Axie Infinity Ronin Bridge Unauthorized Treasury Access
Axie Infinity is a play-to-earn game with $4b in NFT sales. Rather than set up a proper multi-signature wallet, the keys were split between a small number of validators, and additional access was available for someone who no longer needed it. A hacker managed to gain access to 5 of the 9 keys and made off with $625m worth of Ethereum and USDC.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]
About Axie Infinity
"Axie Infinity is an NFT-based online video game developed by Vietnamese studio Sky Mavis, which uses Ethereum-based cryptocurrency AXS (Axie Infinity Shards) and SLP (Smooth Love Potion)." The "Axie Infinity game universe filled with fascinating creatures, Axies, that players can collect as pets. Players aim to battle, breed, collect, raise, and build kingdoms for their Axies. The universe has a player-owned economy where players can truly own, buy, sell, and trade resources they earn in the game through skilled-gameplay and contributions to the ecosystem."
"There are and will be many varied games experiences for Axies. Many of them will have players compete with each other using complex strategies and tactics to attain top rankings or be rewarded with coveted resources. Others will have them complete quests, defeat bosses, and unlock in-depth storylines."
"Ronin is a blockchain protocol linked to Axie Infinity, a popular play-to-earn game with $4 billion in NFT sales that sees over 2.8 million players logging on each day."
"The developer behind @AxieInfinity built a "side chain" (the @Ronin_Network)." "The side chain had nine so-called validator nodes, which are proof-of-stake tools that confirm transactions. At least five are necessary to approve each transaction. Sky Mavis oversaw five, and Axie Decentralized Autonomous Organization controlled four. Sky Mavis said it discontinued its agreement with the DAO in December but never revoked the permissions it allowed."
"Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed." "[B]ack [in] November 2021 Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked." "The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but [there was] a backdoor through [a] gas-free RPC node, which [could be] abused to get the signature for the Axie DAO validator."
"Ronin said in a Tuesday blog post that the attacker stole roughly $625 million in crypto, draining 173,600 ether and 25.5 million USDC." "There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals." "The Sky Mavis team discovered the security breach on March 29th, after a report that a user was unable to withdraw 5k ETH from the bridge."
"The hacker took over four of Sky Mavis' validator nodes and one from Axie DAO, enabling access to the crypto and eventually the massive theft. Sky Mavis said it has since replaced all of its validators and is working to reimburse the stolen funds."
"The attacker used hacked private keys in order to forge fake withdrawals." "Five validator private keys were hacked; 4 Sky Mavis validators and 1 Axie DAO." "Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators."
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| March 23rd, 2022 7:29:09 AM MDT | Main Event | Using compromised private keys for five of the nine Ronin validators (four Sky Mavis validators and the Axie DAO validator, whose signature was obtained through the gas-free RPC allowlist), the attacker forges two withdrawals from the Ronin bridge, draining 173,600 ETH and 25.5 million USDC, roughly $625 million at the time[18]. |
| March 29th, 2022 10:29:00 AM MDT | Community Alert Posted | The Ronin Chain publishes a community alert[17]. They report that Ronin Network has been hit by a security breach that compromised Ronin validators, leading to a theft of 173,600 Ethereum and $25.5m in USDC. The attacker used hacked private keys to forge fake withdrawals, taking advantage of a backdoor in the network's gas-free RPC node to obtain the signature from the Axie DAO validator. After discovering the attack, Ronin halted the Ronin bridge and Katana DEX and is working to recover or reimburse all funds, as well as collaborate with law enforcement officials and forensic cryptographers. Deposits of AXS, RON, and SLP on Ronin are still safe. The company is also increasing the validator threshold from five to eight to prevent future attacks. They reportedly became aware of the exploit that same day after a user reported that they were unable to withdraw 5,000 ETH from the vault[18]. TBD revisit and follow any links in this post which weren't viewed yet. |
| March 29th, 2022 12:41:00 PM MDT | Market Insider Article on Breach | Market Insider publishes an article about the exploit. Market Insider reports that a hacker targeted Axie Infinity's Ronin Network, stealing $625 million worth of ether and USDC. The network is reported to have halted transactions on its Ronin Bridge and Katana Dex servers, and is working to recover or reimburse the stolen funds in collaboration with law enforcement officials, forensic cryptographers, and investors. The hack took place the previous Wednesday, with the attacker using hacked private keys to forge fake withdrawals. The native token of the Ronin network, RON, has fallen by 22% following the incident[19]. |
| March 30th, 2022 1:28:00 PM MDT | Community Alert Updated | Axie Infinity updates their community to indicate they are continuing their investigations. They mention they are working with both Chainalysis to monitor the stolen funds and Crowdstrike to handle forensics and the setup of surveillance tools. They are certain that the attack was an external breach, and "[a]ll evidence points to this attack being socially engineered, rather than a technical flaw". They are "committed to ensuring that all of the drained funds are recovered or reimbursed" though they don't mention any plan and are presently just "continuing conversations". They will "continue to provide updates"[18]. |
| March 31st, 2022 2:03:00 PM MDT | Community Alert Updated | Axie Infinity updates to indicate that they are continuing their investigation and don't have any more substantial information to share. They have had "various calls" with key stakeholders, law enforcement agencies, and major exchanges. All of the former Sky Mavis validators have been replaced. They are pushing forward a plan to add new validators to the Ronin Network in the coming weeks[18]. |
| April 2nd, 2022 3:00:00 AM MDT | Community Alert Updated | Axie Infinity announces that Binance has resumed withdrawals for both Axie Infinity Shards (AXS) and Smooth Love Potion (SLP) from their exchange. Wrapped Ether transactions remain closed. The Ronin Bridge will be reopened, but a timeline is not known at this time[18][20]. |
| April 2nd, 2022 8:03:00 AM MDT | Market Insider Article Published | Market Insider publishes an article about the exploit, and that it shouldn't stop adoption[21]. TBD expand with more details. |
| April 2nd, 2022 8:21:00 AM MDT | Phil Rosen Twitter Timeline Published | A series of analysis Tweets are published by blockchain researcher Phil Rosen. Twitter later publishes a special feature event timeline[22]. |
| April 6th, 2022 4:01:43 AM MDT | Funds Raised For Recovery | Sky Mavis, the company behind Axie Infinity, announces they have raised $150 million in a funding round led by Binance. Other participants in the round included Animoca Brands, a16z, Dialectic, Paradigm, and Accel. The funds will be used to reimburse users who were affected by the Ronin Validator Hack, in which 173,600 Ethereum and 25.5 million USDC were drained from the Ronin bridge. The Ronin Network bridge will open again once it has undergone a security upgrade and several audits, which may take several weeks. Sky Mavis will increase its validator group to 21 validators within the next three months, which will be a mix of partners, community members, and long-term allies[1][23]. TBD analyze change from "people" to "unique addresses" in post. |
| April 6th, 2022 5:12:00 AM MDT | Community Alert Updated | Information about the funding round is also posted on the official community alert[18]. |
| April 14th, 2022 9:19:20 AM MDT | OFAC Publishes Sanction Notice | The United States Office of Foreign Assets Control publishes an official sanction of the Ethereum blockchain address 0x098B716B8Aaf21512996dC57EB0615e2383E2f96, informing that the address has been added to the OFAC SDN list. They include various aliases for the Lazarus Group including "Appleworm," "APT-C-26," and "Hidden Cobra," among others. The group is located in the Potonggang District of Pyongyang, North Korea. The statement notes that there is a secondary sanctions risk under the North Korea Sanctions Regulations, sections 510.201 and 510.210, and that transactions with the group are prohibited for persons owned or controlled by U.S. financial institutions under section 510.214 [DPRK3][24][25]. |
| April 14th, 2022 12:00:00 PM MDT | Community Alert Updated | The Ronin Chain provides an update to their community. They state the FBI has now attributed the attack to the Lazarus Group, based in North Korea, and that the address receiving the stolen ETH has now been sanctioned by the US government. They promise to deliver a full post-mortem with details of security implementations by the end of the month[18]. |
| May 27th, 2022 1:54:00 AM MDT | Community Alert Updated | The Ronin Chain provides an update to their community. They state that they've completed an audit by the external firm Verichains, as well as an "internal" audit they conducted themselves. They are also in the process of getting an external audit from CertiK which they expect will take 15 days[18]. |
| June 21st, 2022 10:54:00 AM MDT | Community Alert Updated | The Ronin Chain publishes an update to their community. They state that the CertiK audit is now completed and came back with only minor suggestions. They will be implementing the suggestions and are still on track to relaunch in the same month[18]. |
| June 23rd, 2022 10:37:00 AM MDT | Community Alert Updated | The Ronin Chain published an update to their community. The post included a plan to reopen the Ronin Bridge on June 28th with all user funds returned. This includes a software update to the validation system. Validators are reportedly already instructed on how to upgrade, and non-validators are provided instructions to upgrade[18]. |
| June 28th, 2022 2:19:00 AM MDT | Community Alert Updated | The Ronin Chain published an update to their community. They report that the Ronin hard-fork which required all validators to update their software has been successful and the Ronin Bridge is still on track to be opened today[18]. |
| June 30th, 2022 3:00:16 AM MDT | New York Times Article | The Axie Infinity hack is included in a New York Times article titled "How North Korea Used Crypto to Hack Its Way Through the Pandemic", which discusses how North Korea has turned to cryptocurrency theft as a means of generating income and evading sanctions. The article specifically mentions the theft of $620 million in cryptocurrency from the video game Axie Infinity as a significant event that highlights the lucrative and relatively risk-free nature of cryptocurrency heists for North Korea. The article explains that North Korea, facing severe economic challenges due to UN sanctions and the COVID-19 pandemic, has resorted to trafficking weapons, illegal drugs, and counterfeit currency, as well as conducting cyberattacks to disrupt websites and steal from corporations and banks. The case of the Axie Infinity hack demonstrates North Korean hackers targeting a popular blockchain-based video game where players could accumulate cryptocurrency by playing. The hackers used phishing attacks and other tactics to breach the game's security. The article suggests that this theft provided strong evidence of the growing trend of cryptocurrency heists as a means for North Korea to finance weapons development[26]. |
Technical Details
TBD
Total Amount Lost
Funds stolen in the crypto hack include "deposits of players and speculators and the Axie Infinity Treasury revenue," Larsen said. "The heist, which wasn't detected until almost a week after it occurred, is believed to be one of the biggest in the history of crypto and highlights the sector's immense risks."
The total amount lost has been estimated at $625,000,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
"The easiest way to look at this is like the bridge is the bank for the Ronin Network," Larsen said. "The heist that happened took out all the ETH and USDC. So the ETH/USDC on Ronin Network is not currently backed by anything. But we are looking at other options."
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short term damage, we have increased the validator threshold from five to eight. We are in touch with security teams at major exchanges and will be reaching out to all in the coming days. We are in the process of migrating our nodes, which is completely separated from our old infrastructure."
"We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained."
"We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed," Ronin Network wrote. "The attacker used hacked private keys in order to forge fake withdrawals."
"Max Galka, CEO of crypto forensics firm Elementus, pointed to the lapsed DAO deal as a major oversight, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains." "The hacker exploited a key oversight here to drain millions in tokens, said @galka_max, CEO of @elementus_io. (@BusinessInsider)" "@galka_max pointed to the lapsed DAO deal as a major mistake, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains. (@BusinessInsider, @MktsInsider)" "They never removed what was meant to be a temporary measure. It was an outright error," he told Insider.
"It was pure human error," @amber_ghaddar said. "If consumers aren't protected from things like this, the industry is going to fail," she said. (@BusinessInsider)
"It's a cybersecurity issue, not a cryptocurrency issue," @ARedbord said. "The government is calling for crypto regulation, but really what would help is a hardening of cyberdefenses, rather than focusing on crypto." (@BusinessInsider)
"Solutions could include funding for additional intelligence tools as well as more robust and pervasive cybersecurity networks, @trmlabs said. @amber_ghaddar added that educational outreach could be beneficial too. (@BusinessInsider)"
"We need to focus on building out a trust layer in the crypto economy—anti-money laundering infrastructure, compliance controls, cybersecurity—so that people will interact with this new online financial system," @ARedbord said.
Ultimate Outcome
The wallet with the stolen Ethereum was placed on the OFAC sanction list.
Movement of Stolen Funds
"The DPRK hacking group started to move their Axie Infinity stolen funds today. Part of it made [it] to Binance, spread across over 86 accounts. $5.8M has been recovered," he wrote, referring to the Democratic People's Republic of Korea.
OFAC Sanction Notice
On April 14th, 2022, The US Department of the Treasury updated their SDN to include the wallet address with the stolen Ethereum from this attack. They issued a statement informing that changes have been made to OFAC's SDN List (a list of people and entities that are sanctioned by the US government). Specifically, the entry for the Lazarus Group has been updated to include the digital currency address, ETH 0x098B716B8Aaf21512996dC57EB0615e2383E2f96. The Lazarus Group is also known by various aliases, including "Appleworm," "APT-C-26," and "Hidden Cobra," among others. The group is located in the Potonggang District of Pyongyang, North Korea. The statement notes that there is a secondary sanctions risk under the North Korea Sanctions Regulations, sections 510.201 and 510.210, and that transactions with the group are prohibited for persons owned or controlled by U.S. financial institutions under section 510.214 [DPRK3][24][25].
Raising Funds For Reimbursement
"Sky Mavis announced a 150 million USD funding round led by Binance with participation from Animoca Brands, a16z, Dialectic, Paradigm. The round combined with Sky Mavis and Axie balance sheet funds, will be used to ensure that all users affected by the Ronin Validator Hack will be reimbursed."
Resumption of Withdrawals
"Binance has resumed withdrawals for Axie Infinity Shards (AXS) and Smooth Love Potion (SLP)."
Increasing Strength of Multi-Sig Wallet
"Moving forward, the [multisig] threshold will be eight out of nine. We will be expanding the validator set over time, on an expedited timeline."
Additional Auditing Going Forward
"The Ronin Network bridge will open once it has undergone a security upgrade and several audits, which can take several weeks. Sky Mavis is in the process of implementing rigorous internal security measures to prevent future attacks."
Thanks To Community For Patience
"The last 8 days have been the hardest stretch of our four-year journey. Thank you for your bravery, kindness, prayers, and words of support. You’ve been a constant source of energy and inspiration for us as we’ve worked tirelessly to resolve the Ronin breach."
Total Amount Recovered
"Most of the stolen funds remain in the attacker's address, but about 6,250 ether has been transferred to a slate of other addresses."
The total amount recovered has been estimated at $5,800,000 USD.
"Binance, the world's largest cryptocurrency exchange, has recovered nearly $6 million from a North Korean group suspected to be behind a $620 million hack of the popular play-to-earn game Axie Infinity."
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
TBD - What's going on with attempts to recover the funds?
"Most of the stolen funds remain in the attacker's address, but about 6,250 ether has been transferred to a slate of other addresses."
"The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the funds are not fully recovered within two years, the Axie DAO will vote on next steps for the treasury. We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction."
General Prevention Policies
A proper multi-signature setup keeps every key offline, with each key held by a separate individual. Storing all funds in a hot-wallet arrangement with little real independence between the validators is significantly less secure, as this case demonstrated: enough keys to pass the signing threshold were reachable from a single organisation's infrastructure.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The primary issue is that the multi-signature wallet was not genuinely distributed across multiple independent entities. Enough keys to authorise a withdrawal were controlled by, or reachable from, a single entity, and that entity was breached. A lapsed but unrevoked allowlist entry then supplied the one additional signature the attacker still needed.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
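The validator arrangement described under "About Axie Infinity" (five of nine signatures required, five validators run by Sky Mavis, four by the Axie DAO, and a DAO allowlist entry for Sky Mavis that was discontinued in December 2021 but never revoked) can be checked mechanically before funds are placed behind a bridge. The Python audit below is an added example, not Sky Mavis or Ronin code; the validator names, the delegation data model and the exact December 2021 end date are assumptions that mirror the page's description.

```python
"""Quorum-concentration audit for a k-of-n validator bridge (constructed example).

Two questions a defender wants answered before trusting a threshold scheme:
  1. Can any single organisation reach the signing threshold on its own?
  2. Are there delegations ('allowlist' entries) whose underlying agreement has
     ended but whose signing path was never actually revoked?
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # organisation that actually holds this validator's signing key


@dataclass(frozen=True)
class Delegation:
    """An allowlist entry: `grantee` may obtain signatures from `validator`."""
    validator: str                   # name of the delegated validator
    grantee: str                     # operator allowed to sign on its behalf
    agreement_ended: Optional[date]  # when the business arrangement stopped, if it has
    revoked: bool = False            # whether the signing path itself was removed


def signing_reach(validators: List[Validator], delegations: List[Delegation]) -> dict:
    """Number of validator signatures each operator can produce by itself.

    Every unrevoked delegation counts, whether or not its agreement has ended:
    ending an agreement does not close the signing path, only revocation does.
    """
    known = {v.name for v in validators}
    reach = Counter(v.operator for v in validators)
    for d in delegations:
        if d.validator not in known:
            raise ValueError(f"delegation refers to unknown validator {d.validator!r}")
        if not d.revoked:
            reach[d.grantee] += 1
    return dict(reach)


def stale_delegations(delegations: List[Delegation], today: date) -> List[Delegation]:
    """Delegations whose arrangement ended on or before `today` but are still live."""
    return [d for d in delegations
            if not d.revoked and d.agreement_ended is not None
            and d.agreement_ended <= today]


def audit(validators: List[Validator], delegations: List[Delegation],
          threshold: int, today: date) -> Tuple[int, List[str], int]:
    """(largest single-operator reach, operators that reach quorum alone, stale count)."""
    reach = signing_reach(validators, delegations)
    alone = sorted(op for op, n in reach.items() if n >= threshold)
    return max(reach.values()), alone, len(stale_delegations(delegations, today))


# Constructed sample shaped like the page's description: nine validators, five run by
# Sky Mavis and four by the Axie DAO, plus one DAO allowlist entry for Sky Mavis that was
# discontinued in December 2021 (exact day assumed) but never revoked.
VALIDATORS = ([Validator(f"sky-mavis-{i}", "Sky Mavis") for i in range(1, 6)]
              + [Validator(f"axie-dao-{i}", "Axie DAO") for i in range(1, 5)])
LAPSED_ALLOWLIST = [Delegation("axie-dao-1", "Sky Mavis", date(2021, 12, 31))]
DAY_OF_DRAIN = date(2022, 3, 23)

if __name__ == "__main__":
    for threshold in (5, 8):
        top, alone, stale = audit(VALIDATORS, LAPSED_ALLOWLIST, threshold, DAY_OF_DRAIN)
        print(f"threshold {threshold}/9: max single-operator reach={top}, "
              f"can sign alone={alone}, stale delegations={stale}")
```

Run against the sample, the audit shows that raising the threshold to eight stops a single operator from reaching quorum, but the stale delegation remains flagged until it is actually revoked; with the delegation revoked and the threshold left at five, Sky Mavis alone still reaches quorum, so both changes are needed.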
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Sky Mavis Raises $150M Led By Binance, Funds to be Restored on the Ronin Bridge - The Lunacian (May 21, 2022)
- [2] https://etherscan.io/tx/0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7 (May 21, 2022)
- [3] https://etherscan.io/tx/0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08 (May 21, 2022)
- [4] https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96 (May 21, 2022)
- [5] Victims of $600 Million Crypto Heist Will Be Reimbursed: Report (May 21, 2022)
- [6] Binance Seizes $5.8 Million From $620 Million Axie Infinity Hack (May 21, 2022)
- [7] @cz_binance Twitter (May 21, 2022)
- [8] @philrosenn Twitter (May 21, 2022)
- [9] Axie Infinity - Wikipedia (May 21, 2022)
- [10] https://axieinfinity.com/ (May 21, 2022)
- [11] Axie Infinity - Axie Infinity (May 21, 2022)
- [12] Trezor Issues Data Breach Warning As Users Cite Phishing Attacks (May 21, 2022)
- [13] The LUNA and UST crash — WTF happened? Will they recover? | The Market Report - YouTube (Jun 18, 2022)
- [14] The LUNA and UST crash — WTF happened? Will they recover? | The Market Report - YouTube (Jun 20, 2022)
- [15] Bored Ape Yacht Club Instagram, Discord Hacked, NFTs Worth $13.7 Million Stolen | Technology News (Jun 20, 2022)
- [16] The Crypto World Is on Edge After a String of Hacks - The New York Times (Nov 30, 2022)
- [17] Community Alert: Ronin Validators Compromised - Archive March 29th, 2022 9:31:01 AM MDT (Apr 28, 2023)
- [18] Community Alert: Ronin Validators Compromised - Ronin Chain Blog (May 21, 2022)
- [19] One of the Largest Crypto Hacks Ever Hits Ronin Network - Market Insider (May 21, 2022)
- [20] Community Alert: Ronin Validators Compromised - Ronin Chain Blog Archive April 20th, 2023 7:37:35 AM MDT (Apr 23, 2023)
- [21] Axie Infinity Hack Shouldn't Discourage Crypto Adoption, Experts Say - Market Insider (May 21, 2022)
- [22] A hacker just stole over $600 million in crypto. Experts explain the historic swindle — and why cyberattacks shouldn't discourage adoption of digital assets. - Twitter Events (Apr 4, 2022)
- [23] Sky Mavis Raises $150M Led By Binance, Funds to be Restored on the Ronin Bridge - The Lunacian Archive April 6th, 2022 4:08:43 AM MDT (Apr 28, 2023)
- [24] North Korea Designation Update | U.S. Department of the Treasury (May 21, 2022)
- [25] North Korea Designation Update - US Department of the Treasury Archive April 14th, 2022 9:19:20 AM MDT (Apr 28, 2023)
- [26] How North Korea Used Crypto to Hack Its Way Through the Pandemic - The New York Times (Nov 30, 2022)