03/30/2022
Last updated
By Safeheron Security Team
On March 29th, the Axie Infinity sidechain Ronin, the cross-chain bridge was stolen. The attacker used the hacked private key to forge fake withdrawals. At present, 173,600 ETH and 25.5 million USDC have been stolen from the Ronin bridge. The Ronin bridge and Katana Dex have suspended services right now.
Analysis By SlowMist
The incident started on March 23. $25.5 million USDC was transferred out of Ronin bridge and that was exchanged for ETH. Then the hacker first distributed 6250 ETH to various wallets. 1220 ETH has been transferred to FTX, 1 ETH to Crypto.com, and 3750 ETH to Huobi;
The Ronin bridge adopts a simple asset cross-chain model. Users transfer assets to Ronin cross-chain contracts on Ethereum, and the private key wallet controlled by Ronin mints ETH or USDC for users on the Ronin chain. If the user burns USDC and ETH on Ronin, the private key wallet controlled by Ronin signs the withdrawal certificate, and the user uses the withdrawal certificate to call the Ethereum cross-chain contract to redeem USDC, ETH, and other assets;
This means that the private key wallet controlled by Ronin is configured on the server and is accessible to third-party services, and there is a possibility of private keys being stolen on the server.
Safeheron Suggestion
The private key is best to be eliminated the single point of failure through Multi-Party Computation (MPC);
The private key shards are distributed to multiple hardware-isolated chips for protection;
There should be more policy approval protection for large capital operations, to ensure that fund transfer is well-informed and confirmed by the main person in charge as soon as possible;
The actual time of the theft is March 23, thus, the project should strengthen the monitoring of services and funds.
