Multi-Sig Wallet Error Drains Over $600M From Axie's Ronin Network
Cash.Tech Newsletter #23: Understanding multisig wallets and the Ronin network hack
This week, the cryptocurrency industry recorded its largest heist. Over $600,000,000 was stolen from the Ronin Network, an Ethereum-linked side chain powering the popular Axie Infinity game. The theft is largely linked to a horrendous multi-signature wallet error that highlights the need for projects to embrace highly decentralized infrastructure.
This Cash.Tech Newsletter release introduces you to multi-signature wallets and breaks down the Ronin Network hack. We also identify the root cause of the exploit and how Cash.Tech is helping crypto investors secure their assets. Firstly, we have some exciting development updates.
Cash.Tech development update
The Cash.Tech team is happy to report we are approaching the final development stages for the Merchant Protocol. As a recap, the Merchant Protocol is an application that will be made available to merchants worldwide in order to easily accept cryptocurrencies, with an emphasis on $CATE tokens.
So far, we have completed some key features, including the most important one: the inventory/product catalog of items that the merchant sells. The product category itself has been finished as well as the API and the connection to the front-end (the actual merchant app). Merchants can now easily create, add, modify and remove product catalogs and products, all without actually creating an account.
The Cash.Tech team has defined requirements for in-app Merchant Settings and Balance Listing. These functions allow merchants to change their store name and location, as well as view the balances for all cryptocurrencies held by the business. The team has also finished creating the design for the Payment Listing page where merchants can review all payments received from customers.
At this time, the team is developing the API for the actual product payment (by a consumer to a merchant). After the development, we will be able to connect the logic of the payment process to the front-end of the app. When this is completed, the app will be able to accept payments from consumers! We look forward to bringing you further updates about the Merchant Protocol deployment as well as our ongoing application for an Apple Store listing of our latest iOS version.
Understanding multi-signature wallets
Multi-signature (multi-sig) cryptocurrency wallets are wallets that require two or more private keys to sign a transaction before it is approved. These wallets are designed to reduce the risk of crypto being stolen through the compromise of a single user.
Some wallets are set up as 3/5 (where three out of five users must sign to approve a transaction) or other variations designed to optimize security. Multi-sig wallets are a popular option for crypto companies that hold substantial user funds and require authorization from key personnel to approve transactions. Notably, the recent hack of the Ronin Network bridge exploited the developers' decision to underutilize its multi-signature infrastructure.
Breaking down the Ronin Bridge hack
The Ronin Bridge is an infrastructure that allows users to deposit assets from Ethereum to the Ronin network and vice-versa. Funds are locked on the bridge to be used on the receiving end and returned to the user if they choose to bridge back assets. The Ronin network had over $600 million worth of assets locked at the time of the recent exploit. The large figure was the result of an ongoing liquidity mining program that attracted investors to the chain.
According to a post-mortem report, Ronin Network developers set up a 5/9 multi-sig wallet where five out of nine users are required to approve a withdrawal from the bridge. However, the project had entrusted 4 out of 9 signatures to Sky Mavis, the startup behind the Axie Infinity game and the Ronin network. This critical error meant that a compromise of the company's private keys would result in a hacker requiring only one extra signature to drain the millions of dollars locked on the bridge. Hence, the recent exploit saw the hacker obtain the four private key signatures from Sky Mavis via a reported "social engineering" method.
Another costly error by Ronin developers involved leaving one of the network's validators, called the AxieDAO, on a signature whitelist. This meant that the hacker already had one signature to automatically approve their withdrawal request and only needed the four keys obtained from Sky Mavis to drain the funds. This was exactly what happened, allowing the hacker to steal 25.5 million USDC and 173,600 ETH (worth $600 million at the time). The funds are still being held in the hacker's address.
Ronin Network developers remain on the hunt for the hacker, but will imminently address the security vulnerability by raising the multi-sig validator threshold from 5/9 to 8/9. This optimal strategy should have been the standard from the beginning and could have helped avert the current crisis.
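The gap between the nominal 5/9 threshold and the number of parties an attacker actually had to compromise can be checked mechanically. The following is an added example, not code from this newsletter or from Ronin: it computes the fewest custodians whose compromise reaches the signing threshold. The "independent-*" custodian names are placeholders, and treating the whitelist as letting Sky Mavis obtain the AxieDAO signature is a modelling assumption.

```python
from itertools import combinations

def min_custodians_to_reach(threshold, holds, allowlist=None):
    """Return (k, group): the fewest custodians whose compromise yields
    `threshold` distinct validator signatures, or (None, ()) if impossible.

    holds:     custodian -> validator ids whose keys it stores
    allowlist: custodian -> validator ids that sign automatically for it
    """
    allowlist = allowlist or {}
    reach = {c: set(v) | set(allowlist.get(c, ())) for c, v in holds.items()}
    names = sorted(reach)
    # Validators can be reachable through more than one custodian, so try
    # every group of size 1, 2, ... rather than a greedy pick.
    for k in range(1, len(names) + 1):
        for group in combinations(names, k):
            signers = set().union(*(reach[c] for c in group))
            if len(signers) >= threshold:
                return k, group
    return None, ()

# Constructed custody map. Only the Sky Mavis and AxieDAO rows come from the
# newsletter; the "independent-*" custodians are placeholders.
HOLDS = {
    "Sky Mavis": {"v1", "v2", "v3", "v4"},
    "AxieDAO": {"v5"},
    "independent-A": {"v6"},
    "independent-B": {"v7"},
    "independent-C": {"v8"},
    "independent-D": {"v9"},
}
# Assumption: the leftover allowlist entry lets Sky Mavis obtain v5's signature.
STALE_ALLOWLIST = {"Sky Mavis": {"v5"}}

def audit():
    """Fewest custodians to compromise under each setup discussed above."""
    return {
        "5/9 with allowlist": min_custodians_to_reach(5, HOLDS, STALE_ALLOWLIST)[0],
        "5/9 allowlist removed": min_custodians_to_reach(5, HOLDS)[0],
        "8/9 with allowlist": min_custodians_to_reach(8, HOLDS, STALE_ALLOWLIST)[0],
        "8/9 allowlist removed": min_custodians_to_reach(8, HOLDS)[0],
    }

if __name__ == "__main__":
    for setup, k in audit().items():
        print(f"{setup}: {k} custodian(s) must be compromised")
```

The number to review is the count of independent custodians, not the count of keys: under this model the 5/9 setup with the stale allowlist entry reduces to a single party.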
Secure and spend your crypto riches with Cash.Tech
In the same way that multi-signature wallets are ideal for publicly-owned assets, a secure cryptocurrency wallet with advanced functionalities is one of the best gifts you can give your cryptocurrency portfolio. The Cash.Tech Wallet offers a seamless experience, allowing for self-custodial ownership and access to store, send, and receive your favorite crypto assets (including NFTs).
Cash.Tech is already live on Mainnet for Android and iOS users. Android users can now access the app on the Google Play Store, with the iOS version coming to the Apple Store in the coming weeks! Apple users can access Cash.Tech via https://testflight.apple.com/join/In3h8jr9.