Following last month's $600 million hack, the Ronin Network and Sky Mavis have promised to enhance their smart contracts, offer substantial bug bounties, and increase security.
An exploit on the Ethereum sidechain built for the popular NFT game Axie Infinity resulted in a loss of 173,600 ETH and 25.5 million USDC, valued at roughly $612 million at the time.
The FBI this month attributed the attack to Lazarus, a North Korea-based, state-sponsored hacking group, and then issued a warning to other crypto and blockchain firms.
Following the news that it would be changing its platform, Ronin yesterday published a post-mortem report stating that all user funds are being restored, as promised.
What happened during the hack
The hack was carried out by a malicious insider who had gained access to the network of a former employee of Sky Mavis, the creator of Axie Infinity. The attacker was able to use the employee's credentials to log in to Sky Mavis' four validator nodes, which made up nearly half of the nine in the Axie/Ronin ecosystem.
The hacker then exploited a backdoor into Sky Mavis' gas-free RPC node to obtain the signature for the Axie DAO validator.
“This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allow list access was not revoked,” the report reads.
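An added example (not code from Sky Mavis or the report) of an audit for the failure described above: a signing delegation that outlived its purpose, combined with one operator's own validators, gives that operator enough signatures on its own. The validator IDs, other operator names, dates, and the five-signature threshold are assumptions constructed for illustration; the article does not state the threshold.

```python
from datetime import date

# Constructed inventory modelled on the article: nine validators, four of them
# run by Sky Mavis. The other operator names are placeholders.
VALIDATORS = {
    "sm-1": "Sky Mavis", "sm-2": "Sky Mavis", "sm-3": "Sky Mavis",
    "sm-4": "Sky Mavis", "axie-dao": "Axie DAO", "ext-1": "Operator B",
    "ext-2": "Operator C", "ext-3": "Operator D", "ext-4": "Operator E",
}
# Signing delegation from the report: needed only until December 2021, never
# revoked. The exact day is constructed; the article gives only the month.
DELEGATIONS = [{"validator": "axie-dao", "delegate": "Sky Mavis",
                "needed_until": date(2021, 12, 31), "revoked_on": None}]
THRESHOLD = 5  # assumption: signatures needed to approve a withdrawal


def is_live(d, today):
    """A delegation still grants signing rights until it is actually revoked."""
    return d["revoked_on"] is None or d["revoked_on"] > today


def effective_control(validators, delegations, today):
    """Map each operator to every validator it can sign for, own or delegated."""
    control = {}
    for vid, operator in validators.items():
        control.setdefault(operator, set()).add(vid)
    for d in delegations:
        if is_live(d, today):
            control.setdefault(d["delegate"], set()).add(d["validator"])
    return control


def audit(validators, delegations, threshold, today):
    """Return findings as (kind, subject, detail) tuples."""
    findings = []
    for d in delegations:
        # Purpose has ended but the grant is still usable.
        if is_live(d, today) and d["needed_until"] < today:
            findings.append(("STALE_DELEGATION", d["validator"], d["delegate"]))
    for operator, vids in effective_control(validators, delegations, today).items():
        # One compromised operator could approve withdrawals alone.
        if len(vids) >= threshold:
            findings.append(("SINGLE_OPERATOR_QUORUM", operator, len(vids)))
    return findings


if __name__ == "__main__":
    for finding in audit(VALIDATORS, DELEGATIONS, THRESHOLD, date(2022, 3, 1)):
        print(finding)
```

Recording the revocation date clears both findings, because Sky Mavis then controls only its own four validators.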
Following the breach, Sky Mavis and the Ronin Network have made significant changes.
The Ronin Network expects to have its bridge open again by mid-May, with Binance continuing to provide access until then.
The team is upgrading the Ronin bridge smart contracts, which are 80% complete, and updating the backend. All pending withdrawals will be reworked, and a validator dashboard that “allows for approving large transactions and adding/removing new validators” will be launched.
Sky Mavis will invest in “top-tier security experts,” conduct contract audits, and establish stricter internal procedures such as training courses to combat external threats.
The company has also indicated that it will double its node count to help decentralize the project. Sky Mavis intends to triple its node number from nine to 21 in three months, extending the term. The project plans for more than 100 nodes in the long run.
Sky Mavis will also offer bug bounties of up to $1 million to white hat hackers who discover additional vulnerabilities.