Learnings from One of the Biggest Hacks in Blockchain History

Developed by Vietnamese studio Sky Mavis, the Non-Fungible Token-based video game Axie Infinity is well known for its in-game economy which uses cryptocurrencies. Last March, one of the biggest hacks in Blockchain history took place: more than $625M were stolen from the Ronin Network, an Ethereum sidechain that Axie Infinity uses to execute transactions. Although Blockchain technology has a secure infrastructure, this hack exposed the need for additional security management. Understanding the vulnerable spots of this case, we explain how to protect from a hack – both from a user and administrator perspective.

 

#Summary

  • The Ronin Network was hacked due to the low number of validators in the Blockchain and safeguarding of private keys.
  • Data tampering (ST2) and non-repudiation (ST6) were the security risks exploited to withdraw 73,600 Ethereum and 25.5M USDC through the Ronin bridge.
  • To prevent any hacking attacks, it is important to identify and implement security measures to protect both the network and the user private data.
  • One of the most common vulnerabilities comes from the End-Point Domain and can be solved with basic security measures stated in the security tips section below.
  • micobo provides businesses a secure infrastructure with Two Factor Authentication, secure data encryption, logging and monitoring, advanced DevSecOps, authentication and access control, data backups, service resilience, risk avoidance measures and decentralized issuing, securing assets with a 4-layer security protocol, state-of-the-art security procedures, a contingency policy, and information risk management.

 

What happened in the Ronin Network – The Hack

Ronin network is the blockchain used to enable Axie Infinity’s game transactions, such as buying ‘Axies’, land, and items to be used in the game. This network is a bridge between Axie Infinity and Ethereum to conduct transactions and transfers of cryptocurrency in and out of the game.

hack1

Figure 1. Axie Infinity´s Marketplace. Source: Axie Infinity (2022)

 

The problem started on March 23 of 2022 when a user reported the impossibility of withdrawing 5,000 ETH from the Ronin account. An investigation took course, finding one of the greatest hack in Blockchain history.

The attacker, presumably Lazarus Group, managed to get control over Sky Mavis’ four Ronin Validators and a third-party validator run by Axie DAO. The Ronin chain consists of 9 validators nodes: to validate a transaction, the system would need the signatures of at least 5 validators. This consensus protocol is very centralized making it more vulnerable to malicious attacks. To set an example, Ethereum has over 300K validators.

The attacker found a vulnerability in the gas-free RPC node, which was abused to get the signature for the Axie DAO validator. The result was the hack of 173,600 ETH and 25.5M USDC drained from Ronin bridge. The attacker used hacked private keys to withdraw the crypto funds.

Security Hacks in the Blockchain ecosystem

As in the banking system and the IT industry, Blockchains need to address security risks. Cyberattacks are common and usually target sensible information and large amounts of money. Furthermore, given the interconnection between centralized and decentralized systems that characterize blockchain applications (Lee, 2019), the system may be vulnerable to security breaches. Hence, a Blockchain system should also implement security protection for its components from cyberattack in the same way centralized systems do.

hack2

Figure 2. The biggest Crypto Heists. Source: Statista (2022)

 

Lee (2019) has identified 6 security threats (ST) in the overall Blockchain system in 4 different domains:

 

  • ST1-Data spoofing: A person or program pretend to be another by falsifying data to gain an illegitimate advantage, attempting to steal transmitting data, eavesdrop on communication channels or identify theft, breaking into a secure channel or interrupting user access.

 

  • ST2-Data tampering: User-submitted data is changed to malicious data. Data tampering exposes data manipulation causing incorrect or unintended system execution including component tampering, data corruption, data manipulation or ledger malleability that corrupts Blockchain protocol. This security threat was exploited in the Ronin network hack.

hack3

Figure 3. Four main security domains of blockchain system. Source: Lee (2019)

 

  • ST3-Denial of Service: An authorized user’s access to a computer network is interrupted with malicious intent. Denial of service could mean a system malfunction, an operation halt, or data corruption.

 

  • ST4-Privilege of escalation: Exposes centralized system components, such as Multi-Sig authentication or cryptocurrency exchanges, to cyberattacks involving system monitoring bypass, access control circumvention, or third-party security solution break-ins.

 

hack4

Figure 4. Major cybersecurity threats in the blockchain system. Source: Lee (2019)

 

  • ST5-Data Disclosure: Applied in system components designed to process or store sensitive data such as cold/hot wallet and online/offline storage. Data disclosure includes security risks like data loss or data theft.

 

  • ST6-Non-repudiation: Takes place in distributed application (dApps) such as smart contracts. This threat includes security risks such as consensus protocol manipulation, bypassing security logic, identity theft, data manipulation, user access control, re-entry/race condition and ledger malleability.

