Details of the $620 million theft from Ronin: 5 validator private keys were stolen, and the theft came to light 6 days after the incident, following user reports

Key points:

173,600 ETH and 25.5 million USDC were stolen from the Ronin bridge.

Ronin Bridge and Katana DEX have been halted.

We are already working with law enforcement, cryptographers, and investment institutions to ensure that all funds are recovered or repaid. All AXS, RON, and SLP on Ronin are now safe.

Earlier today, Ronin officials discovered that Sky Mavis' Ronin validator nodes and the Axie DAO validator node were compromised on March 23, resulting in 173,600 Ethereum and 25.5 million USDC flowing out of the bridge in two transactions. The attacker used the compromised private keys to forge withdrawals. Ronin discovered the attack this morning after a user reported being unable to withdraw 5,000 ETH from the bridge.

Attack Details

Sky Mavis' Ronin chain currently consists of nine validator nodes. For a deposit event or a withdrawal event to be recognized, signatures from five of the nine validators are required. The attacker managed to take control of Sky Mavis' four Ronin validators and a third-party validator run by Axie DAO.

The validator key scheme is set up to be decentralized in order to limit attacks similar to this, but the attacker found a backdoor through our gasless RPC node, which they abused to obtain signatures from the Axie DAO validator.

This dates back to November 2021, when Sky Mavis asked Axie DAO for help in distributing free transactions due to the huge user load. Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This stopped in December 2021, but the allowlist access was not revoked.

Once the attacker had access to the Sky Mavis systems, they were able to use the gasless RPC to obtain signatures from the Axie DAO validator.

Ronin has confirmed that the signatures in the malicious withdrawals match the five suspected validators.
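The gap between the nominal 5-of-9 threshold and the number of independent parties an attacker actually had to compromise can be checked mechanically. The following is an added example, not code from Ronin or Sky Mavis: it models the validator set described above, with the four unnamed operators and all field names as constructed placeholders, and reports how many operators must fall before the threshold is reached, counting signing access that was delegated and never revoked.

```python
from itertools import combinations

# Validator -> operator. Sky Mavis x4 and Axie DAO x1 come from the article;
# the other four operators are constructed placeholders.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "operator-C", "v7": "operator-D", "v8": "operator-E", "v9": "operator-F",
}

# Signing access that one validator extends to another party.
# Field names are hypothetical; the dates follow the article's timeline.
GRANTS = [
    {"validator": "v5", "grantee": "Sky Mavis", "via": "gasless RPC allowlist",
     "granted": "2021-11", "need_ended": "2021-12", "revoked": False},
]

def stale_grants(grants):
    """Grants whose business need has ended but which were never revoked."""
    return [g for g in grants if g["need_ended"] and not g["revoked"]]

def reach(operator, validators, grants):
    """Validators whose signatures are obtainable once `operator` is compromised."""
    own = {v for v, op in validators.items() if op == operator}
    delegated = {g["validator"] for g in grants
                 if g["grantee"] == operator and not g["revoked"]}
    return own | delegated

def min_parties_to_threshold(validators, grants, threshold):
    """Smallest set of operators whose compromise yields `threshold` signatures."""
    operators = sorted(set(validators.values()))
    for k in range(1, len(operators) + 1):
        for combo in combinations(operators, k):
            signers = set().union(*(reach(op, validators, grants) for op in combo))
            if len(signers) >= threshold:
                return k, combo
    return None

if __name__ == "__main__":
    revoked = [dict(g, revoked=True) for g in GRANTS]
    for threshold in (5, 8):
        print(threshold, "stale grant :", min_parties_to_threshold(VALIDATORS, GRANTS, threshold))
        print(threshold, "grant revoked:", min_parties_to_threshold(VALIDATORS, revoked, threshold))
    for g in stale_grants(GRANTS):
        print("stale:", g["validator"], "->", g["grantee"], "via", g["via"])
```

With the stale allowlist entry in place, a single operator reaches five signatures, so the 5-of-9 scheme behaves as 1-of-1 at the operator level; revoking the grant or raising the threshold to eight both increase the number of parties required.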

Actions taken

1. As soon as the incident was exposed, Ronin acted quickly and took proactive measures to prevent future attacks. In order to prevent further short-term damage, the validator threshold has been increased from 5 to 8.

2. Ronin is in contact with the security teams of major exchanges and will get back to everyone in the coming days.

3. Ronin is migrating its nodes so that they are completely separated from the old infrastructure.

4. Ronin has temporarily suspended the Ronin bridge to ensure no more attack vectors remain open. Binance has also disabled their bridge to and from Ronin as a precaution. The bridge will be opened at a later date once we are certain that the funds cannot be drained.

5. Due to the inability to arbitrage and deposit more funds into Ronin Network, Ronin temporarily disabled Katana DEX.

6. Ronin is working with Chainalysis to monitor stolen funds.

Next steps

Ronin is working directly with various government agencies to ensure that the criminals are brought to justice.

Ronin is in discussions with Axie Infinity/Sky Mavis stakeholders on how to best move forward and ensure no user funds are lost.

Sky Mavis is here for the long haul and will continue to build.

Media and Community Q&A

Why is the validator threshold only five?

Initially, Sky Mavis chose a threshold of five out of nine because some nodes did not catch up with the chain, or were stuck in sync. In the future, the threshold will be eight out of nine. We will expand the validator set over time on an accelerated schedule.

Where is the money now?

Most of the hacked funds are still in the hacker’s wallet: https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96

How did this happen?

We are conducting a thorough investigation.

Five validator private keys were compromised: 4 Sky Mavis validators and 1 Axie DAO validator.

The validator key scheme is set up to be decentralized in order to limit attacks like this, but the attackers found a backdoor through our Gasless RPC node, which they abused to obtain signatures from Axie DAO validators.

This dates back to November 2021, when Axie DAO validators were allowed to distribute free transactions. This was discontinued in December 2021, but Axie DAO validator IPs remain on the allowlist.

Once the attacker had access to the Sky Mavis systems, they were able to use the Gasless RPC to obtain signatures from Axie DAO validators.

We have confirmed that the signatures in the malicious withdrawals match the five suspected validators.

Is Ronin safe for me?

As we have seen, Ronin is not immune to theft, and this attack highlights the importance of prioritizing security, remaining vigilant, and mitigating all threats. We understand the need to earn trust and are using all the resources at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.

Why are we only getting notified now?

The security breach was discovered by the Sky Mavis team on March 29 following reports that users were unable to withdraw 5,000 ETH from the bridge.

Are Ronin’s funds at risk?

ETH and USDC deposits on Ronin have been drained from the bridge contract. We are working with law enforcement, forensic cryptographers, and investors to ensure that user funds are not lost. This is our top priority right now.

All AXS, RON, and SLP on Ronin are now secure.

What does this mean for users with funds on the Ronin Network?

As of now, users are unable to withdraw funds from or deposit funds into the Ronin Network. Sky Mavis is committed to ensuring that all drained funds are recovered or repaid.
