There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2).
The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.
Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.
The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.
This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.
Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.
We have confirmed that the signatures on the malicious withdrawals match up with the five suspected validators.
We moved swiftly to address the incident once it became known, and we are actively taking steps to guard against future attacks. To prevent further short-term damage, we have increased the validator threshold from five to eight.
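The two controls described above, a k-of-n validator threshold and a standing allowlist that lets one party sign on another validator's behalf, can be modelled together in a few dozen lines. The script below is an added example written for this page; it is not Ronin bridge or Sky Mavis code. The validator ids, the `Delegation` and `BridgeState` types, the withdrawal payload and the use of HMAC-SHA256 in place of the real validator signature scheme are all constructed for the illustration. It shows why the threshold check alone does not help once an operator holds four keys plus an allowlist entry that never expires, and how either giving the delegation an expiry or raising the threshold to eight makes the same withdrawal fail the check.

```python
"""Toy model of a k-of-n validator threshold with delegated signing.

Constructed example, not Ronin's code. Validator ids, delegations and the
withdrawal payload are made up; HMAC-SHA256 stands in for the real signature
scheme so the script runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed validator set: nine validators, each holding its own secret key.
VALIDATORS: Dict[str, bytes] = {
    f"validator-{i}": f"secret-key-{i}".encode() for i in range(1, 10)
}


@dataclass
class Delegation:
    """`delegate` may sign as `principal` until `expires_at` (unix time).

    expires_at=None means the entry never lapses on its own; this is the
    failure mode the post describes, where access was granted for a temporary
    need and never revoked.
    """
    principal: str
    delegate: str
    expires_at: Optional[int]


@dataclass
class BridgeState:
    threshold: int                      # signatures needed to honour a withdrawal
    delegations: List[Delegation] = field(default_factory=list)


def sign(validator: str, payload: bytes) -> bytes:
    """Stand-in signature: HMAC of the withdrawal payload under the validator key."""
    return hmac.new(VALIDATORS[validator], payload, hashlib.sha256).digest()


def verify(validator: str, payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(validator, payload), sig)


def delegated_sign(state: BridgeState, principal: str, delegate: str,
                   payload: bytes, now: int) -> bytes:
    """Sign as `principal` through a delegation held by `delegate`, if still valid."""
    for d in state.delegations:
        if d.principal == principal and d.delegate == delegate:
            if d.expires_at is None or now < d.expires_at:
                return sign(principal, payload)
    raise PermissionError(f"{delegate} may not sign for {principal}")


def valid_signers(payload: bytes, signatures: Dict[str, bytes]) -> set:
    """Distinct validators whose signature over `payload` verifies."""
    return {v for v, s in signatures.items()
            if v in VALIDATORS and verify(v, payload, s)}


def approve_withdrawal(state: BridgeState, payload: bytes,
                       signatures: Dict[str, bytes]) -> bool:
    """The bridge-side check: at least `threshold` distinct valid signatures."""
    return len(valid_signers(payload, signatures)) >= state.threshold


def scenario(threshold: int, delegation_expires_at: Optional[int],
             now: int = 2_000_000) -> bool:
    """One operator holds four of nine keys plus a delegation for a fifth.

    Returns whether the bridge would honour the withdrawal under the given
    threshold and delegation expiry.
    """
    state = BridgeState(threshold=threshold)
    # Constructed delegation: validator-9 allowlisted validator-1 to sign for it.
    state.delegations.append(Delegation("validator-9", "validator-1", delegation_expires_at))
    payload = b"withdraw:0xCONSTRUCTED_RECIPIENT:amount=constructed"
    held = ["validator-1", "validator-2", "validator-3", "validator-4"]  # 4 of 9 keys
    sigs = {v: sign(v, payload) for v in held}
    try:
        sigs["validator-9"] = delegated_sign(state, "validator-9", "validator-1", payload, now)
    except PermissionError:
        pass  # delegation lapsed or revoked: no fifth signature
    return approve_withdrawal(state, payload, sigs)


if __name__ == "__main__":
    print("5-of-9, delegation never expires:", scenario(5, None))       # True
    print("5-of-9, delegation expired:      ", scenario(5, 1_000_000))  # False
    print("8-of-9, delegation never expires:", scenario(8, None))       # False
```

The point of `valid_signers` returning a set is that a replayed or duplicated signature from one validator cannot be counted twice; the point of the `expires_at` field is that an allowlist entry granted for a temporary workload stops working on its own even if nobody remembers to remove it.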
We are in touch with security teams at major exchanges and will be reaching out to all in the coming days.
We are in the process of migrating our nodes to new infrastructure that is completely separate from our old infrastructure.
We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained.
We have temporarily disabled Katana DEX due to the inability to arbitrage and deposit more funds to Ronin Network.
We are working with Chainalysis to monitor the stolen funds.
We are working directly with various government agencies to ensure the criminals get brought to justice.
We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users' funds are lost.
Sky Mavis is here for the long term and will continue to build.