Fake job offer leads to $600 million theft

Back in March, popular NFT battler Axie Infinity lay at the heart of a huge cryptocurrency theft inflicted on the Ronin network. From the Ronin newsletter:

There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions. The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.

These validator nodes act as a safeguard against criminals making off with lots of money. To put together a bogus transaction, an attacker would need to gain access to 5 out of 9 validator nodes. The successful attack happened over 2 stages.

An unwary employee provided one foot in the door. An unrevoked permission elsewhere kicked it wide open.

The trap is set

According to The Block, everything fell into place thanks to a senior engineer at the game developer. Two inside sources claim the engineer was fooled by a fake job offer. In fact, it seems multiple employees were approached and encouraged to put in applications. Scams originating from LinkedIn accounts are popular at the moment. As it happens, this is where scammers tried to persuade various people on the development team.

One individual is all it took to empty out a big slice of cryptocurrency funds. A job offer made after several interviews was enough to convince the victim to get on board. Perhaps the “extremely generous” compensation package offered should have set off some alarm bells. Having said that, anything digital finance related likely has huge amounts of cash available.

We rate this job offer a 4 out of 5

Unbeknownst to the engineer, everything came crashing down once they received the job offer. A booby-trapped PDF granted the attackers access to Ronin systems, and they were able to compromise 4 out of the required 5 nodes.

Just one node remained to be compromised. How did they do it?

Step up to the plate, non-revoked access. When employees leave an organisation, it’s a good idea to remove access to networks and devices. Unknown entities will happily make use of unattended credentials or permissions. Sure enough, that’s what happened here.

Nudging a node

A Decentralised Autonomous Organisation (DAO) is a way for people in a community to make decisions on a project. The developers approached the Axie DAO for assistance with transactions in November 2021. Ultimately, this is where the fifth node compromise starts to take shape. The issue isn’t that the DAO exists. The issue is the permissions granted to the DAO.

From the Substack post detailing the attack:

At the time, Sky Mavis controlled 4/9 validators, which would not be enough to forge withdrawals. The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.  

This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.

Who takes the blame?

In April, the US Department of Treasury pinned this one on North Korean hacking group Lazarus. Research elsewhere details Lazarus attacks on both the aerospace and defence sector involving bogus job posts. There’s no mention of those attacks having any connection to what happened above. However, the research does highlight further recruitment scams using LinkedIn as the starting point.

Whether you’re operating in a cryptocurrency / web3 realm or not, forgotten permissions could cost you dearly. There’s also the fake job offer approach to consider. In recent months we’ve seen other game developers targeted. Deepfakes are now worming their way into the bogus job scene. Malware is rife in this sort of operation, so please be cautious around any promising new offer.
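The forgotten-permission problem can be checked mechanically. The following is an added example, not code from Sky Mavis or from the original article: it counts how many of the 9 validators each party can effectively sign with once live delegations are included, and flags grants that have outlived their purpose. The validator ids, the other operators' names, the day in December and the audit date are all constructed.

```python
from datetime import date

THRESHOLD = 5  # signatures needed to approve a withdrawal (5 of 9, per the article)

# Constructed validator set. Ids and the "operator-*" names are placeholders.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "operator-A", "v7": "operator-B", "v8": "operator-C", "v9": "operator-D",
}

# Constructed grant record: grantee may obtain signatures from `validator`.
# needed_until = end of the business need; revoked_on = date access was removed.
DELEGATIONS = [
    {"validator": "v5", "grantee": "Sky Mavis",
     "needed_until": date(2021, 12, 31), "revoked_on": None},
]
AUDIT_DATE = date(2022, 3, 1)  # constructed audit date


def is_live(grant, today):
    """A grant is live until it is explicitly revoked."""
    return grant["revoked_on"] is None or grant["revoked_on"] > today


def stale_delegations(delegations, today):
    """Live grants whose business need has already ended."""
    return [g for g in delegations if g["needed_until"] < today and is_live(g, today)]


def effective_control(validators, delegations, today):
    """Map each party to the validators it can sign with, directly or via live grants."""
    control = {}
    for vid, owner in validators.items():
        control.setdefault(owner, set()).add(vid)
    for g in delegations:
        if is_live(g, today):
            control.setdefault(g["grantee"], set()).add(g["validator"])
    return control


def threshold_risks(validators, delegations, today, threshold=THRESHOLD):
    """Parties whose compromise alone yields enough signatures for a withdrawal."""
    control = effective_control(validators, delegations, today)
    return {p: sorted(v) for p, v in control.items() if len(v) >= threshold}


if __name__ == "__main__":
    print("stale grants:", stale_delegations(DELEGATIONS, AUDIT_DATE))
    print("single points of failure:", threshold_risks(VALIDATORS, DELEGATIONS, AUDIT_DATE))
```

With the grant still live, one party reaches 5 of 9 on its own; once `revoked_on` is set, the same audit comes back empty.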


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.