Unpacking the $625M Ronin Network Heist: Independent Postmortem

4th April 2024

In March 2022, the Ronin Network fell victim to a cyber heist in which $625 million in cryptocurrency was stolen. The incident, attributed to the Lazarus Group, is the largest DeFi hack to date. It relied on sophisticated social engineering to compromise the key security mechanism of the Ronin Bridge: the validator signatures that authorise withdrawals. This independent postmortem dissects the events leading to the breach, evaluates the methods used, and explores measures that could fortify defenses against similar attacks. It was written from public information and might contain inaccuracies.

The Hack's Chronology

On March 23, 2022, the attackers drained 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) from the Ronin Bridge smart contract on Ethereum in two withdrawal transactions. The withdrawals went unnoticed until March 29, 2022, when a user contacted support after being unable to withdraw a large amount. The bridge was then halted so that no further funds could leave it.

The Intricate Web of Deception: The Lazarus Group's Social Engineering Mastery

According to insiders interviewed by The Block, the breach was orchestrated through an elaborate social engineering attack targeting a senior software engineer at Sky Mavis. Posing as recruiters from a non-existent company, the attackers used LinkedIn to make contact with their target. After a series of fake interviews, the engineer received a PDF presented as a job offer. The document carried malware that, once opened in a vulnerable PDF reader, gave the attackers a foothold in Sky Mavis' systems and set the stage for the theft that followed.

The Vulnerable Point: Ronin Bridge's Proof of Authority (PoA) Consensus Mechanism

The Ronin Bridge was underpinned by a Proof of Authority (PoA) scheme in which a withdrawal required signatures from five of nine validators. Sky Mavis operated four of those validators, and all four keys fell to the attackers. The crucial fifth signature came from the validator operated by Axie DAO, which was compromised through a backdoor: signing rights that had been granted to Sky Mavis months earlier and never revoked.

The compromise of this fifth validator traces back to November 2021, when Axie DAO granted Sky Mavis temporary permission to sign on its behalf, to help keep the service running during a period of exceptionally high demand. Those permissions were never rescinded once they were no longer needed, leaving an entry point that was exploited months later.

Vulnerabilities in Blockchain Bridges

The breach highlighted significant vulnerabilities inherent to blockchain bridges, which move value between distinct blockchains by way of an external validation mechanism. Bridges vary in their operation, but they typically lock or burn tokens on the source chain and then mint or release the equivalent on the target chain. Because the two chains are separate, the contract on the target chain cannot directly verify that the lock or burn on the source chain actually happened; instead, a set of off-chain validators attests to it under some consensus rule. In this incident, that rule was signatures from five of the nine validator nodes. Once enough of those nodes were compromised, the attackers could produce a valid withdrawal approval and release assets held by the bridge contract without any corresponding deposit or burn on the other chain, exposing a critical flaw in the bridge's trust model: the contract holding the funds can only check signatures, never the state of the other chain.
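The two paragraphs above describe the mechanism in words; the following Python model, added here as an illustration and not code from Sky Mavis or the Ronin project, makes the failure concrete. Only the 5-of-9 threshold, the four Sky Mavis keys, the Axie DAO key and the never-revoked allow-list come from the text; the validator ids, the four other organisations holding one key each, and the integer timestamps are invented. It shows an honest release, the forged release that succeeds with four Sky Mavis keys plus the stale delegation and no deposit on the source chain, and the same attempt failing once the delegation carries an expiry, together with a count of how many organisations must be compromised to reach the threshold.

```python
"""Toy model of a lock-and-release bridge gated by a 5-of-9 validator threshold.

Added example, not Sky Mavis' code. Validator ids, the extra organisations
and the timestamps are invented; the 5-of-9 rule, the 4 + 1 key split and the
never-revoked allow-list are from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

THRESHOLD = 5

# Validator id -> organisation holding that key (grouping constructed for the example).
VALIDATORS: Dict[str, str] = {
    "skymavis-1": "Sky Mavis", "skymavis-2": "Sky Mavis",
    "skymavis-3": "Sky Mavis", "skymavis-4": "Sky Mavis",
    "axiedao-1": "Axie DAO",
    "org-a-1": "Org A", "org-b-1": "Org B", "org-c-1": "Org C", "org-d-1": "Org D",
}


@dataclass
class Delegation:
    """Allow-list entry: `delegate_org` may sign as `validator`.
    expires_at=None is the weak setting: the grant never lapses on its own."""
    validator: str
    delegate_org: str
    expires_at: Optional[int] = None


@dataclass
class Bridge:
    locked: Dict[str, float] = field(default_factory=dict)     # source-chain deposits by id
    released: Dict[str, float] = field(default_factory=dict)   # releases granted by id
    delegations: List[Delegation] = field(default_factory=list)

    def deposit(self, tx_id: str, amount: float) -> None:
        self.locked[tx_id] = amount

    def may_sign_as(self, validator: str, org: str, now: int) -> bool:
        """True if `org` holds the key itself or has an unexpired delegation for it."""
        if VALIDATORS[validator] == org:
            return True
        return any(
            d.validator == validator and d.delegate_org == org
            and (d.expires_at is None or now < d.expires_at)
            for d in self.delegations
        )

    def release(self, tx_id: str, amount: float,
                signatures: List[Tuple[str, str]], now: int) -> bool:
        """signatures: (validator id, organisation that produced the signature).
        The releasing side cannot see the other chain, so the ONLY gate is the
        count of distinct valid signatures; `locked` is deliberately never consulted."""
        signers: Set[str] = {v for v, org in signatures if self.may_sign_as(v, org, now)}
        if len(signers) < THRESHOLD:
            return False
        self.released[tx_id] = amount
        return True


def min_orgs_to_reach_threshold(bridge: Bridge, now: int) -> int:
    """Smallest number of organisations whose full compromise yields THRESHOLD
    valid signatures (greedy cover: largest reach first; exact for a set this small)."""
    reach = {org: {v for v in VALIDATORS if bridge.may_sign_as(v, org, now)}
             for org in set(VALIDATORS.values())}
    covered: Set[str] = set()
    count = 0
    for _, keys in sorted(reach.items(), key=lambda kv: -len(kv[1])):
        if len(covered) >= THRESHOLD:
            break
        covered |= keys
        count += 1
    return count


def honest_release() -> bool:
    """Happy path: a deposit on the source chain, then five distinct organisations attest."""
    bridge = Bridge()
    bridge.deposit("dep-1", 10.0)
    sigs = [("skymavis-1", "Sky Mavis"), ("axiedao-1", "Axie DAO"),
            ("org-a-1", "Org A"), ("org-b-1", "Org B"), ("org-c-1", "Org C")]
    return bridge.release("dep-1", 10.0, sigs, now=200)


def forged_release(delegation_expires_at: Optional[int]) -> Tuple[bool, bool, int]:
    """Attacker holds all four Sky Mavis keys at now=200. Returns
    (release accepted?, matching deposit existed?, organisations needed to hit the threshold)."""
    bridge = Bridge()
    # The November 2021 grant: Axie DAO allow-lists Sky Mavis to sign for its validator.
    bridge.delegations.append(Delegation("axiedao-1", "Sky Mavis", delegation_expires_at))
    sigs = [(v, "Sky Mavis") for v, org in VALIDATORS.items() if org == "Sky Mavis"]
    sigs.append(("axiedao-1", "Sky Mavis"))  # fifth signature via the allow-list; Axie DAO's key is never touched
    accepted = bridge.release("forged-1", 173_600.0, sigs, now=200)
    return accepted, "forged-1" in bridge.locked, min_orgs_to_reach_threshold(bridge, now=200)


if __name__ == "__main__":
    print("honest release:", honest_release())
    print("forged, allow-list never expires:", forged_release(None))
    print("forged, allow-list expired at t=100:", forged_release(100))
```

The number to track is what `min_orgs_to_reach_threshold` returns: nine validators behind a five-signature rule can still be a one-organisation system, and the raw validator count says nothing about that. The other thing to notice is that `release` never looks at `locked`; nothing on the releasing side can, which is why the signature set is the whole security boundary of a bridge of this design.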

Money Laundering Efforts

Twenty-two days after the tokens were transferred to the attacker's wallet, the Office of Foreign Assets Control (OFAC) sanctioned the wallet address. Laundering that much Ether is inherently difficult. The attackers' primary objective is to break the on-chain links to the wallet identified with the hack: businesses and individuals accepting cryptocurrency may refuse funds directly linked to illicit activity, and converting the assets to fiat currency such as USD risks exposing the launderers' identities.

The attackers used two primary methods to dissociate the stolen funds from the hack. First they used Tornado Cash, a mixer that pools Ether and other Ethereum-based tokens deposited by many users in fixed denominations, severing the visible link between the depositing and withdrawing wallets.

Given the size of the haul (173,600 ETH), however, Tornado Cash was too slow for the attackers' needs, so they turned to blockchain bridges instead. Bridges allow faster laundering but are easier to track: whereas Tornado Cash mixes identical amounts, bridges move arbitrary amounts, so large sums crossing chains within a short time window stand out.

As of this writing, approximately 102 ETH remain in the wallet directly connected to the hack. About $30 million of the stolen funds had been recovered by September 8, 2022. There have been no reports of other significant breakthroughs in the case.

Lessons Learned and Preventative Measures

The incident sheds light on several critical areas for improvement:

  1. Intensified Social Engineering Training: Ongoing education and drills improve vigilance against sophisticated social engineering. Sky Mavis' own postmortem revealed that its staff were already the target of frequent spear-phishing attempts, so some training was presumably in place; what worked here was far more elaborate than a generic phish, with a fake company and a series of interviews before the payload was delivered.
  2. Stringent Software and Hardware Management: Regular updates and security patches for all software and devices reduce the likelihood of a malware breach. Here the malware was most likely introduced through an outdated PDF reader on an employee's computer, which points to a need for rigorous patch management.
  3. Further Decentralization of Control: A 5-of-9 validator requirement suggests a degree of decentralization, but the attackers obtained four keys from a single organisation and a fifth with minimal effort. Keys held by genuinely independent parties, on isolated infrastructure, would have required far more than one intrusion.

    Decentralization exists on a spectrum, and in this case the bridge sat close to the centralized end. A single organisation could produce five valid signatures, which means insiders alone could have executed the same theft, a significant risk in itself. Ronin has since reworked its framework and adopted a much more decentralized validation system to mitigate such threats.

  4. Restriction of Work Devices to Professional Use: The breach highlighted the risk of using personal devices for work, especially if they connect to internal networks. Keeping personal and work devices separate limits the damage a compromised device can do.
  5. Robust Monitoring and Response Systems: Comprehensive monitoring and alerting speed up the detection of unauthorized activity and limit the damage. Here only about two minutes separated the two withdrawal transactions, so even an automated system might not have stopped the second one; the six days it took to notice the first, however, were a failure from a trust point of view. Organizations keep users' trust through incidents of this kind by being on top of the situation from the start. Once the incident was recognized, Sky Mavis handled it well: it brought in outside experts, temporarily halted services, and assured users that all lost funds would be made good.
  6. Clear Procedures for Access Revocation: Sky Mavis' postmortem did not name this directly as a failing, but the fifth validator was compromised because a few months earlier Sky Mavis had needed to sign on Axie DAO's behalf and the access was never revoked. Trading some decentralization for efficiency may have been an acceptable tradeoff, but it should have been treated with proper care: someone should have owned revoking the access once it was no longer needed, ideally with an expiry set at the time the access was granted. Adding more validators does not help if enough of them can be compromised at once. The postmortem mentions auditing, and an audit could have caught this, but it reads more like an internal process failure.
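For lesson 5, here is the kind of monitoring check a bridge operator could run over withdrawal events as they land. It is an added example in Python, not Sky Mavis' tooling, and it runs on constructed data: the bridge balances, timestamps and reference ids are invented, and only the two withdrawal amounts and the two-minute gap come from the text. It flags a withdrawal when it is large relative to the bridge's balance, when the amount withdrawn in a rolling window is large, or when no matching source-chain burn or lock event is known for it.

```python
"""Withdrawal monitoring for a lock/release bridge: three independent rules.

Added example, not Sky Mavis' code. Balances, timestamps and reference ids
below are constructed; only the two amounts and the two-minute gap are from the text.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Withdrawal:
    ts: int                      # unix seconds
    asset: str
    amount: float
    source_ref: Optional[str]    # id of the burn/lock on the source chain, if the relayer attached one


Alert = Tuple[int, str, List[str]]   # (timestamp, asset, reasons)


def detect(events: List[Withdrawal], balances: Dict[str, float],
           single_pct: float = 0.05, window_s: int = 600, window_pct: float = 0.10,
           known_refs: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Return an alert for every withdrawal that trips at least one rule.

    balances:   per-asset amount the bridge contract held before these events.
    known_refs: source-chain burn/lock ids the operator has independently observed.
    """
    recent: Dict[str, Deque[Tuple[int, float]]] = {}   # asset -> (ts, amount) inside the window
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent.setdefault(ev.asset, deque())
        while q and q[0][0] < ev.ts - window_s:       # drop entries that fell out of the window
            q.popleft()
        q.append((ev.ts, ev.amount))
        bal = balances[ev.asset]
        reasons: List[str] = []
        # Rule 1: one withdrawal is a large slice of everything the bridge holds.
        if ev.amount > single_pct * bal:
            reasons.append(f"single withdrawal is {ev.amount / bal:.0%} of bridge balance")
        # Rule 2: the rolling window total is a large slice, catching many mid-sized drains.
        window_total = sum(a for _, a in q)
        if window_total > window_pct * bal:
            reasons.append(f"{window_total:g} {ev.asset} withdrawn within {window_s}s")
        # Rule 3: the release points at no burn/lock the operator has seen on the other chain.
        if ev.source_ref not in known_refs:
            reasons.append("no matching source-chain burn/lock event")
        if reasons:
            alerts.append((ev.ts, ev.asset, reasons))
    return alerts


def run_demo() -> List[Alert]:
    """Two routine withdrawals, then the two from the text placed two minutes apart."""
    balances = {"ETH": 175_000.0, "USDC": 26_000_000.0}          # constructed
    known = frozenset({"ronin-burn-1001", "ronin-burn-1002"})   # constructed
    events = [
        Withdrawal(0, "ETH", 12.0, "ronin-burn-1001"),
        Withdrawal(300, "USDC", 5_000.0, "ronin-burn-1002"),
        Withdrawal(3600, "ETH", 173_600.0, None),        # forged approval: no burn to point at
        Withdrawal(3720, "USDC", 25_500_000.0, None),    # second forged approval, 120 s later
    ]
    return detect(events, balances, known_refs=known)


if __name__ == "__main__":
    for ts, asset, reasons in run_demo():
        print(f"t={ts:>5} {asset:<4} " + "; ".join(reasons))
```

The third rule is the one that matters most. A forged approval can be for any amount, so size-based rules can be tuned around, but it can never point at a real burn on the other chain, and reconciling each release against independently observed source-chain events catches it regardless of size. On the constructed input the first forged withdrawal trips all three rules the moment it lands, which is two minutes before the second one; whether that is enough time to pause the contract is an engineering question the rules alone do not answer.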

Following the breach, Sky Mavis moved the Ronin Network from Proof of Authority to Delegated Proof of Stake (DPoS), aiming for a more decentralized and secure framework. It also raised $150 million to cover the losses, underscoring the community's resilience and its commitment to security improvements.

Conclusion

The Ronin Network heist serves as a stark reminder of the cybersecurity threats looming over the DeFi space. It underscores the importance of robust security measures, continuous vigilance, and the inherent challenges of securing decentralized networks. As the blockchain ecosystem evolves, so too must the strategies to protect it, ensuring the integrity and trust that form the foundation of decentralized finance.