 

 

Back to Axie’s case: data tampering (ST2) and non-repudiation (ST6) were the security risks exploited to withdraw 73,600 ETH and 25.5M USDC through the Ronin bridge in Axie Infinity. The hacked domains were distributed application and end-point: While the former needs a security evaluation from the source code, the later needs security checks in terminals, computers, mobile devices through which users communicate with a Blockchain system for usage and services. This is considered a vulnerable area and the optimal target area for a potential attacker. Therefore, it is crucial to protect the end-user environment from malware attacks against personal computing devices, cross-site scripting attacks, or cross-site request forgery against user web browsers or computer virus infections.

 

What´s next? – Security tips in a Blockchain ecosystem

A major outcome of hacking attempts is the increasing robustness of blockchain security systems. Some of the major areas of focus are the source code, regular checks ups on code logic and user permissions. It is important that administrators, investors, exchanges, wallet providers and other stakeholders take an active participation in security protocols.

Here are some of the best security tips for users:

Private key:

  1. Use a Hardware Wallet for storing high value assets.
  2. Do not store your private key in a web browser.
  3. For high value security tokens or cryptocurrencies, store the private key in a deposit box from a bank.

 

Passwords/Credentials:

  1. Use different username/password for each service. This is possible with a password manager.
  2. Secure your password manager with 2FA (2 Factor Authentication)
  3. Change the password manager password regularly.
  4. Change passwords periodically.

 

Wallets:

  1. Use time-locked vaults that do not allow you to withdraw for a set of time.
  2. Use withdraw whitelist for addresses so that other addresses that were not predefined cannot withdraw money.
  3. Use IP address whitelist.
  4. Do not store your key phrases on cloud storage.
  5. Do not email yourself the key phrase.
  6. Consider water/fire proof devices.

 

Wallet Generation:

  1. Use highly trusted and reputable software to generate a wallet.
  2. Use an air gapped device that is not connected to an outside network: Air gapping is a security measure that involves isolating a computer or network and preventing it from establishing an external connection. For example, an air gapped computer is one that is physically segregated and incapable of connecting wirelessly or physically with other computers or network devices.
  3. An additional security measure can be using a laptop only to store crypto and do not connect it to the internet. Generate your wallets and then send security tokens or crypto to those addresses for storage.

 

Audit your account:

  1. Look for something out of the ordinary: Check the logins and devices registered, which APIs have access and their access level.
  2. Check this in exchanges, password manager, email, etc (most have this feature).
  3. Do these activities periodically, hackers take time to carry out an attack.
  4. Periodically check the permissions in the exterior systems.

 

Layer 2 solutions

  1. Best secure layer 2 solutions are usually optimistic rollups and zk-rollups. You can see the benefits and risks of different types of layer 2 solutions here and a comparison between rollups here.

 

Laptop and mobile security:

  1. Use an Antivirus. Usually, they offer network scan security.
  2. Get a Network connection detector: This outlines any inbound and outbound in your network, you can block or allow them. (For business security it must be reviewed more frequently)

 

Network security:

  1. Use a VPN for public places.
  2. Check your home router (applicable to home office as well). Set a secure password that differs from information that identifies you such as your identification number or your name. Check for strange connections you do not recognize.

 

Web browser security:

  1. Beware of unknown browser extensions, do not download them unless you are certain it is a trustworthy extension.
  2. Use privacy-focused such as Firefox, Epic, Tor among others.  

 

General security:

  1. Do not use SMS because SIM swap is very common and could be used in a hack. Use google voice or google authenticator authy which is more secure than text. (Business Insider)

 

Infrastructure security:

micobo provides a secure infrastructure with Two Factor Authentication, secure data encryption, logging and monitoring, advanced DevSecOps (Using Terraform for reproducible environments, with several security tools for code and container analysis), authentication and access control, data backups, service resilience and risk avoidance measures, and decentralized issuing. Furthermore, micobo secures assets with a 4-layer security protocol, state of the art security procedures, a contingency policy and information risk management.

For more details on micobo’s security measures you can visit our webpage section on Bank-Grade Security.

 

About micobo

 

micobo GmbH is a leading European software company for Security Token Offerings and Blockchain Software Development (DLT). It provides fully compliant software solutions for Security Token Offerings and advises on structuring DLT- and Blockchain-based Securities. micobo empowers financial institutions with state-of-the-art technology focusing on providing a better customer experience and achieving measurable results.

 

Author

Laura Andrade (la@micobo.com)

Collaborators

Mia Simo (ms@micobo.com)

Andreas Alin

Bidisha Bera 

Bibliography