April 7, 2022 · 6 min read

How $650M was Drained from Axie Infinity’s Ronin Network

When the Ethereum network launched, gaming was not at the forefront of its creators’ minds. Despite being cheaper and faster than the Bitcoin network, in addition to supporting smart contract deployment - it still did not adequately facilitate blockchain-based gaming. Real-time gaming requires near instant transfer of information, and is one of the most specification-demanding activities that computers can undertake. 

While Sky Mavis’ Axie Infinity originally launched natively on Ethereum back in 2018, it became evident that it was not the optimal home for the platform. With Ethereum’s increased adoption and network congestion over the years, transaction times and fees have both increased  - time has only made this problem worse. This is what ultimately led to Sky Mavis’ development of the Ronin Network - a layer 2 Ethereum ‘sidechain’ which launched in February 2021. 

(Source: Axie Infinity Whitepaper)

One of the most significant drawbacks of layer 2 solutions however is their decreased security as a result of their comparative centralisation. Lower levels of adoption and fewer validation nodes make L2s easier targets for exploits. That’s why Ronin has now overtaken Poly Network (another L2 solution which fell victim to a security exploit) to become the most costly hack in crypto history - to the tune of $650M visible in the attacker’s address.

What Went Wrong?  

To trace the incident back to its root cause - we need to look at a strategic development decision made by Sky Mavis late last year. By November 2021, the price of Axie Infinity’s AXS token had reached an all time high and the Ronin network was struggling to handle periods of high network-activity. As a result, a special arrangement was made between Axie DAO (Axie Infinity’s community governance organisation) and Ronin (its dedicated L2 chain for speedier transactions).

This arrangement entailed that Axie Infinity related transactions had access to a gas-free node, so that the user experience for Axie Infinity would be drastically improved during periods of high network usage. Essentially, this means that a portion of transaction validation requirements were waived for Axie Infinity, in the interest of speed. 

In itself, this would not necessarily have spelled disaster for the platform. If this arrangement had been carefully monitored, an attacker would likely not have had enough time to realise the opportunity it presented. The arrangement was only intended to last until the following month when network activity was predicted to have calmed. Crucially however, AxieDAO’s access to this gas-free node was never actually rescinded. This was an oversight which would not have amounted to anything - as long as Sky Mavis nodes were not compromised. At some point however, the attacker(s) had gained access to the private keys of these nodes.   

For a transaction to be approved on the network, only five of the network’s nine validator nodes are required to achieve consensus. Another network security flaw was the fact that no less than four of these nodes were operated by Sky Mavis themselves. In other words, the network was significantly centralised and a prime target for an exploit.  

All that was now required for bogus transactions to be verified was a security breach in Sky Mavis operated nodes to use AxieDAO’s signature - in order to validate whatever transaction the attacker(s) desired. In this instance, they desired a withdrawal of 173,600 ETH and 25.5M USDC - collectively worth over $650M. To make matters worse, the Sky Mavis team did not even realise that the exploit had occurred for six days - which would indicate that the security of the bridge was not being closely monitored.  

What Happens Now? 

The consequences of the incident (thus far) seem to have affected Ronin more so than Axie Infinity. Much of the Ronin Network’s functionality has been indefinitely suspended in the aftermath. In attempting to visit its website, visitors will be greeted with a message thanking them for their patience and stating that “maintenance is underway”.  

Hopefully the ‘magic’ of Ronin’s engineers will be enough.

Initially, the news resulted in Ronin’s RON token falling by 27.5% to a price of $1.74. However the token has now recovered slightly to a price of $1.98. Axie Infinity’s AXS token however fell only by 13.2 %, from a price of $71 to $61.60.

But it is not only the victims of the hack that have challenges ahead. Sometimes the most difficult part of orchestrating a hack is not the exploit itself,  but rather finding a means of extracting the funds from cryptocurrency whilst retaining anonymity.

There do exist privacy protocols such as Tornado Cash which allow users to hide destination addresses by generating a secret hash for every transaction. The Ronin attacker(s) have already been reported to have sent 200 ETH to this protocol and the platform has been utilised in many other high-profile crypto exploits to make tracking activity more difficult or impossible.

But while this technique may make a trail more difficult to follow, depositing tens of millions of dollars worth of assets into centralised exchanges which are required to carry out KYC and AML, even from addresses not associated with that of the hacker - is likely to raise significant suspicion. Regardless of how the attacker(s) attempt to legitimise their stolen funds, developers (particularly of sidechains and L2 scaling solutions) should heed the warning laid out by this attack -  more effort is required to maintain the security of a blockchain than to create it.   

Written by Rob Henderson for Novum Insights

*The information provided in this article by Novum Insights is for informational purposes only, we make no warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the article or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. None of the information provided is intended nor should be relied upon for the purposes of investment.