Placing Cross-Chain Bridge Safety Under the Microscope: The Controversial Axie Infinity’s Ronin $620 Million Hack

1. On March 29, Ronin, the special side chain of the largest chain game Axie Infinity, announced that it had been attacked, with a loss value of $616 million, making it the largest theft in the DeFi history.

2. The hacker managed to control four node validators and a third-party validator of the Ronin bridge, was able to reach the verifier threshold of the cross-chain bridge and successfully implement the attack.

3. At present, these highly valuable and easy to attack cross-chain bridge projects have become the serious targets of many hackers.

4. On January 5, Vitalik stated that the future of blockchain is "multi-chain" rather than "cross-chain", and emphasized the security problems of cross-chain.

On March 29, Ronin, the dedicated side chain of the largest chain game Axie Infinity, announced that it had been attacked and 173600 ETH and more than 25 million USDCs had been stolen. Ronin's loss value reached $616 million, surpassing 611 million in the Poly Network theft case last August, which has also become the largest theft in DeFi's history.

For the Poly Network theft case, please refer to our previous blog post: Poly Network Heist — Alarm Bells in DeFi Security


According to Ronin's official news, on March 23, hackers used the hacked private key to enter the system and forged two false withdrawals to realize the attack. It was not until March 29, five days later, that project officials discovered the attack because a user reported that 5000 ETH could not be withdrawn from the cross-chain bridge. After the theft, Ronin officials immediately stopped Ronin Bridge and Katana, a on-chain centralized exchange. In addition, Ronin officials also said that this attack shows the potential security problems of the Ronin bridge, and the security of the Ronin blockchain itself is still guaranteed.

As soon as the news came out, the prices of a variety of related assets, including AXS and RON, fell precipitously.



Hacker attack details

---

Axie infinity is currently the most popular blockchain game, with more than 10 million players worldwide. The game has created a far-reaching "play-to-earn" mode. Players can earn NFT assets or a variety of tokens during playing, and can be exchanged for other assets such as wETH and stablecoin on the exchange.

In order to meet the requirements of high-frequency props trading in the game and reduce the transaction handling costs, Axie Infinity did not use a more secure Ethernet main network, but built its own high-performance Ethernet side chain Ronin. In addition, in order to ensure the transaction speed, Ronin adopts a unique Proof-of-Authority (POA) consensus model, which has a small number of verifiers and a high degree of centralization. Authoritative proof requires these verifiers to have a good reputation. They need to stake their "reputation" to become verifiers. If the verifier shows signs of misbehavior or threatens the network’s security, the “reputation” will be negatively affected.


To play Axie Infinity, you need to have three NFT pets. The initial three Axies are tickets to the game and need to be purchased in the game store. For this reason, ETH on the Ethereum blockchain, must be converted into wETH on the Ronin chain. This process is done through a special cross-chain bridge. Furthermore we can use wETH to buy Axie in the game store. Here is where the cross-chain bridge became Ronin's weakness and the breakthrough of this hacker attack.

Previously, a total of nine validation nodes were jointly responsible for the maintenance of the cross-chain bridge. At least five signatures of the nine nodes were required to successfully identify the deposit and withdrawal events on the cross-chain bridge. In this attack, the hacker managed to control the private keys of four node validators and a third-party validator, reached the validator threshold of the cross-chain bridge, carried out the attack and withdrew the money successfully. It is reported that this additional third-party validator is managed by Axie DAO, but the white list permission issued by the node in the early stage has not been canceled. The attacker can obtain the signature of the validator through the non gas RPC node.

At present, Ronin has temporarily increased the cross-chain bridge validator threshold from 5 to 8 to temporarily eliminate the risk of further attacks. As of April 6, the Katana Dex on the Ronin chain has been reopened.


Cross-chain bridge: Achilles heel

---

The cross-chain bridge can transfer the on-chain assets from one blockchain to another. If the blockchain itself is compared to a solid brick, the cross-chain bridge is the "soft connection" between the blockchain and the blockchain. With the development of the whole blockchain industry, a variety of different public chains emerge endlessly. Because these public chains are not interoperable, the cross-chain bridge that can communicate with each other has become more and more important.

In this attack, hackers did not use the loopholes of the smart contract to attack, but attacked the cross-chain bridge between Ronin and Ethereum. And the attack method is also relatively primitive, directly stealing the private keys of multiple cross-chain bridge validation nodes. At present, a large number of cross-chain bridge projects use the multi signature technology similar to Ronin bridge, and these projects also face similar risks of being hacked. After a relatively strict code audit, the security of the blockchain itself has been guaranteed, and the cross-chain bridge with extremely high TVL has become the "Achilles heel" threatening the security of the blockchain.

According to Dune Analytics, Ethereum cross-chain bridge TVL alone has reached $21.06 billion. Among them, the TVL of Polygon, Avalanche, Arbitrum, Fantom and Near cross-chain bridges has exceeded $1 billion. These highly valuable and easy-to-attack cross-chain bridge projects have become the serious targets of many hackers.


In fact, in recent months, there have been many hacker attacks against cross-chain bridges. On January 27, 2022, Qubit Bridge was hacked and a certain USD amount was eventually transferred out; On February 2, the Wormhole Bridge was hacked as well and lost $320 million; On February 5, another cross-chain bridge, the Meter.io Bridge lost $4.2 million into the hacker’s hands.


On January 5, 2022, Vitalik, founder of Ethereum, stated on Reddit that the future of blockchain is "multi-chain" rather than "cross-chain", and emphasized the security problems of cross-chain. In a single blockchain, even in the worst case, it is still possible to restore the blockchain to its original state. Once cross-chain is involved, the problem is difficult to solve.


Conclusion

---

DeFi security has always been a major difficulty in the wide application of blockchain. In the world of “code is law”, if there are loopholes in the rules, it would be too bad. With the improvement of relevant technologies, we sincerely hope that a safer decentralized world can come as soon as possible.



Author: Gate.io Researcher: Edward H. Translator: Joy Z.
* This article represents only the views of the researcher and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.



Gate.io Featured Articles
Why Cross Chain Bridges Matter
TheDAO Theft：The Story of the Ethereum Hard Fork Explained
Aave V3 Launched, Leading the DeFi Sector Powerfully