The Ronin Network and Sky Mavis have vowed to upgrade their smart contracts, offer lucrative bug bounties and ramp up security following the $600 million hack late last month.
As Cointelegraph previously reported, the Ethereum sidechain developed for the popular NFT game Axie Infinity was the victim of an exploit for 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) worth more than $612 million at the time.
Earlier this month the Federal Bureau of Investigation (FBI) attributed the attack to North Korea-based and state-sponsored hacking group Lazurus, as it fired off a warning to other crypto and blockchain organizations.
Ronin announced its platform changes via a post-mortem report published yesterday, noting that all user funds are in the process of being restored as it vowed to make sure this “never happens again.”
We have put together a postmortem regarding the Ronin exploit that occurred on March 23rd.
The hack run down
The hack was the result of a spear phishing attack on a former Sky Mavis employee (developers of Axie Infinity). The bad actor was able to leverage the employee’s credentials to access Sky Mavis’s four validator nodes out of a total of nine in the Axie/Ronin ecosystem.
This by itself was not enough to do any damage, but “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
“This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allow list access was not revoked,” the report reads.
Following the hack, big changes are being implemented at both Sky Mavis and the Ronin Network.
The Ronin Network hopes to have its bridge open again by mid to late May, with Binance providing support until then with withdrawal and deposit infrastructure for Axie users.
The team is about 80% through upgrading Ronin bridge smart contracts, they’ll be reworking the backend, migrating all pending withdrawals and launching a validator dashboard that “allows for approving large transactions and adding/removing new validators.”
“The Ronin Network bridge is currently being redesigned and will open once we are confident that it can stand the test of time. We initially expected to be able to deploy the upgrade by the end of April, but this is not a process that we can afford to rush.”
Sky Mavis will ramp up its security measures by seeking the help of “top tier security experts,” conducting contract audits and implementing stricter internal procedures such as training courses to “combat external threats.”
Notably, it will also be significantly upping its node count to help decentralize the project. Having already increased from nine to 11, Sky Mavis intends to get that number up to 21 within three months. Longer-term, the project is eyeing more than 100 nodes.
Sky Mavis will also be launching bug bounties of up to $1 million for any white hat hackers who are able to find further vulnerabilities.
“We recognize the importance and value of security researchers’ efforts in helping keep our community safe. Sky Mavis is offering bounties of up to $1 million to encourage responsible disclosure of security vulnerabilities.”
- ^ ETH (cointelegraph.com)
- ^ USDC (cointelegraph.com)
- ^ more than $612 million (cointelegraph.com)
- ^ fired off a warning (cointelegraph.com)
- ^ https://t.co/FfwCtCG84E (t.co)
- ^ April 27, 2022 (twitter.com)
- ^ access Sky Mavis’s four validator nodes (cointelegraph.com)
- ^ Binance recovers $5.8M in funds connected to Ronin bridge exploit (cointelegraph.com)