The Ronin Bridge Hack

Imagine being the victim of a $625 million exploit and not learning about it until six days later, when a user complained that he was unable to withdraw 5,000 ether from the bridge. The Ronin Network of Axie Infinity experienced the same thing. This is one of the biggest exploits in defi is this one.

Let’s now discuss the specifics of how this breach occurred and the present situation. Before we begin, let’s learn about sidechain because Ronin is also an Ethereum sidechain that was released in February 2021. This will make the notion easier to comprehend.

Sidechain

The sidechain take over some of the workload from the main Blockchain in order to help main Blockchain in processing transaction. SideChain is a separate blockchain which in connected to another Blockchain through two-way bridge. You definitely must have heard of Polygon Blockchain which is sidechain of Ethereum Blockchain. Similar to Ethereum, sidechains contain validating nodes that process and verify transactions, create blocks, and record the state of the blockchain.

Things you should know about sidechain:

1. Sidechains are more centralised than main blockchains in order to achieve high throughput.
2. Sidechain can have separate block parameters and consensus algorithms
3. In contrast to Ethereum, which place limits on block times and block sizes, sidechains frequently use different parameters, such as faster block times and higher gas limits, to achieve high throughput, quick transactions, and cheap fees.

In order for a separate blockchain to become a sidechain to Ethereum Mainnet it needs the ability to facilitate the transfer of assets from and to Ethereum Mainnet. This interoperability with Ethereum is achieved using a blockchain bridge. In this process currency and tokens are not actually moves but two important process take place which involve minting and burning to transfer value across chains.

Although bridges helps us to achieve high throughput, fast transactions, and low fees they come with big security risk. Bridges account for the top three biggest hacks in DeFi and are still in the early stages of development.

Now that you have a decent understanding of how sidechains function, let’s look at what occurred to the Ronin chain, which led to one of the largest DeFi exploits.

Ronin was launched as an Ethereum side-chain in Feb 2021 to provide the fast, cheap transaction throughput necessary for a play to earn game to function.

Ronin works on Proof of Authority consensus model. In this model validators put their identity, reputation at stake. The validators are limited so it make this model highly scalable. POA can deliver fast transaction but it also bring centralization. In order to maximise TPS, decentralisation and trustlessness were neglected in favour of a Proof of Authority model

Ronin Hack

In Ronin bridge they have nine validators in which they need consensus of five nodes to approve transactions, and a deposit or withdrawal requires approval by a majority of five of these nodes. Four validators are controlled by Sky Mavis, which works on developing blockchain based games. Its first game is Axie Infinity only. If the attacker gain control of these four validators they just need to gain one more to initiate the deposit and withdraw transactions. And thats what happened. The attacker gained control of four validators controlled by Sky Mavis and a third-party Axie DAO validator.

In November 2021, Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. So Axie DAO temporarily allowed Sky Mavis to sign transactions on its behalf. A gas-free RPC node was established to ease costs for users during a period of heavy network traffic. It was supposed to discontinued in December 2021, but the allowlist access was not revoked, meaning that Sky Mavis could still generate signatures for Axie DAO.

The attacker who had compromised Sky Mavis validators can now also use Axie Dao signature necessary to approve transactions.

The attacker then authorised two withdrawals, draining first 173,600 ETH and then 25.5M USDC from the Ronin Bridge contract.

On 14th April 2022 the FBI attributed North Korea based Lazarus Group to the Ronin Validator Security Breach.

This case shows the real importance of decentralisation.

Current Status

1. They are planning to re-opening the Ronin Bridge on June 28th, with all user funds returned.
2. The Bridge opening is contingent on a Ronin hard-fork which requires all validators to update their software.