less secure, as was demonstrated here.
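The point above can be checked rather than assumed. The following is an added example, not Sky Mavis or Ronin code: it models an M-of-N validator set together with any delegated signing rights (the allowlist described in this case) and reports how many independent organisations an attacker would actually have to compromise to clear the threshold. The counts follow the quoted sources (9 validators, Sky Mavis operating 5 and Axie DAO 4, threshold 5 before and 8 after); the validator names and the choice of a single delegated Axie DAO validator are constructed for illustration.

```python
"""Effective-control analysis for an M-of-N validator (multisig) set.

Added example; not Sky Mavis or Ronin code. A delegation lets one
operator obtain another operator's validator signature (here: the Axie
DAO allowlist that was never revoked), which lowers the number of
*independent* organisations that must be compromised before forged
withdrawals reach the threshold. Validator names are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # organisation whose infrastructure holds this key


@dataclass
class ValidatorSet:
    validators: list
    threshold: int
    # delegations[validator_name] = operator allowed to obtain that
    # validator's signature (e.g. via an allowlisted gas-free RPC node)
    delegations: dict = field(default_factory=dict)

    def effective_control(self) -> Counter:
        """Signatures each operator can produce without anyone else's
        cooperation: keys on its own systems plus delegated keys."""
        control = Counter()
        for v in self.validators:
            control[v.operator] += 1
            delegate = self.delegations.get(v.name)
            if delegate and delegate != v.operator:
                control[delegate] += 1
        return control

    def single_points_of_compromise(self) -> list:
        """Operators whose compromise alone yields a valid threshold."""
        return sorted(op for op, n in self.effective_control().items()
                      if n >= self.threshold)

    def is_independent(self) -> bool:
        return not self.single_points_of_compromise()

    def operators_needed(self) -> int:
        """Fewest distinct operators whose combined effective control
        reaches the threshold (greedy: largest control first)."""
        signatures = 0
        ranked = self.effective_control().most_common()
        for needed, (_, n) in enumerate(ranked, start=1):
            signatures += n
            if signatures >= self.threshold:
                return needed
        raise ValueError("threshold exceeds total signing capacity")

    def fault_tolerance(self) -> int:
        """Validators that may be offline while withdrawals still clear;
        a higher threshold buys safety at the cost of availability."""
        return len(self.validators) - self.threshold


def ronin_model(threshold: int, allowlist_revoked: bool) -> ValidatorSet:
    """9 validators: Sky Mavis 5, Axie DAO 4, as the quoted sources state.
    Constructed detail: 'axie-dao-1' is the validator whose signature
    Sky Mavis was allowlisted to obtain."""
    validators = [Validator(f"sky-mavis-{i}", "Sky Mavis") for i in range(1, 6)]
    validators += [Validator(f"axie-dao-{i}", "Axie DAO") for i in range(1, 5)]
    delegations = {} if allowlist_revoked else {"axie-dao-1": "Sky Mavis"}
    return ValidatorSet(validators, threshold, delegations)


def report(vs: ValidatorSet) -> dict:
    return {
        "threshold": f"{vs.threshold}-of-{len(vs.validators)}",
        "effective_control": dict(vs.effective_control()),
        "single_points_of_compromise": vs.single_points_of_compromise(),
        "operators_needed": vs.operators_needed(),
        "fault_tolerance": vs.fault_tolerance(),
    }


if __name__ == "__main__":
    # Configuration at the time of the breach: 5-of-9, allowlist still live.
    print("before:", report(ronin_model(threshold=5, allowlist_revoked=False)))
    # Configuration announced afterwards: 8-of-9, allowlist removed.
    print("after: ", report(ronin_model(threshold=8, allowlist_revoked=True)))
```

Run as-is, the "before" report shows Sky Mavis with six effective signatures against a threshold of five, i.e. a single operator whose compromise suffices; under these counts it already reaches five with the allowlist revoked, so the raised threshold, not only the revocation, is what removes the single point of compromise. The "after" report needs two organisations but tolerates only one offline validator, which is the availability price of 8-of-9 and the reason the page mentions expanding the validator set.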
References
Axie Infinity Hack Shouldn't Discourage Crypto Adoption, Experts Say (May 21)
One of the Largest Crypto Hacks Ever Hits Ronin Network (May 21)
https://roninblockchain.substack.com/p/community-alert-ronin-validators (May 21)
North Korea Designation Update | U.S. Department of the Treasury (May 21)
https://axie.substack.com/p/funding (May 21)
https://etherscan.io/tx/0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7 (May 21)
https://etherscan.io/tx/0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08 (May 21)
https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96 (May 21)
Victims of $600 Million Crypto Heist Will Be Reimbursed: Report (May 21)
Binance Seizes $5.8 Million From $620 Million Axie Infinity Hack (May 21)
@cz_binance Twitter (May 21)
@philrosenn Twitter (May 21)
Axie Infinity - Wikipedia (May 21)
https://axieinfinity.com/ (May 21)
Axie Infinity - Axie Infinity (May 21)
Trezor Issues Data Breach Warning As Users Cite Phishing Attacks (May 21)
The LUNA and UST crash — WTF happened? Will they recover? | The Market Report - YouTube (Jun 18)
Bored Ape Yacht Club Instagram, Discord Hacked, NFTs Worth $13.7 Million Stolen | Technology News (Jun 20)
The Crypto World Is on Edge After a String of Hacks - The New York Times (Nov 30)
How North Korea Used Crypto to Hack Its Way Through the Pandemic - The New York Times (Nov 30)