The Great Ronin Hack of 2022
On Wednesday March 30th, SkyMavis announced that their Ronin Bridge had been hacked and about $625M worth of Ethereum and USDC had been stolen. The amount was later corrected to “$541M at the time of the breach,” making it the second-largest crypto hack in history. The record for largest hack remains with the Poly Network theft of August 2021, by a margin of $70M. (Perhaps most distressingly, the Ronin hack was discovered a full week after it had actually been perpetrated, on March 23rd.)
Let’s start with the basics. The Ronin Bridge is a part of the Ronin blockchain network, so it exists alongside services like the Katana decentralized exchange, the Axie Infinity marketplace, and the AXS staking pool. Its primary function is to allow the transfer of assets from the Ronin world to the Ethereum world, kind of like the Rainbow Bridge in the Thor movies, which connects the kingdom of Asgard to places like Earth. Without the Ronin Bridge, you wouldn’t be able to move your SLP earnings from the world of Ronin to the world of Ethereum. Except, well … that’s not exactly accurate. Before the Ronin Bridge, we were already using centralized exchanges like Binance as a quasi-bridge to the outside world. Once you got your SLP earnings transferred over to Binance, you could do all sorts of things with it, including converting them into pesos. It was such a popular method, in fact, that the majority of Axie players still use that strategy to this day.
So although the Ronin Bridge is the “official” way to transfer your tokens from the inner world to the outer world, it is not the most accepted way to do it. This is a critical piece of information because when the mainstream media started covering the hack, there was this knee-jerk narrative of low-income gamers collectively losing over $600M as a result of the security flaw. As far as we can tell, none of YGG’s scholars were affected by the hack, because its impact was limited to a part of the Ronin ecosystem that our scholars don’t actively use.
Who did these funds actually belong to then? A part of those funds belonged to institutions, whales, and yield farmers who deposited their ETH and USDC into the Ronin system in order to provide liquidity for the Katana DEX. (I was one of those farmers.) There was about $300M in total liquidity in the Katana DEX before the hack. I’m unsure of the status, but the Analytics page seems to indicate that it’s still there, and I can still look up the status of my RON/WETH and SLP/WETH yield farms even though the whole exchange is paused right now.
But how did the hack actually happen? The Ronin Bridge is run by a group of validators — these are just computers that work together to verify that the transactions that are going through the bridge are legit. Some of these computers belong to SkyMavis, while others belong to partners in the ecosystem. In total, there were only 9 validators at the time of the attack, and only 4 of those belonged to SkyMavis directly. The validators control a wallet with A LOT of money in it, because you need a really big buffer if you want to be able to potentially move an entire community’s funds from the Ronin world over to the Ethereum world, and vice versa. In order for funds to be released from the bridge wallet, the system required 5 of the 9 validators to approve the transfer. The hacker was able to meet that requirement by using social engineering to get the private keys of the 4 SkyMavis validators, and one other set of keys from AxieDAO. With 5 keys, you basically have control over the bridge, since that’s the minimum requirement for transaction approval.
Bitcoin folks (or any Ethereum people who use Gnosis Safe) will be familiar with the security setup above. It’s basically just an m-of-n signature scheme, where “m” is the minimum number of signatures required to approve a transaction and “n” is the total number of stakeholders. In most small crypto companies — including my old company Bloom — 3-of-5 is an acceptable level of security. In order for a hacker to steal the company’s crypto, they would need to hack 3 out of the 5 signatories. Since we were all living apart from each other and using hardware wallets like Ledgers or Trezors, it seemed like a reasonably difficult challenge for a hacker to visit each of us in turn in Australia, La Union, Batangas, Metro Manila, etc. That said, assuming someone had the inclination to knock on our doors, there would be no real technical challenge in getting us to part with our respective private keys. A pipe wrench to the face will usually suffice in these instances. The difference with the Ronin Bridge setup was that all of the private keys were stored online. They had to be, because the bridge is an automated service. SkyMavis hasn’t described exactly how the social engineering attack worked, but I surmise that it was based on false identity.
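As an added illustration (not code from this post, SkyMavis, or the Ronin Bridge), here is a toy m-of-n approval check in Python that mirrors the 5-of-9 setup described above. The validator names, the HMAC used as a stand-in for real signatures, and the withdrawal message are all constructed; the check counts only distinct validators with a verifying signature, so five compromised keys clear the threshold while four keys, a replayed key, a forged signature, or a raised threshold do not.

```python
import hashlib
import hmac
import secrets

# Constructed validator set: 9 validators, 4 of them SkyMavis, 1 AxieDAO,
# 4 other partners. Fresh random secrets stand in for the online private keys.
VALIDATORS = {name: secrets.token_bytes(32) for name in (
    "skymavis-1", "skymavis-2", "skymavis-3", "skymavis-4",
    "axiedao", "partner-1", "partner-2", "partner-3", "partner-4")}

# Constructed withdrawal request that the bridge would need approval for.
WITHDRAWAL = b"constructed: release bridge funds to external address"


def sign(validator, tx):
    """Approve tx as the named validator. HMAC-SHA256 is a stand-in for a
    real asymmetric signature; the verifier below holds the same secrets."""
    return validator, hmac.new(VALIDATORS[validator], tx, hashlib.sha256).digest()


def approved(tx, signatures, threshold):
    """m-of-n check: release only if at least `threshold` DISTINCT known
    validators produced a signature that verifies over tx."""
    good = set()
    for validator, sig in signatures:
        key = VALIDATORS.get(validator)
        if key is None:
            continue  # unknown signer never counts toward the threshold
        expected = hmac.new(key, tx, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            good.add(validator)  # a set, so a replayed key is counted once
    return len(good) >= threshold


def attacker_can_drain(compromised_validators, threshold):
    """Would an attacker holding these validators' keys meet the threshold?"""
    sigs = [sign(v, WITHDRAWAL) for v in compromised_validators]
    return approved(WITHDRAWAL, sigs, threshold)


if __name__ == "__main__":
    stolen = ["skymavis-1", "skymavis-2", "skymavis-3", "skymavis-4", "axiedao"]
    print("5 stolen keys vs 5-of-9:", attacker_can_drain(stolen, 5))       # True
    print("4 stolen keys vs 5-of-9:", attacker_can_drain(stolen[:4], 5))   # False
    print("5 stolen keys vs 6-of-9:", attacker_can_drain(stolen, 6))       # False
```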
So what’s SkyMavis doing at this juncture? Two things simultaneously: the first is that they’re working with law enforcement and blockchain forensics to track down the hacker … and probably deliver their own version of the proverbial “pipe wrench to the face”. The second is that they’re adding more validators to the Ronin network as well as increasing the number of required signatories for each transaction. No word yet on who the other validators will be, but I’d say spreading out the responsibility to more members of the community (YGG would love to help here) would go a long way towards rebuilding trust in the protocol.
On a more reassuring note (this is not my forte, but let me try anyway), I should probably mention that although hacks in the crypto world are unfortunately pretty common, the industry as a whole is getting better at dealing with them. Both Binance and Huobi immediately moved to block transactions from the Ronin hacker’s address, for example. And let’s not forget that even with the Poly Network hack, the ultimate outcome was that the hacker returned $600M. The $325M lost in the Wormhole hack earlier this year was also restored to affected users. Heck, even with the granddaddy of hacks, MtGox, the original investors are all actively being repaid. So although I am a little worried about my Ronin yield farms being in danger right now, I’m cautiously optimistic that we’ll see a positive resolution for everyone involved in the coming weeks.
Hope you all have a good weekend, cryptofam!