The cryptocurrency field is relatively new. Therefore, the tricks used by hackers to scam people are also novel. During market unrest in March, the crypto users faced the largest exploit in the DeFi [decentralized finance] history. On 29th March, the Ronin network’s official substack noted an exploit affecting the validator nodes for Sky Mavis, the publishers of the popular Axie Infinity game, and the Axie DAO.
Even though investigators and the members of the US government pinned the blame on the notorious hacking group Lazarus from North Korea, research by a media publication revealed that a fake job posting could have been the real reason for Ronin’s undoing.
A Hack Job
Axie Infinity was a giant platform that enabled users to earn a living through playing games. At its peak, it reported 2.7 million daily active users and $214 million in weekly trading volume- mainly from its in-game NFTs. However, these numbers have been sitting at low levels since its hay days.
Reportedly, a fake job posting by a non-existent company lured the hackers into the system leading to a historical exploit of the DeFi network. On investigation by The Block, it was revealed that staff at Axie Infinity developers, Sky Mavis, were approached by people belonging to this non-existent company for jobs through professional networking sites such as LinkedIn. Amid this, a senior engineer at Axie Infinity was tricked into applying for a job at this fake company.
A source revealed that the interview process consisted of multiple rounds, after which the Sky Mavis engineer was offered a job with a handsome compensation package. The offer was delivered in the form of a PDF document, which, upon download, installed a spyware to infiltrate Ronin’s system. It was a cakewalk for the hackers, who managed to take over four out of nine validators on the Ronin network, leaving them one validator short of taking total control.
Per definition, Validators are responsible for several functions taking place on a blockchain, like the formation of blocks and updating oracles. Ronin used a “proof-of-authority” system for signing transactions, thus, concentrating power in the hands of nine validators.
In the post-mortem report, Sky Mavis acknowledged that its employees were under constant advanced spear-phishing attacks, which is how one of its employees got compromised. It had added,
“This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”
An incident report from Elliptic explained that the DeFi hackers could get hold of five private cryptographic keys belonging to the validators, which was enough to steal the crypto assets. However, as noted earlier, they could get only four keys through the fake job posting. So how did they get the fifth Key?
The final Key
As per the post-mortem report, Sky Mavis revealed that the hackers exploited the Axie DAO [Decentralized Autonomous Organization] set up to get the fifth Key. Per the developer, it has asked the DAO for help dealing with the transaction load in November 2021. It stated,
“The Axie DAO allow listed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allow list access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator.”
Lock and Key
Since the incident, countless efforts have been made by the DeFi space to secure its platforms and users from hackers. Consequently, Sky Mavis also increased the number of validator nodes to 11, with a long-term goal of having more than 100 nodes.
Although Sky Mavis and LinkedIn refused to comment on the hack’s specifics, ESET’s research showed that the North Korean hacking group had abused LinkedIn and WhastApp by posting as recruiters and targeting aerospace and defense contractors. However, it did not tie this method to the Ronin hack.
Although Ronin was not the only hack in the DeFi space, it was definitely the biggest. Similar hacks took pace earlier on Poly Network, Wormhole, Beanstalk, and Vulcan Forged, each crossing a loss of over $100 million. Preventing these attacks is of utmost priority as the DeFi industry has already suffered $3 billion in irreversible losses due to hacks.
As we enter the new age of the internet with web 3.0 and the Metaverse, more measures need to be taken to secure the DeFi platforms from hackers, one of which was using white hat hackers to find existing bugs on the platform. Several bug bounty programs are already in place, and some hackers even made it as employees with a change of heart. However, these were still temporary measures, and a robust security system is needed to keep the funds SAFU!