Chengdu Lianan: A brief analysis of the Ronin cross-chain bridge attack

Chengdu Lianan 2022-04-04 10:57:21

Original title: 《The biggest security event of 2022, over $600 million stolen! A brief analysis of the Ronin cross-chain bridge attack》

Over $600 million of cryptocurrency stolen

On March 29, the blockchain project platform Ronin announced that it had been hacked, with over $600 million of cryptocurrency stolen.

According to Ronin's statement, on March 23 unidentified hackers entered the system and stole 173,600 ETH and 25.5 million USDC.

The incident was only discovered on March 29, when a user was unable to withdraw 5,000 ETH; the attack itself had first taken place on March 23.

March 23, 13:29: 173,600 ETH stolen

March 23, 13:31: 25,500,000 USDC stolen

How was $600 million of virtual currency stolen?

Ronin is the underlying blockchain of the globally popular NFT game Axie Infinity. Cryptocurrency holders often operate in more than one blockchain ecosystem, so the developers built a cross-chain bridge that lets users send cryptocurrency from one chain to another. Using this bridge, players can deposit ETH or USDC into Ronin and use it to buy non-fungible tokens (NFTs) or in-game currency. Players can also sell their in-game assets and withdraw funds. Ronin and Axie Infinity both belong to the same operator, Sky Mavis.

As we understand it, the Ronin chain currently consists of 9 validator nodes. To recognize a deposit or withdrawal event, five of the nine validators must sign. The attacker managed to control the four Ronin validators run by Sky Mavis and one third-party validator run by Axie DAO. (In November 2021, Sky Mavis asked Axie DAO to help distribute free transactions because user load was huge, and Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This arrangement stopped in December 2021, but the allowlist access was never revoked. The attacker found a backdoor through the gas-free RPC node: once the attacker had gained access to Sky Mavis's systems, they could obtain the Axie DAO validator's signature through the gas-free RPC.) Having compromised five of the nine validator nodes, the attacker could compromise the security of any transaction and withdraw any funds they wanted.

Sky Mavis stated that, following the incident, it will raise the number of validator signatures required by the bridge to 8, and that once it is confirmed that no further funds can be taken, Ronin will be reopened "in the future".
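To make the 5-of-9 failure mode concrete, the following model (an added example, not Ronin's or Sky Mavis's code) treats the bridge as a threshold check over validator signatures and models the unrevoked Axie DAO allowlist as a validator that signs on request of another operator without verifying the request itself. Validator and operator labels are constructed; the only assumptions taken from the text are the 9 validators, the 5-signature threshold, the 4 Sky Mavis validators, the stale Axie DAO delegation, and the planned increase to 8 signatures.

```python
from dataclasses import dataclass, field, replace


@dataclass
class BridgeConfig:
    # validator name -> operator running it (names are constructed for this example)
    validators: dict
    # number of distinct validator signatures a withdrawal must carry
    threshold: int
    # validator -> operators allowed to obtain its signature on request without
    # the validator verifying the request itself (models the stale gas-free RPC allowlist)
    delegations: dict = field(default_factory=dict)


def controlled_validators(cfg: BridgeConfig, compromised_operators: set) -> set:
    """Validators whose signature an attacker holding the compromised operators can produce."""
    controlled = set()
    for name, operator in cfg.validators.items():
        if operator in compromised_operators:
            controlled.add(name)          # attacker runs the validator directly
        elif cfg.delegations.get(name, set()) & compromised_operators:
            controlled.add(name)          # validator signs whatever a compromised operator requests
    return controlled


def withdrawal_accepted(cfg: BridgeConfig, signers: set) -> bool:
    """Bridge-side check: enough distinct, known validators signed the withdrawal."""
    return len(signers & set(cfg.validators)) >= cfg.threshold


def can_forge_withdrawal(cfg: BridgeConfig, compromised_operators: set) -> bool:
    return withdrawal_accepted(cfg, controlled_validators(cfg, compromised_operators))


def revoke_delegation(cfg: BridgeConfig, validator: str) -> BridgeConfig:
    """Mitigation: drop the allowlist entry once the delegated service is no longer needed."""
    kept = {v: set(ops) for v, ops in cfg.delegations.items() if v != validator}
    return replace(cfg, delegations=kept)


def raise_threshold(cfg: BridgeConfig, threshold: int) -> BridgeConfig:
    """Mitigation: require more signatures than any single operator can control."""
    return replace(cfg, threshold=threshold)


# 9 validators, 5-of-9 threshold: 4 run by Sky Mavis, 1 by Axie DAO, 4 by other parties
# (validator and operator labels are constructed)
RONIN_LIKE = BridgeConfig(
    validators={
        "ronin-1": "sky-mavis", "ronin-2": "sky-mavis",
        "ronin-3": "sky-mavis", "ronin-4": "sky-mavis",
        "axie-dao": "axie-dao",
        "ext-1": "operator-a", "ext-2": "operator-b",
        "ext-3": "operator-c", "ext-4": "operator-d",
    },
    threshold=5,
    # Axie DAO let Sky Mavis obtain its signature in Nov 2021 and the entry was never revoked
    delegations={"axie-dao": {"sky-mavis"}},
)


def scenario() -> dict:
    """Compare the original configuration with each mitigation, given a Sky Mavis compromise."""
    compromised = {"sky-mavis"}
    return {
        "controlled": sorted(controlled_validators(RONIN_LIKE, compromised)),
        "original": can_forge_withdrawal(RONIN_LIKE, compromised),
        "delegation_revoked": can_forge_withdrawal(
            revoke_delegation(RONIN_LIKE, "axie-dao"), compromised),
        "threshold_8": can_forge_withdrawal(
            raise_threshold(RONIN_LIKE, 8), compromised),
        "both": can_forge_withdrawal(
            raise_threshold(revoke_delegation(RONIN_LIKE, "axie-dao"), 8), compromised),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point the model makes is that the effective threshold is not "5 distinct operators" but "5 distinct signatures", and a delegation that lets one operator obtain another validator's signature collapses two operators into one. Either revoking the stale delegation or raising the threshold above the number of signatures one operator can reach is enough to make the forged withdrawal fail in this model.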

Where did the $600 million of stolen virtual currency go?

After the incident came to light, Chengdu Lianan used Chain Must Chase (the Intelligent Analysis and Judgment Platform for Virtual Currency Cases; hereinafter "Chain Must Chase") to track the stolen virtual currency. The results show:

1. The stolen virtual currency of the project was transferred to the hacker's address, which is:


2. After transferring the stolen USDC to two addresses, the hacker swapped it for ETH and sent the ETH back to the hacker's own address.

1) Through the address 0x665660f65e94454a64b96693a67a41d440155617, 14,500,000 USDC was converted into 4,870.14 ETH and returned to the hacker's address;

2) Through the address 0xe708f17240732bbfa1baa8513f66b665fbc7ce10, 11,000,000 USDC was converted into 3,694.54 ETH and returned to the hacker's address;

3. The hacker moved 4,970.95 ETH through 15 intermediate addresses into Huobi and other exchanges.

Using the address analysis module of Chain Must Chase, we entered the hacker address 0x098b716b8aaf21512996dc57eb0615e2383e2f96 and found that on March 28 the hacker transferred 4,970.95 ETH to Huobi and other exchanges. The exchange addresses the funds flowed into are as follows:

1) Inflow to HUOBI (Huobi exchange) address 1: 0x73f8fc2e74302eb2efda125a326655acf0dc2d1b, about 2,500 ETH;

2) Inflow to HUOBI (Huobi exchange) address 2: 0x28ffe35688ffffd0659aee2e34778b0ae4e193ad, about 1,250 ETH;

3) Inflow to the FTX exchange address: 0xc098b2a3aa256d2140208c3de6543aaef5cd3a94, total inflow about 1,219.96 ETH;

4) Inflow to the exchange address: 0x6262998ced04146fa42253a5c0af90ca02dfd2a3, total inflow about 0.99 ETH;

4. Hacker address balance: 175,913.70 ETH
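The fund-flow attribution above (seed address, intermediate hops, labelled exchange deposit addresses) can be reproduced in miniature with a forward trace over a transfer list. The code below is an added example, not Chain Must Chase's method or code: the addresses and transfers are constructed placeholders that mirror the amounts reported above, and the attribution rule (process transfers in time order, an address spends tainted funds before clean ones, each hop carries at most the tainted balance held) is an assumption chosen for this example.

```python
from collections import defaultdict


def trace_forward(transfers, seed, labels):
    """Follow funds leaving `seed` through unlabelled intermediaries until they
    reach a labelled address such as an exchange deposit address.

    Attribution rule (an assumption of this example, not the platform's method):
    transfers are processed in time order, every transfer out of `seed` is fully
    tainted, and any other address spends tainted funds before clean ones, so a
    hop carries min(amount, tainted balance held by the sender).
    Returns ({label: amount reached}, {address: tainted amount still held}).
    """
    tainted = defaultdict(float)
    reached = defaultdict(float)
    for t in sorted(transfers, key=lambda t: t["time"]):
        src, dst, amount = t["from"], t["to"], t["amount"]
        if src == seed:
            moved = amount
        else:
            moved = min(amount, tainted[src])
            if moved <= 0:
                continue                      # clean funds only; not part of the trace
            tainted[src] -= moved
        if dst in labels:
            reached[labels[dst]] += moved     # stop at a labelled (attributable) address
        elif dst != seed:
            tainted[dst] += moved             # keep following through the intermediary
    held = {a: v for a, v in tainted.items() if v > 1e-9}
    return dict(reached), held


# Constructed data: placeholder addresses, not the real ones listed in the text
HACKER = "0xhacker-placeholder"
EXCHANGES = {
    "0xhuobi-1": "HUOBI", "0xhuobi-2": "HUOBI",
    "0xftx-1": "FTX", "0xother-1": "OTHER",
}
TRANSFERS = [
    {"time": 1, "from": HACKER, "to": "0xhop-a", "amount": 2500.0},
    {"time": 2, "from": HACKER, "to": "0xhop-b", "amount": 1250.0},
    {"time": 3, "from": HACKER, "to": "0xhop-c", "amount": 1220.95},
    {"time": 4, "from": "0xclean", "to": "0xhop-a", "amount": 100.0},   # unrelated funds mixed in
    {"time": 5, "from": "0xhop-a", "to": "0xhuobi-1", "amount": 2500.0},
    {"time": 6, "from": "0xhop-a", "to": "0xhop-e", "amount": 100.0},   # only clean funds remain
    {"time": 7, "from": "0xhop-b", "to": "0xhop-d", "amount": 1250.0},
    {"time": 8, "from": "0xhop-d", "to": "0xhuobi-2", "amount": 1250.0},
    {"time": 9, "from": "0xhop-c", "to": "0xftx-1", "amount": 1219.96},
    {"time": 10, "from": "0xhop-c", "to": "0xother-1", "amount": 0.99},
]


def run_trace():
    """Trace the constructed transfers from the placeholder hacker address."""
    return trace_forward(TRANSFERS, HACKER, EXCHANGES)


if __name__ == "__main__":
    reached, held = run_trace()
    for label, amount in sorted(reached.items()):
        print(f"{label}: {amount:.2f} ETH")
    print("still held at intermediaries:", held)
```

The clean 100 ETH that enters 0xhop-a is deliberately not attributed to the hacker: by the time it leaves, the tainted balance of that hop is already zero. Real tracing platforms differ in exactly this choice (FIFO, proportional, poison), and the choice changes the per-exchange totals, which is why the rule is stated explicitly.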

Chengdu Lianan will continue to follow the progress of this incident and to monitor the funds on-chain, and will share any new developments with you as soon as they arise.

Security reminder

The attack on Axie Infinity's side chain Ronin offers a number of lessons. Chengdu Lianan makes the following suggestions for cross-chain bridge projects of this kind:

1. Pay attention to the security of the signature servers;

2. When a signature service goes offline, update the policy promptly, shut down the corresponding service module, and consider retiring the corresponding signing account address;

3. In multi-signature verification, the signing services should be logically isolated and each should independently verify the content it signs; it must not be possible for some verifiers to request signatures from other verifiers directly without verification;

4. The project team should monitor abnormal movements of project funds in real time.
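Suggestion 4 is the one that would have shortened the six days between the withdrawals on March 23 and their discovery on March 29. The monitor below is an added example, not code from Chengdu Lianan or Sky Mavis: it walks a constructed stream of bridge withdrawals and raises an alert when a withdrawal is larger than the bridge's current holdings for that token, exceeds a per-token hard cap, or is a large multiple of the median of recent withdrawals. The caps, ratio, deposit totals and routine withdrawals are constructed thresholds and data; the two outsized amounts reuse the figures reported in the text.

```python
from collections import defaultdict, deque
from statistics import median


def monitor_withdrawals(deposits, withdrawals, caps, ratio=10.0, window=20, min_history=5):
    """Scan bridge withdrawals in order and return a list of alerts.

    Checks (thresholds are constructed for this example):
      unbacked  - withdrawal exceeds what the bridge currently holds for that token
      above_cap - withdrawal exceeds the per-token hard cap in `caps`
      spike     - withdrawal exceeds `ratio` times the median of the last `window`
                  withdrawals of that token (needs `min_history` samples first)
    """
    held = defaultdict(float)
    for d in deposits:
        held[d["token"]] += d["amount"]
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for i, w in enumerate(withdrawals):
        token, amount = w["token"], w["amount"]
        reasons = []
        if amount > held[token]:
            reasons.append("unbacked")
        if amount > caps.get(token, float("inf")):
            reasons.append("above_cap")
        recent = history[token]
        if len(recent) >= min_history and amount > ratio * median(recent):
            reasons.append("spike")
        if reasons:
            alerts.append({"index": i, "time": w["time"], "token": token,
                           "amount": amount, "reasons": reasons})
        # the chain has already executed the withdrawal; keep the monitor's view in sync
        held[token] -= amount
        recent.append(amount)
    return alerts


def run_demo():
    """Constructed event stream: routine withdrawals, then two outsized ones that
    mirror the amounts reported in the text, then one the bridge can no longer back."""
    deposits = [{"token": "ETH", "amount": 200_000.0},
                {"token": "USDC", "amount": 30_000_000.0}]
    routine_eth = [5, 12, 3.5, 40, 8, 15, 2, 25, 9, 11]
    routine_usdc = [1000, 500, 2500, 800, 1200]
    withdrawals = []
    for k, amt in enumerate(routine_eth):
        withdrawals.append({"time": f"03-22 10:{k:02d}", "token": "ETH", "amount": float(amt)})
    for k, amt in enumerate(routine_usdc):
        withdrawals.append({"time": f"03-22 11:{k:02d}", "token": "USDC", "amount": float(amt)})
    withdrawals += [
        {"time": "03-23 13:29", "token": "ETH", "amount": 173_600.0},
        {"time": "03-23 13:31", "token": "USDC", "amount": 25_500_000.0},
        {"time": "03-23 13:40", "token": "ETH", "amount": 50_000.0},
    ]
    caps = {"ETH": 10_000.0, "USDC": 5_000_000.0}   # constructed per-token hard caps
    return monitor_withdrawals(deposits, withdrawals, caps)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The "unbacked" check is the on-chain counterpart of suggestion 3: a withdrawal that the bridge cannot cover from its own deposits is by definition not a legitimate release of user funds, regardless of how many signatures it carries. The cap and spike checks are cheaper and fire on the very first outsized withdrawal, which is the signal an operator would want paged on within minutes rather than discovered through a failed user withdrawal days later.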

Copyright notice: this article was created by [Chengdu Lianan]; please include a link to the original when reposting. Thank you.