Decentralized Finance (DeFi) networks are becoming an increasingly attractive target for cybercriminals because of their various inherent weaknesses. This was demonstrated once again by a breach of the Ronin network, in which the perpetrators attacked the bridge between the Ronin network and the popular NFT game “Axie Infinity”.
The attackers are reported to have made off with $625 million worth of Ethereum and other coins, making it one of the largest DeFi thefts to date.
NFT game permissions abused to steal Ethereum
The breach was confirmed on March 29 by Sky Mavis, the operator of Axie Infinity. The company states that the investigation is still underway, but that the signs point to social engineering rather than a code vulnerability. It also said it is confident the attack was external, with no insider involvement. The Ronin Bridge and the associated Katana decentralized exchange (KatanaDex) have been suspended while the investigation continues, and transactions on the Ronin network were also halted during this time.
The Ronin network is said to have lost 173,600 ETH and 25.5 million USDC, a stablecoin pegged to the US dollar. Sky Mavis states that most of the funds are still sitting in the hacker’s wallet and that efforts to recover them are underway. In such cases the usual playbook is to contact the hackers and offer a multi-million-dollar “bounty” for returning the stolen funds, recasting the whole affair as a kind of “security demonstration”. Sky Mavis also says it is actively working with law enforcement agencies and has brought in Chainalysis, a blockchain analytics and tracking company.
Axie Infinity is an NFT game released in 2018 that has exploded in popularity in recent months, with primary sales of its in-game assets exceeding $4 billion. The game plays more or less like Pokemon: users buy NFT-linked creatures (usually starting at around $25) to train them and fight other players. Before the breach, the game was considered one of the biggest success stories in the cryptocurrency world.
The weakness that was exploited is a well-worn classic that plagues workplaces everywhere: older Sky Mavis accounts with dangerous permission levels were never deactivated and were left waiting to be hijacked by an enterprising attacker. In this case, the NFT game had seen its largest-ever surge of new users, and a set of administrative accounts was created in November 2021 to temporarily handle the extra workload. Those accounts were no longer in use as of December 2021, but they were never deactivated.
Ronin network’s own “verification node” system exploited in the attack
Major blockchains like Bitcoin and Ethereum are typically protected by a “Proof of Work” system, the standard since Bitcoin debuted in the late 2000s. The Ronin network instead uses an alternative called “Proof of Stake”, which requires far less energy but relies on validator nodes to keep the system safe. The attacker was able to use an account stolen from the NFT game operator to take over 5 of the 9 validator nodes and use their private keys to approve fraudulent withdrawals. Four of those validators are run by the Ronin network itself, and the fifth (which created the required majority) belongs to the NFT game operator.
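To make the two weaknesses described above concrete, here is an added illustration (not code from Sky Mavis, Ronin, or this article) of a toy M-of-N validator bridge modelled on the 5-of-9 scheme, together with two defensive checks a bridge operator might want: an operator-diversity rule on approvals, and a sweep for privileged accounts that have gone unused. Validator names, operator labels, secrets, dates and the withdrawal text are all constructed for the example, and HMAC stands in for real digital signatures.

```python
"""Toy model of a 5-of-9 validator bridge with two extra defensive checks.

Added example, not Ronin's or Sky Mavis's code. Every name, key and date
below is constructed; HMAC stands in for real validator signatures.
"""
import hashlib
import hmac
from datetime import date

# Constructed validator set: 9 validators, each tagged with the organisation
# that operates its key. The operator labels are assumptions for illustration.
VALIDATORS = {
    "val-1": ("ronin-ops", b"secret-1"),
    "val-2": ("ronin-ops", b"secret-2"),
    "val-3": ("ronin-ops", b"secret-3"),
    "val-4": ("ronin-ops", b"secret-4"),
    "val-5": ("game-operator", b"secret-5"),
    "val-6": ("external-a", b"secret-6"),
    "val-7": ("external-b", b"secret-7"),
    "val-8": ("external-c", b"secret-8"),
    "val-9": ("external-d", b"secret-9"),
}
THRESHOLD = 5  # 5 of 9, as in the article

# Constructed withdrawal request the validators are asked to approve.
WITHDRAWAL = "withdraw 173600 ETH to 0xPLACEHOLDER"


def sign(validator_id, withdrawal):
    """Stand-in for a validator signature: HMAC-SHA256 over the withdrawal."""
    _, key = VALIDATORS[validator_id]
    return hmac.new(key, withdrawal.encode(), hashlib.sha256).hexdigest()


def valid_approvals(withdrawal, approvals):
    """Return the set of validator ids whose signature actually verifies."""
    ok = set()
    for vid, sig in approvals.items():
        if vid in VALIDATORS and hmac.compare_digest(sig, sign(vid, withdrawal)):
            ok.add(vid)
    return ok


def bridge_accepts(withdrawal, approvals, min_operators=1):
    """Plain M-of-N threshold check, plus an optional operator-diversity rule.

    min_operators=1 reproduces the bare threshold. A higher value additionally
    requires that the approving validators span that many distinct operating
    organisations, so that compromising one organisation's keys is not enough.
    """
    ok = valid_approvals(withdrawal, approvals)
    if len(ok) < THRESHOLD:
        return False
    operators = {VALIDATORS[v][0] for v in ok}
    return len(operators) >= min_operators


def stale_accounts(accounts, today, max_idle_days=30):
    """Privileged accounts whose last use is older than the idle limit."""
    return sorted(name for name, last_used in accounts.items()
                  if (today - last_used).days > max_idle_days)


def scenario_five_compromised():
    """Attacker holds the four ronin-ops keys plus the game operator's key."""
    compromised = ["val-1", "val-2", "val-3", "val-4", "val-5"]
    approvals = {v: sign(v, WITHDRAWAL) for v in compromised}
    # A forged approval with the wrong key must not count toward the threshold.
    approvals["val-6"] = hmac.new(b"wrong", WITHDRAWAL.encode(),
                                  hashlib.sha256).hexdigest()
    return {
        "verified": len(valid_approvals(WITHDRAWAL, approvals)),
        "plain_threshold": bridge_accepts(WITHDRAWAL, approvals),
        "with_diversity_rule": bridge_accepts(WITHDRAWAL, approvals,
                                              min_operators=3),
    }


def scenario_stale_admins():
    """Constructed account inventory mirroring the November 2021 surge accounts."""
    inventory = {
        "admin-surge-2021-11": date(2021, 12, 1),  # last used, never disabled
        "admin-daily-ops": date(2022, 3, 28),
    }
    return stale_accounts(inventory, today=date(2022, 3, 29))


if __name__ == "__main__":
    print(scenario_five_compromised())
    print(scenario_stale_admins())
```

With five genuine keys in hand, the bare 5-of-9 check passes even though the forged sixth approval is rejected; the same approvals fail once signatures from at least three distinct operators are required, because the five keys only span two organisations. The stale-account sweep flags the November 2021 administrative account that was last used in December 2021. The diversity rule and the 30-day idle limit are mitigation ideas for the example, not a description of how Ronin is actually configured.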
Chris Clements, Vice President of Solution Architecture at Cerberus Sentinel, explains the difference between the “proven” names in cryptocurrency and the more experimental newcomers of DeFi: “Blockchain technologies like Bitcoin and Ethereum have so far proven to be resistant to direct attacks. Third parties such as entities and exchanges built on top of these technologies often have nowhere near the security that supports the blockchain itself, and they are targeted by cybercriminals. On top of this, several perverse incentives are at work. First, developers are competing to enable ever more convenient ways to manage or trade cryptocurrencies. This speed can lead to mistakes and oversights that expose customers to losses from cyberattacks. Second, the amount of money involved is astronomical. These platforms and services often hold or process millions of dollars in coin value. This is a very powerful incentive for the smartest hackers on the planet to seek out and target potential oversights and vulnerabilities that could lead to unimaginable wealth if successfully exploited. Finally, given that developers or platform operators themselves hold the keys to managing huge amounts of money, in a market plagued by fraud from almost every possible source, they can themselves be the perpetrators of an attack.”
Part of the appeal of decentralized finance to consumers is the complete absence of government regulation and involvement, which also makes it difficult to examine the details of attacks like this one. Those who lost Ethereum are unlikely to get it back unless the Ronin network chooses to negotiate with the hackers for its return or to cover its patrons’ losses itself.
The Axie NFT game will probably carry on given the level of player interest, but it is effectively suspended for now: new players can’t register and existing players can’t trade their virtual creatures. Since the game itself was not robbed, this may help preserve the confidence of players who have invested hundreds of thousands of dollars in it. The average price of an entry-level Axie has risen to nearly $100, and some players have spent as much as $820,000 on individual creatures.
Another controversial aspect of the case is that some cryptocurrency traders and security researchers appear to have realized that the NFT game was compromised long before the Ronin network was compromised, and instead of disclosing this information, they chose to take a short position on the market.