Community Alert: Ronin Validators Compromised

6/28/22 00:19am PST This post has been updated with additional Key Points.

6/23/22 08:37am PST This post has been updated with additional Key Points.

6/21/22 08:54am PST This post has been updated with additional Key Points.

5/26/22 23:54pm PST This post has been updated with additional Key Points.

4/14/22 10:00am PST This post has been updated with additional Key Points.

4/6/22 03:12am PST This post has been updated with additional Key Points.

4/2/22 1:00am PST This post has been updated with additional Key Points.

3/31/22 12:03pm PST This post has been updated with additional Key Points.

3/30/22 11:28am PST This post has been updated with additional Key Points.

6/28/22 Updated Key Points

  • The Ronin hard-fork which required all validators to update their software has been successful.

  • The Ronin Bridge is still on track to be opened today.

6/23/22 Updated Key Points

  • We plan on re-opening the Ronin Bridge on June 28th, with all user funds returned.

  • The Bridge opening is contingent on a Ronin hard-fork which requires all validators to update their software. 

  • Validators have been informed regarding next steps to upgrade their validating node.

  • Non-validators need to follow these instructions:

    • Upgrading a non-validating node: https://docs.roninchain.com/docs/developer-guide/upgrade-ronin-node

    • Setting up a new non-validating node: https://docs.roninchain.com/docs/developer-guide/running-non-validating-node

    • The latest snapshot for non-validating nodes will always be available here: https://docs.roninchain.com/docs/developer-guide/running-non-validating-node#start-node-from-a-snapshot

6/21/22 Updated Key Points

  • We are happy to report that the Certik audit came back with minor suggestions.

  • We are implementing Certik’s improvement recommendations and will begin to deploy the Governance Smart Contract.

  • The Ronin Bridge is still on track for a re-opening this month.

5/26/22 Updated Key Points

Audit and Bridge Reopening Updates

Last month we published our Security Roadmap that laid out the steps we are taking to bolster Ronin’s security now and in the future. Part of that roadmap included audits of Ronin and the Ronin bridge specifically. 

We are pleased to announce that we have successfully conducted and passed two audits for the Ronin Bridge. One internal audit and one external audit, led by Verichains. However, in order to become the gold standard when it comes to security, we are in the process of a second external audit led by Certik. This audit is expected to take 15 days. If that audit comes back clean, we will be able to reopen the bridge in the middle of June. 

We thank you for your patience and support.

4/14/22 Updated Key Points

  • Today, the FBI attributed North Korea based Lazarus Group to the Ronin Validator Security Breach.

  • The US Government, specifically the Treasury Department, has sanctioned the address that received the stolen funds.  

  • We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk. Expect the bridge to be deployed by end of month. Security comes first. The timeline is subject to change based on the implementation time of several security measures.

  • We would like to extend a thank you to all law enforcement agencies who have supported us in this ongoing investigation. 

  • We expect to deliver a full post mortem that will detail security measures put in place and next steps by the end of the month. 

  • Security remains our top priority, and we look forward to sharing our learnings with our community and the broader ecosystem. We thank you for your patience.

4/6/22 Updated Key Points

  • Today Sky Mavis announced a 150 million USD funding round led by Binance with participation from Animoca Brands, a16z, Dialectic, Paradigm

  • The round combined with Sky Mavis and Axie balance sheet funds, will be used to ensure that all users affected by the Ronin Validator Hack will be reimbursed 

  • The Ronin Network bridge will open once it has undergone a security upgrade and several audits, which can take several weeks

  • Sky Mavis is in the process of implementing rigorous internal security measures to prevent future attacks

4/2/22 Updated Key Points

  • We are happy to report that Binance has resumed withdrawals for Axie Infinity Shards (AXS) and Smooth Love Potion (SLP). We appreciate the ongoing support and trust from the Binance team during this process. 

  • Withdrawals of Wrapped Ether (WETH) on the Ethereum network, and the convert function from WETH to ETH remain closed in the interim. A dedicated monitoring team from Binance continues to track any unusual transactions.

  • Ronin Bridge will be reopened, but the exact timeline is still being determined and is dependent on security audits and updates to the bridge. 

  • Ronin Network itself remains secure.

3/31/22 Updated Key Points

  • The investigation continues, and at this stage, we cannot share more substantial information. We have had various calls with key stakeholders, law enforcement agencies, and major exchanges.

  • Today we replaced all of the former Sky Mavis validators.

  • We are pushing our plan to add new validators to Ronin in the coming weeks. This will be a key step in bolstering the security of the network. The root cause of our attack was the small validator set which made it much easier to compromise the network.

3/30/22 Updated Key Points

  • We are in the process of conducting a thorough investigation; working with Chainalysis to monitor the stolen funds and Crowdstrike to handle forensics and the setup of surveillance tools.

  • While the investigations are ongoing, at this point we are certain that this was an external breach. All evidence points to this attack being socially engineered, rather than a technical flaw.

  • We are committed to ensuring that all of the drained funds are recovered or reimbursed, and we are continuing conversations with our stakeholders to determine the best course of action.

  • We will continue to provide updates in this newsletter as the investigation continues.

Original article – posted 3/29/2022 8:29am PST

Key Points

  • The Ronin bridge has been exploited for 173,600 Ethereum and 25.5M USDC.

  • The Ronin bridge and Katana Dex have been halted.

  • We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed. All of the AXS, RON, and SLP on Ronin are safe right now.

There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge. 

Details About The Attack

Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO. 
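The paragraph above is the whole story of the bridge failure in one number: a five-of-nine signature threshold means that any five validator keys, however they are obtained, are sufficient to authorize a withdrawal. The simulation below is an added example (not Sky Mavis code, and not how the Ronin bridge contract is actually implemented) that models an M-of-N validator check the way a defender would reason about it. It assumes HMAC-SHA256 as a stand-in for the validators' real ECDSA signatures, a constructed nine-validator set, and a hypothetical withdrawal encoding; the 5-of-9 and 8-of-9 thresholds are the ones the post names. It also covers the threshold change in "Actions Taken" and the threshold question in the Q&A further down: the same five keys that pass at threshold five fail at threshold eight, and a repeated signature from one validator is counted only once.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for validator signing keys. Real Ronin validators use
# ECDSA keys; HMAC-SHA256 is used here only so the example runs offline with
# the standard library. Nine validators, as stated in the post.
VALIDATORS = {f"validator-{i}": secrets.token_bytes(32) for i in range(1, 10)}


def withdrawal_digest(recipient: str, token: str, amount: int, nonce: int) -> bytes:
    """Canonical encoding of the withdrawal the validators are asked to approve
    (hypothetical format; a real bridge hashes an ABI-encoded struct)."""
    return hashlib.sha256(f"{recipient}|{token}|{amount}|{nonce}".encode()).digest()


def sign_withdrawal(validator: str, key: bytes, digest: bytes):
    """One validator attests to the withdrawal (HMAC stands in for ECDSA)."""
    return validator, hmac.new(key, digest, hashlib.sha256).digest()


def valid_signers(digest: bytes, signatures, validator_set) -> set:
    """Return the set of DISTINCT validators whose signatures verify.

    Using a set is the important detail: the same validator submitting the
    same signature five times must not be counted as five approvals.
    """
    signers = set()
    for validator, sig in signatures:
        key = validator_set.get(validator)
        if key is None:
            continue  # signer is not in the validator set: ignore it
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            signers.add(validator)
    return signers


def withdrawal_authorized(digest: bytes, signatures, validator_set, threshold: int) -> bool:
    """The bridge rule: at least `threshold` distinct valid validator signatures."""
    return len(valid_signers(digest, signatures, validator_set)) >= threshold


def compromise_scenario(compromised: int, threshold: int) -> bool:
    """Can a party holding `compromised` validator keys get a withdrawal approved?

    This is the defender's capacity calculation, not an attack: it answers
    "how many keys does the threshold tolerate losing?" for a given setting.
    """
    digest = withdrawal_digest("0xRECIPIENT-PLACEHOLDER", "ETH", 173_600, nonce=1)
    held_keys = list(VALIDATORS.items())[:compromised]
    sigs = [sign_withdrawal(v, k, digest) for v, k in held_keys]
    return withdrawal_authorized(digest, sigs, VALIDATORS, threshold)


if __name__ == "__main__":
    for threshold in (5, 8):
        print(f"threshold {threshold}/9: five keys sufficient? "
              f"{compromise_scenario(5, threshold)}")
```

The point the numbers make: with nine validators, a threshold of five tolerates the loss of at most four keys, while a threshold of eight tolerates only one lost key before withdrawals can be forged, but also halts the bridge if any two validators are offline. That availability cost is exactly the trade-off the Q&A below describes when it explains why five was chosen originally.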

The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.  

This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. 

Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. 
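The three paragraphs above describe a delegation that was granted for an emergency in November, no longer needed in December, and still honoured in March. The added example below (not Sky Mavis code, and not the actual gas-free RPC's allowlist format) models that allowlist as a defender would want it: the weak check only asks whether an entry exists, while the hardened check requires an unexpired, unrevoked grant at the time of the request and rejects open-ended grants outright. It also includes an audit helper that lists entries which should have been removed. Requester and validator names, the grant dates, and the expiry are constructed for illustration; the November 2021 grant, December 2021 discontinuation, and the March 23 abuse are the dates the post gives.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so dates in this example are unambiguous (UTC, midnight)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class DelegationEntry:
    """One allowlist row: `requester` may obtain signatures on behalf of `validator`."""
    requester: str
    validator: str
    granted_at: datetime
    expires_at: Optional[datetime] = None   # None = open-ended (the weak setting)
    revoked_at: Optional[datetime] = None   # set when the grant is withdrawn


def delegation_allowed_weak(allowlist: List[DelegationEntry], requester: str, validator: str) -> bool:
    """Presence-only check: once an entry is added, it works forever.
    This is the failure mode the post describes (access discontinued, never revoked)."""
    return any(e.requester == requester and e.validator == validator for e in allowlist)


def delegation_allowed(allowlist: List[DelegationEntry], requester: str,
                       validator: str, now: datetime) -> bool:
    """Hardened check: the grant must exist, carry an expiry that has not passed,
    and not have been revoked at the time of the request."""
    for e in allowlist:
        if e.requester != requester or e.validator != validator:
            continue
        if e.revoked_at is not None and now >= e.revoked_at:
            continue                                   # explicitly withdrawn
        if e.expires_at is None or now >= e.expires_at:
            continue                                   # open-ended or expired: refuse
        if now < e.granted_at:
            continue                                   # not yet in force
        return True
    return False


def stale_entries(allowlist: List[DelegationEntry], now: datetime) -> List[DelegationEntry]:
    """Audit helper: entries that are open-ended, expired, or revoked but still present.
    Running this on a schedule is what turns a forgotten grant into a ticket."""
    return [
        e for e in allowlist
        if e.expires_at is None
        or now >= e.expires_at
        or (e.revoked_at is not None and now >= e.revoked_at)
    ]


def sample_allowlist() -> List[DelegationEntry]:
    """Constructed allowlist mirroring the post's timeline: a grant made in
    November 2021 for the user-load emergency, meant to end in December 2021."""
    return [
        DelegationEntry(
            requester="sky-mavis-gasfree-rpc",      # hypothetical name
            validator="axie-dao-validator",        # hypothetical name
            granted_at=utc(2021, 11, 1),           # constructed day within the stated month
            expires_at=utc(2021, 12, 31),          # constructed expiry matching the stated end
        )
    ]


if __name__ == "__main__":
    al = sample_allowlist()
    when = utc(2022, 3, 23)   # the date of the malicious withdrawals
    print("weak check  :", delegation_allowed_weak(al, "sky-mavis-gasfree-rpc", "axie-dao-validator"))
    print("hardened    :", delegation_allowed(al, "sky-mavis-gasfree-rpc", "axie-dao-validator", when))
    print("stale rows  :", len(stale_entries(al, when)))
```

Rejecting open-ended grants in the hardened check is a deliberate design choice: an emergency delegation with no end date is the one that nobody comes back to remove. Tying every entry to an expiry means the default outcome of forgetting is denial rather than continued access.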

We have confirmed that the signatures on the malicious withdrawals match up with the five suspected validators.

Actions Taken

  1. We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short term damage, we have increased the validator threshold from five to eight.

  2. We are in touch with security teams at major exchanges and will be reaching out to all in the coming days. 

  3. We are in the process of migrating our nodes to new infrastructure that is completely separated from our old infrastructure.

  4. We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained. 

  5. We have temporarily disabled Katana DEX due to the inability to arbitrage and deposit more funds to Ronin Network. 

  6. We are working with Chainalysis to monitor the stolen funds. 

Next Steps 

We are working directly with various government agencies to ensure the criminals get brought to justice. 

We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users’ funds are lost. 

Sky Mavis is here for the long term and will continue to build. 

Q&A for Media and Community

  • Why was the validator threshold only five?

Originally, Sky Mavis chose the five out of nine threshold because some nodes had not caught up with the chain, or were stuck in a syncing state. Moving forward, the threshold will be eight out of nine. We will be expanding the validator set over time, on an expedited timeline.

  • Where are the funds now? 

Most of the hacked funds are still in the hacker’s wallet: https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96

  • How did this happen?

We are in the process of conducting a thorough investigation. 

Five validator private keys were hacked; 4 Sky Mavis validators and 1 Axie DAO.

The validator key scheme is set up to be decentralized so that it limits an attack vector such as this, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.  

This traces back to November 2021 when the Axie DAO validator was allowlisted to distribute free transactions. This was discontinued in December 2021, but the Axie DAO validator IP was still on the allowlist. 

Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. 

We have confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.

  • Is Ronin safe for me to use?

As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats. We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks. 

  • Why are we being notified about the breach now? 

The Sky Mavis team discovered the security breach on March 29th, after a report that a user was unable to withdraw 5k ETH from the bridge.

  • Are funds on Ronin at risk?

ETH and USDC deposits on Ronin have been drained from the bridge contract. We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now.

All of the AXS, RON, and SLP on Ronin are safe right now.

  • What does this mean for users who have funds on Ronin Network?

As of right now users are unable to withdraw or deposit funds to Ronin Network. Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed.