According to Sky Mavis, the creators of the blockchain NFT game Axie Infinity, the Ronin network has been attacked, and a hacker has managed to siphon 173,600 in ethereum and 25.5 million usd coin (USDC). The attacker has obtained roughly $620 million worth of crypto assets, and the Ronin bridge and Katana Dex have been paused.
Biggest NFT Blockchain Game Axie Infinity Suffers $620M Hack
The largest non-fungible token (NFT) blockchain game, Axie Infinity, suffered an attack on Tuesday after validators on the Ronin network were compromised. Sky Mavis, the company behind the Axie Infinity project, explained that validators were compromised as early as March 23.
The funds were drained in two transactions (transaction 1 and transaction 2) and Sky Mavis discovered the attack after a user complained that they could not withdraw 5,000 ether from the Ronin bridge.
“The attacker used hacked private keys in order to forge fake withdrawals,” Sky Mavis’ post-mortem statement reveals. While the Ronin Bridge and Katana Dex were arrested, Sky Mavis also said, “We are working with law enforcement officials, forensic cryptographers and our investors to ensure that all funds are recovered or refunded. All AXS, RON and SLP on Ronin are safe at this time.
The team further explained that the project uses nine validator nodes to run Ronin, and in order to deposit or withdraw, five out of nine are needed to process a transaction.
“The attacker managed to take control of Sky Mavis’ four Ronin validators and a third-party validator operated by Axie DAO,” Sky Mavis said. “The validator’s key scheme is configured to be decentralized to limit an attack vector, similar to this, but the attacker found a backdoor through our gasless RPC node, which he abused to gain the signature of the Axie DAO validator.”
What’s worse is that Sky Mavis notes that the attacker got away with it because of a change made back in November 2021, and they discontinued the “Axie DAO allowlisted” scheme the very next month.
However, “access to the allow list has not been revoked,” the team said, and Sky Mavis added that “once the attacker gained access to Sky Mavis systems, he been able to get the signature from the Axie DAO validator using gasless RPC”. Sky Mavis’ autopsy continued:
We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators.
The attack on Ronin is one of the biggest hacks against a crypto protocol this year, as it surpassed the attack on the Wormhole Bridge. This specific attack on the Wormhole Bridge resulted in the loss of $320 million, but the funds were replaced by Jump Crypto. Sky Mavis explained on Tuesday that the team was working with law enforcement to “ensure criminals are brought to justice”.
Moreover, the team is in the process of discussing with stakeholders and talking about how to make sure users are compensated. “Sky Mavis is here for the long term and will continue to build,” the team’s post mortem concludes.
