- Type: Exploit
- Network: Ethereum
- Total lost: ~624MM USD
- Category: Key Leak
- Vulnerable contracts: None
- Attack transactions:
- Attacker Addresses:
- Attack Block: 14442835, 14442840
- Date: Mar 23, 2022
- Reproduce:
```sh
forge test --match-contract Exploit_RoninBridge -vvv
```
- Social-engineering attack against the key holders to obtain privileged validator keys
- Use those keys to sign fraudulent withdrawals and drain the bridge
The Ronin Bridge was operated by 9 validators with a signature threshold of 5 out of 9. This threshold was misleading, though: 4 of the validators were operated by Sky Mavis. What is more, in Nov 2021 Axie delegated its validator's signing to Sky Mavis as well. The delegation was meant to be temporary, since Axie was experiencing heavy traffic, but it was never revoked.
As a result, Sky Mavis controlled 5 signatures, enough to approve any message on its own.
The attacker gained control of those keys through a social-engineering attack. With 5 valid validator signatures in hand, they were able to call withdrawERC on the bridge without any backing deposit on the other side: the contract only verifies that enough registered validators signed, not that the withdrawal corresponds to a real transfer.
- A multisig threshold provides no protection if, in practice, several keys are controlled by the same entity. Distribute keys to independent entities so that several parties really must agree before a transaction executes, and revoke temporary signing delegations as soon as the need for them ends.
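The following is an added example, not code from this repository or from Sky Mavis. It models the validator set described above as a mapping from validator key to controlling entity and computes the threshold that actually mattered: the number of distinct entities whose keys together reach the on-chain 5-of-9. The four operators other than Sky Mavis and Axie are not named on this page, so "Operator A" to "Operator D" are placeholders, and the validator names are constructed.

```python
# Added example (not from the repo or from Sky Mavis): models the Ronin validator
# set as "key -> controlling entity" and shows how a 5-of-9 signature threshold
# collapses to a single entity once one operator controls five of the keys.
from collections import Counter
from typing import Dict, Iterable, Set

THRESHOLD = 5  # 5-of-9, as on the Ronin bridge

# Constructed mapping, per the write-up: 4 Sky Mavis validators plus the Axie
# validator whose signing was delegated to Sky Mavis in Nov 2021 and never revoked.
# The remaining operators are not named on the page; "Operator A".."D" are placeholders.
RONIN_MARCH_2022: Dict[str, str] = {
    "validator-1": "Sky Mavis",
    "validator-2": "Sky Mavis",
    "validator-3": "Sky Mavis",
    "validator-4": "Sky Mavis",
    "validator-5": "Sky Mavis",   # Axie's key, signing delegated to Sky Mavis
    "validator-6": "Operator A",
    "validator-7": "Operator B",
    "validator-8": "Operator C",
    "validator-9": "Operator D",
}


def with_delegation_revoked(validators: Dict[str, str]) -> Dict[str, str]:
    """Same validator set, but the Axie key signs for Axie again."""
    fixed = dict(validators)
    fixed["validator-5"] = "Axie"
    return fixed


def keys_per_entity(validators: Dict[str, str]) -> Counter:
    """How many registered keys each entity controls."""
    return Counter(validators.values())


def min_colluding_entities(validators: Dict[str, str], threshold: int) -> int:
    """Smallest number of distinct entities whose combined keys meet the threshold.

    This is the threshold that actually protects the bridge; the on-chain
    M-of-N is only an upper bound on it.
    """
    total = 0
    counts = sorted(keys_per_entity(validators).values(), reverse=True)
    for n_entities, keys in enumerate(counts, start=1):
        total += keys
        if total >= threshold:
            return n_entities
    raise ValueError("threshold not reachable with the registered keys")


def bridge_accepts(signers: Iterable[str], validators: Dict[str, str], threshold: int) -> bool:
    """What the bridge itself checks: enough *distinct registered keys* signed.

    It has no notion of who operates a key, so concentration of keys in one
    entity is invisible at this layer. Duplicate and unregistered signers are ignored.
    """
    distinct = {s for s in signers if s in validators}
    return len(distinct) >= threshold


def entities_behind(signers: Iterable[str], validators: Dict[str, str]) -> Set[str]:
    """Which entities actually had to agree to produce this set of signatures."""
    return {validators[s] for s in signers if s in validators}


if __name__ == "__main__":
    # The five keys under Sky Mavis control were enough for the bridge.
    attacker_signers = [f"validator-{i}" for i in range(1, 6)]
    print("bridge accepts:", bridge_accepts(attacker_signers, RONIN_MARCH_2022, THRESHOLD))
    print("entities that agreed:", entities_behind(attacker_signers, RONIN_MARCH_2022))
    print("effective threshold (entities):", min_colluding_entities(RONIN_MARCH_2022, THRESHOLD))
    print("with delegation revoked:",
          min_colluding_entities(with_delegation_revoked(RONIN_MARCH_2022), THRESHOLD))
```

Running it shows the bridge accepting a withdrawal signed by keys that all trace back to one entity, and that merely revoking the Axie delegation would have raised the effective threshold from one entity to two. `min_colluding_entities` is the number worth tracking for any M-of-N scheme: if it is 1, the multisig is a single point of compromise regardless of what M and N say.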