Original title: "The biggest security incident of 2022, over 600 million US dollars stolen! A brief analysis of the Ronin cross-chain bridge attack"
Over 600 million US dollars of cryptocurrency stolen
On March 29, the blockchain project platform Ronin announced that it had been hacked and that cryptocurrency worth over 600 million US dollars had been stolen.
According to Ronin, unidentified hackers entered the system on March 23 and stole 173600 ETH (Ether) and over 25.5 million USDC (USD Coin).
The incident was discovered on March 29, when a user was unable to withdraw 5000 ETH. The attack itself took place on March 23:
March 23, 13:29: 173600 ETH stolen
March 23, 13:31: 25500000 USDC stolen
How was 600 million US dollars of virtual currency stolen?
Ronin is the underlying blockchain of the globally popular NFT game Axie Infinity. Cryptocurrency holders often operate in more than one blockchain ecosystem, so developers have built cross-chain bridges that let users send cryptocurrency from one chain to another. Using this bridge, players can deposit Ethereum or USDC into Ronin and use it to buy non-fungible tokens (NFTs) or in-game currency. Players can also sell their in-game assets and withdraw the funds. Ronin and Axie Infinity both belong to the operator Sky Mavis.
It is understood that the Ronin chain currently consists of 9 validator nodes. For a deposit event or a withdrawal event to be recognized, five of the nine validators must sign. The attacker managed to take control of four Ronin validators run by Sky Mavis and one third-party validator run by Axie DAO. (In November 2021, Sky Mavis asked Axie DAO for help distributing free transactions because the user load was huge. Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This arrangement stopped in December 2021, but the allowlist access was not revoked. The attacker found a back door through the gas-free RPC node: once the attacker had access to Sky Mavis's systems, they were able to obtain the signature from the Axie DAO validator through the gas-free RPC.) After compromising five of the nine validator nodes, the attacker could threaten the security of any transaction and withdraw any funds they wanted.
Sky Mavis said that, after the incident, it will increase the number of nodes required for a transaction to 8, and that Ronin will be reopened "at a later date" once it has been determined that no further funds can be taken.
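The effect of the stale allowlist on the 5-of-9 threshold can be checked mechanically. The following is an added example, not part of the original article: it computes the smallest number of independent parties whose systems must be breached to reach the signing threshold. The `other-N` validators and `operator-N` names are placeholders, since the article does not name the remaining four operators.

```python
from itertools import combinations

def min_parties_to_reach(threshold, signers):
    """signers maps validator -> set of parties whose systems can make that
    validator sign (its operator plus any allowlisted delegate).
    Returns the smallest set of parties controlling >= threshold validators."""
    parties = sorted(set().union(*signers.values()))
    for k in range(1, len(parties) + 1):
        for combo in combinations(parties, k):
            chosen = set(combo)
            controlled = [v for v, who in signers.items() if who & chosen]
            if len(controlled) >= threshold:
                return chosen
    return None  # threshold cannot be reached at all

def build_validator_set(delegation_active):
    """Nine validators as described in the article: four run by Sky Mavis,
    one run by Axie DAO, four others (placeholder operators)."""
    signers = {f"skymavis-{i}": {"Sky Mavis"} for i in range(1, 5)}
    signers["axie-dao"] = {"Axie DAO"}
    if delegation_active:
        # The allowlist entry lets Sky Mavis systems request Axie DAO signatures.
        signers["axie-dao"].add("Sky Mavis")
    for i in range(1, 5):
        signers[f"other-{i}"] = {f"operator-{i}"}  # placeholder names
    return signers

if __name__ == "__main__":
    for active in (True, False):
        for threshold in (5, 8):
            parties = min_parties_to_reach(threshold, build_validator_set(active))
            print(f"delegation={active} threshold={threshold}: "
                  f"{len(parties)} parties -> {sorted(parties)}")
```

With the allowlist entry still active, a single party reaches the 5-of-9 threshold; revoking it raises that to two, and the 8-signature threshold raises it further.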
Where did the 600 million US dollars of stolen virtual currency go?
After the incident came to light, Chengdu Lianan used "Chain must chase", its intelligent research and judgment platform for virtual currency cases (hereinafter "Chain must chase"), to trace the stolen virtual currency. The results show:
1. The project's stolen virtual currency was transferred to the hacker's address. The address is:
2. The hacker transferred the stolen USDC to two addresses, exchanged it for ETH, and sent it back to the hacker's own address.
Address 0x665660f65e94454a64b96693a67a41d440155617 converted 14500000 USDC into 4870.14 ETH and returned it to the hacker's address;
Address 0xe708f17240732bbfa1baa8513f66b665fbc7ce10 converted 11000000 USDC into 3694.54 ETH and returned it to the hacker's address;
3. The hacker moved 4970.95 ETH through 15 intermediate transfer addresses and then into addresses at Huobi and other exchanges.
Using the address analysis module of Chain must chase and entering the hacker address 0x098b716b8aaf21512996dc57eb0615e2383e2f96, we found that on March 28 the hacker transferred 4970.95 ETH to Huobi and other exchanges. The addresses through which the funds flowed to the exchanges are as follows:
1) Address 1 flowing into HUOBI (Huobi exchange):
0x73f8fc2e74302eb2efda125a326655acf0dc2d1b, about 2500 ETH;
2) Address 2 flowing into HUOBI (Huobi exchange):
0x28ffe35688ffffd0659aee2e34778b0ae4e193ad, about 1250 ETH;
3) Address flowing into the FTX exchange:
0xc098b2a3aa256d2140208c3de6543aaef5cd3a94, total inflow about 1219.96 ETH;
4) Address flowing into the Crypto.com exchange:
0x6262998ced04146fa42253a5c0af90ca02dfd2a3, total inflow about 0.99 ETH;
4. Hacker address balance: 175913.70 ETH
Chengdu Lianan will continue to follow the progress of the incident and to monitor the funds on chain, and will share any new information as soon as it is available.
The attack on Ronin, the Axie Infinity side chain, also offers a number of lessons. Chengdu Lianan gives the following recommendations for cross-chain bridge projects of this kind:
1. Pay attention to the security of the signing servers;
2. When a signing service is taken offline, update the policy promptly, shut down the corresponding service module, and consider retiring the corresponding signing account address;
3. Where multi-signature verification is used, the signing services should be logically isolated from one another and each should verify the content to be signed independently; a validator must not be able to ask other validators to sign directly without verification;
4. The project team should monitor project funds for anomalies in real time.
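Recommendations 2 and 3 can be expressed as two checks inside each validator's signing routine. The following is an added example, not code from Ronin or Chengdu Lianan: the `relay` requester, the validator names, keys and withdrawals are constructed, and HMAC-SHA256 stands in for a real signature scheme.

```python
import hashlib
import hmac

THRESHOLD = 5  # signatures required out of 9 validators, per the article

def payload(w):
    return f"{w['id']}|{w['to']}|{w['amount']}".encode()

def mac(key, w):
    # HMAC-SHA256 is a stand-in for the validator's real signature scheme.
    return hmac.new(key, payload(w), hashlib.sha256).hexdigest()

class Validator:
    def __init__(self, name, key, observed, allowlist):
        self.name, self.key = name, key
        self.observed = observed    # withdrawals this node confirmed on chain itself
        self.allowlist = allowlist  # requester -> expiry time of its signing permission

    def sign(self, w, requester, now):
        """Return a signature, or None when the request is refused."""
        if self.allowlist.get(requester, 0) <= now:
            return None  # unknown requester or lapsed permission (recommendation 2)
        if self.observed.get(w["id"]) != (w["to"], w["amount"]):
            return None  # content not independently confirmed (recommendation 3)
        return mac(self.key, w)

def bridge_accepts(w, sigs, keys):
    valid = [n for n, s in sigs.items()
             if s is not None and hmac.compare_digest(s, mac(keys[n], w))]
    return len(valid) >= THRESHOLD

def run(w, validators, keys, requester, now):
    sigs = {v.name: v.sign(w, requester, now) for v in validators}
    signed = sum(s is not None for s in sigs.values())
    return signed, bridge_accepts(w, sigs, keys)

# Constructed sample data: nine validators, one with a lapsed allowlist entry.
NOW = 1_700_000_000
KEYS = {f"v{i}": bytes([i + 1]) * 32 for i in range(9)}
CHAIN = {1: ("0xUSER", 5000)}
VALIDATORS = [Validator(n, k, CHAIN, {"relay": NOW - 1 if n == "v8" else NOW + 3600})
              for n, k in KEYS.items()]
REAL = {"id": 1, "to": "0xUSER", "amount": 5000}
FORGED = {"id": 2, "to": "0xATTACKER", "amount": 173600}

if __name__ == "__main__":
    print(run(REAL, VALIDATORS, KEYS, "relay", NOW))
    print(run(FORGED, VALIDATORS, KEYS, "relay", NOW))
```

A genuine withdrawal still clears the threshold with one validator refusing on the lapsed permission, while a request that no validator has observed on chain collects no signatures regardless of who relays it.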