Axie Infinity Ronin Bridge Unauthorized Treasury Access

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Axie Infinity

Axie Infinity is a play-to-earn game with $4b in NFT sales. Rather than set up a proper multi-signature wallet, the keys were split between a small number of validators, and additional access was available for someone who no longer needed it. A hacker managed to breach a single entity who held 5 of the 9 keys, and made off with $625m worth of Ethereum and USDC.

About Axie Infinity

[1][2][3]


"Axie Infinity is a NFT-based online video game developed by Vietnamese studio Sky Mavis, which uses Ethereum-based cryptocurrency AXS (Axie Infinity Shards) and SLP (Smooth Love Potion)." The "Axie Infinity game universe filled with fascinating creatures, Axies, that players can collect as pets. Players aim to battle, breed, collect, raise, and build kingdoms for their Axies. The universe has a player-owned economy where players can truly own, buy, sell, and trade resources they earn in the game through skilled-gameplay and contributions to the ecosystem."

"There are and will be many varied games experiences for Axies. Many of them will have players compete with each other using complex strategies and tactics to attain top rankings or be rewarded with coveted resources. Others will have them complete quests, defeat bosses, and unlock in-depth storylines."

"Ronin is a blockchain protocol linked to Axie Infinity, a popular play-to-earn game with $4 billion in NFT sales that sees over 2.8 million players logging on each day."

"The developer behind @AxieInfinity built a "side chain" (the @Ronin_Network)." "The side chain had nine so-called validator nodes, which are proof-of-stake tools that confirm transactions. At least five are necessary to approve each transaction. Sky Mavis oversaw five, and Axie Decentralized Autonomous Organization controlled four. Sky Mavis said it discontinued its agreement with the DAO in December but never revoked the permissions it allowed."


"The attacker used hacked private keys in order to forge fake withdrawals."

"Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed."

A series of analysis Tweets is published by blockchain researcher Phil Rosen, and Twitter later publishes a special feature event timeline[4][5]. Experts have commented on the recent $600 million crypto swindle that targeted Axie Infinity's Ronin Network[4]. They stated that the incident was not a fault of the blockchain itself but rather a cybersecurity failure[4]. They emphasized the need to focus on building a trust layer in the crypto economy by implementing anti-money laundering infrastructure, compliance controls, and cybersecurity measures[4]. Suggestions for solutions included funding for additional intelligence tools, robust cybersecurity networks, and educational outreach[4]. The experts highlighted the importance of creating a secure environment for people to interact with the new online financial system[4].

The Reality

While Axie Infinity nominally used a multi-signature wallet to control access to the treasury, which, when set up properly, is one of the most secure arrangements possible, the wallet was not a real multi-signature scheme in practice. Because of how it was configured, it provided little of the protection that a multi-signature approach is meant to give.

Four Keys By One Holder

A single entity, Sky Mavis, held four of the five keys needed to sign a transaction. This meant that only two distinct signatories were actually required to reach the five-signature threshold. Sky Mavis alone could have had a transaction approved by stealing or coercing a single additional key from any of the other signatories. It also meant that an adversary only needed to breach Sky Mavis plus one other key holder to steal the funds.

Inactive User Retaining Access

Sky Mavis's access had also gone inactive, since it had not needed that access since December 2021, yet the allowlist remained in place long afterward. Inactive users pose an additional risk, and that risk may even be higher than for a standard user: they are unlikely to practice the same security diligence as active users and could easily reuse credentials.

Gas-Free RPC Node Backdoor

Rather than being held by a human being, one of the keys was under the control of the Axie DAO software. That software unfortunately contained a vulnerable validator key scheme, which exposed a backdoor that could be used to obtain a signature. Software often contains vulnerabilities and generally lacks the ability to think critically before signing a transaction. This key was therefore not an effective participant in the multi-signature scheme and only gave a false sense of security.

What Happened

Due to an insecure multi-signature wallet, an attacker was able to withdraw 173,600 ETH and 25,500,000 USDC from the Axie Infinity: Ronin Bridge treasury. A week later the protocol discovered the theft and started to plan a reimbursement.

Key Event Timeline - Axie Infinity Ronin Bridge Unauthorized Treasury Access

Each entry below gives the date and time (MDT), the event, and a description.

March 23rd, 2022 7:29:09 AM MDT - Theft Of Ethereum From Ronin Bridge: The attackers transfer 173,600 ETH from the Axie Infinity: Ronin Bridge to their personal wallet[6].

March 23rd, 2022 7:31:04 AM MDT - Theft Of USDC From Ronin Bridge: The attackers transfer 25,500,000 USDC from the Axie Infinity: Ronin Bridge to their personal wallet[7].

March 29th, 2022 10:29:00 AM MDT - Community Alert Posted: The Ronin Chain publishes a community alert[8]. They report that Ronin Network has been hit by a security breach that compromised Ronin validators, leading to a theft of 173,600 Ethereum and $25.5m in USDC. The attacker used hacked private keys to forge fake withdrawals, taking advantage of a backdoor in the network's gas-free RPC node to obtain the signature from the Axie DAO validator. After discovering the attack, Ronin halted the Ronin bridge and Katana DEX and is working to recover or reimburse all funds, as well as collaborate with law enforcement officials and forensic cryptographers. Deposits of AXS, RON, and SLP on Ronin are still safe. The company is also increasing the validator threshold from five to eight to prevent future attacks. They reportedly became aware of the exploit that same day after a user reported that they were unable to withdraw 5,000 ethereum from the vault[9]. TBD revisit and follow any links in this post which weren't viewed yet.

March 29th, 2022 12:41:00 PM MDT - Market Insider Article on Breach: Market Insider publishes an article about the exploit. Market Insider reports that a hacker targeted Axie Infinity's Ronin Network, stealing $625 million worth of ether and USDC. The network is reported to have halted transactions on its Ronin Bridge and Katana Dex servers, and is working to recover or reimburse the stolen funds in collaboration with law enforcement officials, forensic cryptographers, and investors. The hack took place the previous Wednesday, with the attacker using hacked private keys to forge fake withdrawals. The native token of the Ronin network, RON, has fallen by 22% following the incident[10].

March 30th, 2022 1:28:00 PM MDT - Community Alert Updated: Axie Infinity updates their community to indicate they are continuing their investigations. They mention they are working with both Chainalysis to monitor the stolen funds and Crowdstrike to handle forensics and the setup of surveillance tools. They are certain that the attack was an external breach, and "[a]ll evidence points to this attack being socially engineered, rather than a technical flaw". They are "committed to ensuring that all of the drained funds are recovered or reimbursed" though they don't mention any plan and are presently just "continuing conversations". They will "continue to provide updates"[9].

March 30th, 2022 9:53:00 AM MDT - Reports Of Reimbursement: Market Insider reports that Axie Infinity's owner, Sky Mavis, has pledged to reimburse users who lost tokens in the recent $600 million hack. The company is actively working on a solution and is committed to reimbursing affected players as soon as possible. The hack targeted the Ronin Network, which operates as a bridge for the Axie Infinity game, compromising the network and resulting in the theft of 173,600 ether and 25.5 million USDC stablecoins. Sky Mavis is collaborating with law enforcement, forensic cryptographers, and investors to recover or reimburse the stolen funds. The attack occurred on March 23, but the company only discovered it on Tuesday. Axie Infinity, a popular play-to-earn game, continues to attract users despite the incident. The hack exploited a vulnerability in the bridge mechanism, draining funds in two separate transactions. Sky Mavis is exploring alternative options to restore the value of the affected tokens. The native token of the Ronin blockchain, RON, experienced a 20% decline in value following the attack[11].

March 31st, 2022 2:03:00 PM MDT - Community Alert Updated: Axie Infinity updates to indicate that they are continuing their investigation and don't have any more substantial information to share. They have had "various calls" with key stakeholders, law enforcement agencies, and major exchanges. All of the former Sky Mavis validators have been replaced. They are pushing forward a plan to add new validators to the Ronin Network in the coming weeks[9].

April 2nd, 2022 3:00:00 AM MDT - Community Alert Updated: Axie Infinity announces that Binance has resumed withdrawals for both Axie Infinity Shards (AXS) and Smooth Love Potion (SLP) from their exchange. Wrapped Ether transactions remain closed. The Ronin Bridge will be reopened, but a timeline is not known at this time[9][12].

April 2nd, 2022 8:03:00 AM MDT - Market Insider Article Published: Market Insider publishes an article about the exploit, arguing that it shouldn't stop adoption[13]. TBD expand with more details.

April 2nd, 2022 8:21:00 AM MDT - Phil Rosen Twitter Timeline Published: A series of analysis Tweets is published by blockchain researcher Phil Rosen, and Twitter later publishes a special feature event timeline[4][5]. Experts have commented on the recent $600 million crypto swindle that targeted Axie Infinity's Ronin Network. They stated that the incident was not a fault of the blockchain itself but rather a cybersecurity failure. They emphasized the need to focus on building a trust layer in the crypto economy by implementing anti-money laundering infrastructure, compliance controls, and cybersecurity measures. Suggestions for solutions included funding for additional intelligence tools, robust cybersecurity networks, and educational outreach. The experts highlighted the importance of creating a secure environment for people to interact with the new online financial system.

April 6th, 2022 4:01:43 AM MDT - Funds Raised For Recovery: Sky Mavis, the company behind Axie Infinity, announces they have raised $150 million in a funding round led by Binance. Other participants in the round included Animoca Brands, a16z, Dialectic, Paradigm, and Accel. The funds will be used to reimburse users who were affected by the Ronin Validator Hack, in which 173,600 Ethereum and 25.5 million USDC were drained from the Ronin bridge. The Ronin Network bridge will open again once it has undergone a security upgrade and several audits, which may take several weeks. Sky Mavis will increase its validator group to 21 validators within the next three months, which will be a mix of partners, community members, and long-term allies[14][15]. TBD analyze change from "people" to "unique addresses" in post.

April 6th, 2022 5:12:00 AM MDT - Community Alert Updated: Information about the funding round is also posted on the official community alert[9].

April 14th, 2022 9:19:20 AM MDT - OFAC Publishes Sanction Notice: The United States Office of Foreign Assets Control publishes an official sanction of the Ethereum blockchain address 0x098B716B8Aaf21512996dC57EB0615e2383E2f96, informing that the address has been added to the OFAC SDN list. They include various aliases for the Lazarus Group including "Appleworm," "APT-C-26," and "Hidden Cobra," among others. The group is located in the Potonggang District of Pyongyang, North Korea. The statement notes that there is a secondary sanctions risk under the North Korea Sanctions Regulations, sections 510.201 and 510.210, and that transactions with the group are prohibited for persons owned or controlled by U.S. financial institutions under section 510.214 [DPRK3][16][17].

April 14th, 2022 12:00:00 PM MDT - Community Alert Updated: The Ronin Chain provides an update to their community. They state the FBI has now attributed the attack to the Lazarus Group, based in North Korea, and that the address receiving the stolen ethereum has now been sanctioned by the US government. They promise to deliver a full post-mortem with details of security implementations by the end of the month[9].

April 22nd, 2022 12:10:00 AM MDT - Binance Freezes Funds: Binance CEO Changpeng Zhao reports that the attackers "started to move their Axie Infinity stolen funds today. Part of it made to Binance, spread across over 86 accounts. $5.8M has been recovered."[18] The news is shared by multiple news outlets including Business Insider[19].

April 26th, 2022 2:22:46 AM MDT - Gadgets360 Article Mention: The incident is briefly mentioned in a Gadgets360 article on the Bored Ape Yacht Club Instagram hack[20]. "In March, Axie Infinity's Ronin blockchain developed by Sky Mavis was exploited for $625 million (roughly Rs. 4,729 crore)."

May 11th, 2022 11:05:32 AM MDT - CoinTelegraph Video Mention: The hack is mentioned in a CoinTelegraph video stream about Luna/UST crashing. "I want to remind everyone that even if you got here like six months ago you probably remember the Axie Infinity, the running Bridge hack which they lost over 600 million dollars on that day. The game is still there. The platform is still working. Yes, there was a bug. It was a hack. They lost a lot a ton of money. But the system still works. The users still see some value on that and it's still working. Crypto is under development, especially DeFi applications. They're being being built as we use them. So yes, there will be some mistakes, there will be some errors, but the system continues. This token does not disappear from one day to another."[21]

May 27th, 2022 1:54:00 AM MDT - Community Alert Updated: The Ronin Chain provides an update to their community. They state that they've completed an audit by the external firm Verichains, as well as an "internal" audit they conducted themselves. They are also in the process of getting an external audit from CertiK which they expect will take 15 days[9].

June 21st, 2022 10:54:00 AM MDT - Community Alert Updated: The Ronin Chain publishes an update to their community. They state that the CertiK audit is now completed and came back with only minor suggestions. They will be implementing the suggestions and are still on track to relaunch in the same month[9].

June 23rd, 2022 10:37:00 AM MDT - Community Alert Updated: The Ronin Chain published an update to their community. The post included a plan to reopen the Ronin Bridge on June 28th with all user funds returned. This includes a software update to the validation system. Validators are reportedly already instructed on how to upgrade, and non-validators are provided instructions to upgrade[9].

June 28th, 2022 2:19:00 AM MDT - Community Alert Updated: The Ronin Chain published an update to their community. They report that the Ronin hard-fork which required all validators to update their software has been successful and the Ronin Bridge is still on track to be opened today[9].

June 30th, 2022 3:00:16 AM MDT - New York Times Article: The Axie Infinity hack is included in a New York Times article titled "How North Korea Used Crypto to Hack Its Way Through the Pandemic", which discusses how North Korea has turned to cryptocurrency theft as a means of generating income and evading sanctions. The article specifically mentions the theft of $620 million in cryptocurrency from the video game Axie Infinity as a significant event that highlights the lucrative and relatively risk-free nature of cryptocurrency heists for North Korea. The article explains that North Korea, facing severe economic challenges due to UN sanctions and the COVID-19 pandemic, has resorted to trafficking weapons, illegal drugs, and counterfeit currency, as well as conducting cyberattacks to disrupt websites and steal from corporations and banks. The case of the Axie Infinity hack demonstrates North Korean hackers targeting a popular blockchain-based video game where players could accumulate cryptocurrency by playing. The hackers used phishing attacks and other tactics to breach the game's security. The article suggests that this theft provided strong evidence of the growing trend of cryptocurrency heists as a means for North Korea to finance weapons development[22].

September 28th, 2022 3:00:37 AM MDT - New York Times String of Hacks: A New York Times article discusses the recent string of hacks in the cryptocurrency industry, which has resulted in the theft of over $2 billion in digital currency this year[23]. These hacks have targeted decentralized finance (DeFi) projects, which allow users to engage in financial transactions without intermediaries like banks or brokers[23]. DeFi ventures rely on smart contracts, which are computer programs that execute transactions automatically[23]. However, flaws in the design and code of these smart contracts have made them vulnerable to attacks by hackers[23]. The article mentions the Axie Infinity bridge hack, where a hacker exploited vulnerabilities in a cross-chain bridge technology to steal $320 million[23]. These hacks have reportedly raised concerns about the security and stability of DeFi and have prompted DeFi startups to take preventive measures and strengthen security protocols[23].

Technical Details

TBD


[6][7][24]




"The hacker took over four of Sky Mavis' validator nodes and one from Axie DAO, enabling access to the crypto and eventually the massive theft. Sky Mavis said it has since replaced all of its validators and is working to reimburse the stolen funds."

"Five validator private keys were hacked; 4 Sky Mavis validators and 1 Axie DAO." "Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators."

Total Amount Lost

Funds stolen in the crypto hack include "deposits of players and speculators and the Axie Infinity Treasury revenue," Larsen said. "The heist, which wasn't detected until almost a week after it occurred, is believed to be one of the biggest in the history of crypto and highlights the sector's immense risks."


"Ronin said in a Tuesday blog post that the attacker stole roughly $625 million in crypto, draining 173,600 ether and 25.5 million USDC." "There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals." "The Sky Mavis team discovered the security breach on March 29th, after a report that a user was unable to withdraw 5k ETH from the bridge."

The total amount lost has been estimated at $625,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

"The easiest way to look at this is like the bridge is the bank for the Ronin Network," Larsen said. "The heist that happened took out all the ETH and USDC. So the ETH/USDC on Ronin Network is not currently backed by anything. But we are looking at other options."

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?




"We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short term damage, we have increased the validator threshold from five to eight. We are in touch with security teams at major exchanges and will be reaching out to all in the coming days. We are in the process of migrating our nodes, which is completely separated from our old infrastructure."

"We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained."


"We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed," Ronin Network wrote. "The attacker used hacked private keys in order to forge fake withdrawals."

"Max Galka, CEO of crypto forensics firm Elementus, pointed to the lapsed DAO deal as a major oversight, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains." "The hacker exploited a key oversight here to drain millions in tokens, said @galka_max, CEO of @elementus_io. (@BusinessInsider)" "@galka_max pointed to the lapsed DAO deal as a major mistake, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains. (@BusinessInsider, @MktsInsider)" "They never removed what was meant to be a temporary measure. It was an outright error," he told Insider.

"It was pure human error," @amber_ghaddar said. "If consumers aren't protected from things like this, the industry is going to fail," she said. (@BusinessInsider)"

"It's a cybersecurity issue, not a cryptocurrency issue," @ARedbord said. "The government is calling for crypto regulation, but really what would help is a hardening of cyberdefenses, rather than focusing on crypto." (@BusinessInsider)

"Solutions could include funding for additional intelligence tools as well as more robust and pervasive cybersecurity networks, @trmlabs said. @amber_ghaddar added that educational outreach could be beneficial too. (@BusinessInsider)"

"We need to focus on building out a trust layer in the crypto economy—anti-money laundering infrastructure, compliance controls, cybersecurity—so that people will interact with this new online financial system," @ARedbord said.

Ultimate Outcome

The wallet with the stolen Ethereum was placed on the OFAC sanction list.

Binance Funds Recovered

[19][18]

"The DPRK hacking group started to move their Axie Infinity stolen funds today. Part of it made to Binance, spread across over 86 accounts. $5.8M has been recovered," he wrote, referring to the Democratic People's Republic of Korea.

OFAC Sanction Notice

On April 14th, 2022, the US Department of the Treasury updated its SDN list to include the wallet address holding the Ethereum stolen in this attack. It issued a statement informing that changes had been made to OFAC's SDN List (a list of people and entities that are sanctioned by the US government). Specifically, the entry for the Lazarus Group was updated to include the digital currency address ETH 0x098B716B8Aaf21512996dC57EB0615e2383E2f96. The Lazarus Group is also known by various aliases, including "Appleworm," "APT-C-26," and "Hidden Cobra," among others. The group is located in the Potonggang District of Pyongyang, North Korea. The statement notes that there is a secondary sanctions risk under the North Korea Sanctions Regulations, sections 510.201 and 510.210, and that transactions with the group are prohibited for persons owned or controlled by U.S. financial institutions under section 510.214 [DPRK3][16][17].

Raising Funds For Reimbursement

"Sky Mavis announced a 150 million USD funding round led by Binance with participation from Animoca Brands, a16z, Dialectic, Paradigm. The round combined with Sky Mavis and Axie balance sheet funds, will be used to ensure that all users affected by the Ronin Validator Hack will be reimbursed."

Resumption of Withdrawals

"Binance has resumed withdrawals for Axie Infinity Shards (AXS) and Smooth Love Potion (SLP)."

Increasing Strength of Multi-Sig Wallet

"Moving forward, the [multisig] threshold will be eight out of nine. We will be expanding the validator set over time, on an expedited timeline."

Additional Auditing Going Forward

"The Ronin Network bridge will open once it has undergone a security upgrade and several audits, which can take several weeks. Sky Mavis is in the process of implementing rigorous internal security measures to prevent future attacks."

Thanks To Community For Patience

"The last 8 days have been the hardest stretch of our four-year journey. Thank you for your bravery, kindness, prayers, and words of support. You’ve been a constant source of energy and inspiration for us as we’ve worked tirelessly to resolve the Ronin breach."

Total Amount Recovered

"Most of the stolen funds remain in the attacker's address, but about 6,250 ether has been transferred to a slate of other addresses."

The total amount recovered has been estimated at $5,800,000 USD.

"Binance, the world's largest cryptocurrency exchange, has recovered nearly $6 million from a North Korean group suspected to be behind a $620 million hack of the popular play-to-earn game Axie Infinity."

Sky Mavis has pledged to reimburse users who lost tokens in the recent $600 million hack. The company is actively working on a solution and is committed to reimbursing affected players as soon as possible. The hack targeted the Ronin Network, which operates as a bridge for the Axie Infinity game, compromising the network and resulting in the theft of 173,600 ether and 25.5 million USDC stablecoins. Sky Mavis is collaborating with law enforcement, forensic cryptographers, and investors to recover or reimburse the stolen funds. The attack occurred on March 23, but the company only discovered it on Tuesday. Axie Infinity, a popular play-to-earn game, continues to attract users despite the incident. The hack exploited a vulnerability in the bridge mechanism, draining funds in two separate transactions. Sky Mavis is exploring alternative options to restore the value of the affected tokens. The native token of the Ronin blockchain, RON, experienced a 20% decline in value following the attack[11].

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

TBD - What's going on with attempts to recover the funds?


"The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the funds are not fully recovered within two years, the Axie DAO will vote on next steps for the treasury. We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction."

Individual Prevention Policies

When it comes to users protecting themselves on the blockchain, special care is needed any time funds are not held in your own wallet. Users must avoid or exercise an extreme level of diligence when depending on any third party.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

A proper multi-signature setup keeps all keys offline and held by separate human individuals, which means that multiple human beings must be breached at the same time to obtain access to the funds. While Axie Infinity did set up a multi-signature wallet, it failed because the keys were not actually distributed across multiple human beings. Instead, four of the five keys required for a withdrawal were held by a single (inactive) organization, and one of the keys was held by an automated software system. When multiple keys are held by the same entity or secured in the same manner, the benefit of the multi-signature wallet is circumvented. Keys need to be stored offline and managed by humans with the critical thinking needed to detect suspicious transactions.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
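To make the "Four Keys By One Holder" and "Gas-Free RPC Node Backdoor" analysis and the two policy paragraphs above concrete, here is an added example (not code from this page, from Sky Mavis or from the Ronin project) that computes how many distinct holders an attacker must breach to reach a signing threshold, given who holds which key and which keys sit with an automated signer. The key layout and holder names are constructed for illustration, modelled on the page's description (four keys with one holder, one automated signer, four separately held keys); the policy check uses the page's minimum of three independent signatories.

```python
from collections import Counter
from typing import Dict, Iterable, Optional, Sequence


def min_holders_to_reach(key_holders: Sequence[str], threshold: int,
                         no_human_in_loop: Iterable[str] = ()) -> Optional[int]:
    """Smallest number of distinct holders that must be breached to collect
    `threshold` signatures.

    Keys whose holder is listed in `no_human_in_loop` (for example an automated
    signer that hands out signatures on request) are treated as obtainable
    without a separate breach, so they count towards the threshold for free.
    Returns None when the threshold cannot be reached at all.
    """
    free_holders = set(no_human_in_loop)
    free_keys = sum(1 for h in key_holders if h in free_holders)
    still_needed = threshold - free_keys
    if still_needed <= 0:
        return 0
    # An attacker would go after the holders with the most keys first,
    # so count keys per human holder and take the largest piles first.
    per_holder = Counter(h for h in key_holders if h not in free_holders)
    collected = 0
    for breached, count in enumerate(sorted(per_holder.values(), reverse=True), start=1):
        collected += count
        if collected >= still_needed:
            return breached
    return None


def assess_scheme(key_holders: Sequence[str], threshold: int,
                  no_human_in_loop: Iterable[str] = ()) -> Dict[str, object]:
    """Summarise how much independent control a t-of-n layout really requires."""
    auto = set(no_human_in_loop)
    return {
        "keys": len(key_holders),
        "threshold": threshold,
        "distinct_holders": len(set(key_holders)),
        "largest_single_holder": max(Counter(key_holders).values()),
        "breaches_needed": min_holders_to_reach(key_holders, threshold),
        "breaches_needed_with_automated_signer": min_holders_to_reach(key_holders, threshold, auto),
    }


def meets_distribution_policy(key_holders: Sequence[str], threshold: int,
                              no_human_in_loop: Iterable[str] = (),
                              min_independent_parties: int = 3) -> bool:
    """Policy from the page: every key with its own human holder, and at least
    `min_independent_parties` distinct holders must be breached to sign."""
    auto = set(no_human_in_loop)
    one_key_per_human = (len(set(key_holders)) == len(key_holders)
                         and not any(h in auto for h in key_holders))
    breaches = min_holders_to_reach(key_holders, threshold, auto)
    return one_key_per_human and breaches is not None and breaches >= min_independent_parties


# Constructed layout modelled on the page's description of the Ronin bridge.
# Holder names and the exact split are assumptions made for this illustration.
RONIN_LIKE_KEYS = (["Sky Mavis"] * 4 + ["Axie DAO signer"]
                   + ["Validator F", "Validator G", "Validator H", "Validator I"])
AUTOMATED_SIGNERS = {"Axie DAO signer"}

# The layout the page recommends: nine keys, nine separate human holders.
WELL_DISTRIBUTED_KEYS = [f"Holder {i}" for i in range(1, 10)]

if __name__ == "__main__":
    for label, keys, auto, t in [
        ("Ronin-like, 5-of-9", RONIN_LIKE_KEYS, AUTOMATED_SIGNERS, 5),
        ("Ronin-like, 8-of-9 after the fix", RONIN_LIKE_KEYS, AUTOMATED_SIGNERS, 8),
        ("Well distributed, 5-of-9", WELL_DISTRIBUTED_KEYS, set(), 5),
    ]:
        print(label, assess_scheme(keys, t, auto),
              "policy ok:", meets_distribution_policy(keys, t, auto))
```

Run stand-alone, the script shows the Ronin-like 5-of-9 layout collapsing to a single breach once the automated signer is counted as free, while raising the threshold to 8-of-9 on the same layout forces four independent breaches and the fully distributed layout keeps the nominal five.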

All aspects of any platform should undergo regular validation and inspection by experts. This validation should include a security audit of any smart contracts, a report on any risks to the backing of customer assets, confirmation that treasuries and minting functions are properly secured under the control of a multi-signature wallet, and identification of any inadequacies in the training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be used again within a 14 month period.

In the event of a failure, it is important to have funds ready to make users whole. While Axie Infinity was able to raise a large amount of capital from investors, they could already have set aside a portion of funds in an offline multi-signature treasury. Another option, which reduces the capital requirements on each platform, is to pool insurance funds into an industry insurance fund that can cover multiple platforms.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

A proper third party assessment of the wallet would most likely have uncovered the vulnerabilities: that 4 of the 9 keys were held by a single entity, that this entity was inactive and not securing its keys properly, and that another key was held by a vulnerable automated system instead of a human being. Detecting and correcting any one of these would have prevented the breach of funds entirely.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default by any third parties to which funds are lent. The security assessment must confirm that a proper multi-signature wallet is in place and that all signatories are properly trained. Assessments must also cover social media, database, and DNS security.
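The assessment cadence stated here, and in the platform policy above, is concrete enough to check automatically against a platform's assessment history. The following is an added example (not code from this case study or from the Quadriga Initiative) that takes a launch date and a list of past assessments and reports every deviation: fewer than two assessments before launch, a late first assessment after the 3 month mark, a gap longer than 6 months between later assessments, and an auditing firm reused within 14 months. It assumes the 6 month interval is measured from the previous assessment, and the dates and firm names in the sample are constructed.

```python
"""Assessment cadence and auditor rotation checker (added example)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass(frozen=True)
class Assessment:
    performed: date
    firm: str


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with the standard library only; the day is
    clamped to the end of the target month (e.g. Jan 31 + 1 month = Feb 28)."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def check_assessment_cadence(launch: date, assessments: List[Assessment],
                             today: date) -> List[str]:
    """Return a list of findings; an empty list means the history complies.

    Rules encoded (from the policy text): 2 assessments before launch, the
    first post-launch assessment within 3 months, then one every 6 months
    (assumed: measured from the previous assessment), and no firm reused
    within 14 months of its previous assessment.
    """
    findings: List[str] = []

    pre_launch = [a for a in assessments if a.performed <= launch]
    if len(pre_launch) < 2:
        findings.append(f"only {len(pre_launch)} assessment(s) before launch "
                        f"{launch}; 2 required")

    post_launch = sorted((a for a in assessments if a.performed > launch),
                         key=lambda a: a.performed)
    due = add_months(launch, 3)
    for a in post_launch:
        if a.performed > due:
            findings.append(f"assessment on {a.performed} was late (due {due})")
        due = add_months(a.performed, 6)
    if today > due:
        findings.append(f"next assessment overdue since {due}")

    # Auditor rotation: compare every pair of assessments by the same firm.
    by_date = sorted(assessments, key=lambda a: a.performed)
    for i, earlier in enumerate(by_date):
        for later in by_date[i + 1:]:
            if (earlier.firm == later.firm
                    and later.performed < add_months(earlier.performed, 14)):
                findings.append(f"{later.firm} reused on {later.performed}, "
                                f"within 14 months of {earlier.performed}")
    return findings


# Constructed sample history: two pre-launch audits, a timely 3 month audit,
# then FirmA brought back after only 11 months.
LAUNCH = date(2022, 1, 15)
HISTORY = [
    Assessment(date(2021, 11, 1), "FirmA"),
    Assessment(date(2021, 12, 10), "FirmB"),
    Assessment(date(2022, 4, 10), "FirmC"),
    Assessment(date(2022, 10, 5), "FirmA"),
]
# Same history with a fresh firm for the fourth assessment.
COMPLIANT_HISTORY = HISTORY[:3] + [Assessment(date(2022, 10, 5), "FirmD")]

if __name__ == "__main__":
    for finding in check_assessment_cadence(LAUNCH, HISTORY, date(2022, 12, 1)):
        print("finding:", finding)
```

On the constructed sample, the only finding is the FirmA reuse; swapping the fourth assessment to a new firm yields an empty list, and advancing `today` past 5 April 2023 would add an overdue finding.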

While securing and preventing the issue is ideal, it is also a good idea to have an industry insurance fund available to assist victims. This would reduce the requirements on platforms to maintain their own treasuries for this purpose, the reliance on funds having to be raised from investors, or the risk that users may be left severely damaged through an attack or exploit.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
