
How did a fake offer steal $540million from "axie infinity"?

2022-07-07 23:43:00 Safety brother

Original article: How did a fake offer steal US$540 million from "Axie Infinity"?

Before the article proper begins, you can review how Ronin, Axie Infinity's side chain, was attacked by hackers, as a warm-up.

Further reading: the biggest security incident of 2022 so far, a brief analysis of the Ronin cross-chain bridge attack

The key point of this incident is that funds can be transferred out if five of the nine validators approve. The attacker managed to obtain the encrypted private keys of five validators, which was enough to steal the crypto assets.

How did the attacker get those private keys? There are now new revelations about the incident.

Earlier this year, hackers deceived a senior engineer at Axie Infinity into applying for a job at a fictitious company, eventually causing Axie Infinity to lose US$540 million in cryptocurrency. Below are the details of the Axie Infinity hack as reported by The Block.

Few job-hunting experiences are as dramatic as that of the Axie Infinity senior engineer. His interest in joining a fictitious company eventually led to one of the largest hacks in the crypto industry.

Last November, the daily active users of the NFT game Axie Infinity once reached 2.7 million, and weekly trading volume reached US$214 million (both figures have since fallen sharply).

Then, this March, Ronin, the Ethereum side chain of the leading play-to-earn (P2E) blockchain game Axie Infinity, lost US$540 million in cryptocurrency. Although the US government later linked the incident to the North Korean hacking group Lazarus, the full details of how the attack was carried out were not disclosed. What actually brought Ronin down was a fake job advertisement. According to two people familiar with the matter, a senior engineer at Axie Infinity was tricked into applying for a position at a company that did not actually exist. The two people requested anonymity because of the sensitivity of the matter.

According to a person familiar with the matter, earlier this year people claiming to represent the fake company approached employees of Sky Mavis, the developer of Axie Infinity, via LinkedIn and WhatsApp, luring them with a new job opportunity. According to one source, after several rounds of interviews, a Sky Mavis engineer was offered a very well-paid job.

The fake offer was sent as a PDF file, which the engineer downloaded, allowing a Trojan to penetrate Ronin's systems. From then on, the hackers were able to attack and take over four of the nine validators on the Ronin network, leaving them one validator short of full control.

Sky Mavis analyzed the hack in a blog post published on April 27, which said: "Employees are under constant advanced spear-phishing attacks on various social channels, and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes."

(On how to prevent phishing attacks, see: Practical tips | Phishing sites "invade" Web3, anti-fraud skills you must learn!)

Validators perform various functions on the blockchain, including creating transaction blocks and updating data oracles. Ronin uses a so-called "proof of authority" system to sign transactions, concentrating power in the hands of nine trusted validators.

But after penetrating the Ronin system through the fake job advertisement, the hackers controlled only four of the nine validators, which meant they needed one more to control the Ronin system.

In its post-mortem analysis, Sky Mavis said the hackers completed the theft using Axie DAO (an organization that supports the game ecosystem). Sky Mavis had asked Axie DAO in November 2021 for help handling transaction load.

"Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked," Sky Mavis wrote in the blog post. "Once the attacker got access to Sky Mavis systems, they were able to get the signature from the Axie DAO validator."

A month after the hack, Sky Mavis increased the number of validator nodes to 11 and said in the blog post that its long-term goal is to exceed 100.

Three months after the attack, Chengdu Lian'an's continued monitoring of on-chain funds found that nearly 100% of the stolen funds had been transferred out of the Ronin Network attacker's address.

Axie Infinity also began returning user funds on June 28, and the Ronin Ethereum bridge, which was abruptly halted when the hack occurred, has also been restarted.

The attack on Axie Infinity nonetheless offers plenty of lessons, and Chengdu Lian'an gives the following suggestions for cross-chain bridge projects of this kind:

1. Pay attention to the security of the signing servers.

2. When a signing service goes offline, update the policy in a timely manner: shut down the corresponding service module and consider retiring the corresponding signing account address.

3. For multi-signature verification, the individual signing services should be logically isolated and each should independently verify the content it signs; it must not be possible for some validators to directly request signatures from other validators without verification.

4. The project team should monitor the project's funds for anomalies in real time.
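To make suggestions 2 and 3 concrete, here is an added Python model (not Sky Mavis's or Ronin's code) of a 5-of-9 threshold: a compromised party that holds four validator keys asks a fifth validator to sign through a stale allowlist, and the same request is made to a node that has revoked the delegation or independently verifies the deposit before signing. Validator names, keys, the "sky-mavis" delegation and the deposit ids are constructed; HMAC stands in for the real signature scheme.

```python
import hashlib, hmac, json

THRESHOLD = 5                       # 5 of 9 validator signatures release funds, as on Ronin
VALIDATORS = [f"validator-{i}" for i in range(1, 10)]
# Constructed stand-in keys; a real validator key belongs in an HSM/KMS, not a dict.
KEYS = {n: hashlib.sha256(f"constructed-key-{n}".encode()).digest() for n in VALIDATORS}

def sign(key: bytes, withdrawal: dict) -> str:
    """HMAC stands in for the validator's signature over the withdrawal message."""
    return hmac.new(key, json.dumps(withdrawal, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class SigningService:
    """One validator's signing endpoint (a model, not Ronin's code). `delegations` is the
    allowlist of other parties permitted to ask this node to sign on their behalf."""
    def __init__(self, name, delegations=(), independent_check=False, observed_deposits=()):
        self.name = name
        self.delegations = set(delegations)
        self.independent_check = independent_check
        self.observed_deposits = set(observed_deposits)   # deposits this node saw itself

    def revoke(self, party):
        """Suggestion 2: when a delegation is suspended, remove it from the allowlist."""
        self.delegations.discard(party)

    def request_signature(self, requester, withdrawal):
        if requester != self.name and requester not in self.delegations:
            return None                                   # requester is not on the allowlist
        if self.independent_check and withdrawal["deposit_id"] not in self.observed_deposits:
            return None                                   # suggestion 3: verify the claim yourself
        return sign(KEYS[self.name], withdrawal)

def threshold_reached(dao_node: SigningService) -> bool:
    """Compromised party holds four keys and sits inside 'sky-mavis', a party on the DAO node's allowlist."""
    forged = {"deposit_id": "no-such-deposit", "to": "0xconstructed", "amount": 1000}  # constructed
    sigs = {n: sign(KEYS[n], forged) for n in VALIDATORS[:4]}     # stolen keys sign anything
    fifth = dao_node.request_signature("sky-mavis", forged)         # the one signature still missing
    if fifth:
        sigs[dao_node.name] = fifth
    return len(sigs) >= THRESHOLD

def scenarios() -> dict:
    stale = SigningService("validator-5", delegations={"sky-mavis"})
    revoked = SigningService("validator-5", delegations={"sky-mavis"})
    revoked.revoke("sky-mavis")
    checking = SigningService("validator-5", delegations={"sky-mavis"},
                              independent_check=True, observed_deposits={"dep-1", "dep-2"})
    return {"stale_allowlist": threshold_reached(stale),
            "revoked_allowlist": threshold_reached(revoked),
            "independent_verification": threshold_reached(checking)}
```

Only the stale-allowlist node hands over the fifth signature; either revoking the suspended delegation or checking the deposit independently keeps the forged withdrawal below the threshold.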

Copyright notice
This article was written by [Safety brother]; please include the original link when reposting, thanks
https://yzsam.com/2022/188/202207072124474916.html