Axie Infinity Hacked For $625 Million, But No One Notices


A quick Google search tells me that the largest bank robbery in history took place in Baghdad, Iraq, where $282 million was stolen. It is suspected that it was an inside job, orchestrated by several bank guards. Meanwhile, the average bank robbery in America costs $6,500.

It’s easy to lose perspective when reading about these massive amounts of money in crypto. But against the real-world numbers above, it really stands out how big the latest hack in crypto is.

Axie Infinity is a blockchain-based trading and fighting game in which players can breed, raise and trade token-based creatures called Axies. It is one of the biggest success stories in crypto gaming; with a market cap of $3.9 billion, it is in the top 50 cryptos.

Last week, Axie was hacked for $625 million. And nobody noticed.

Goodbye $625 million

It was revealed yesterday that $625 million has been stolen from Ronin, the blockchain underlying Axie. While the theft was disclosed in a statement on Substack, the hack took place six days earlier. “There has been a security breach,” the statement begins. Yes, there certainly has.

The Ronin Bridge, which facilitates deposits and withdrawals, was exploited for 173,600 ETH (nearly $600 million) and $25.5 million in the USDC stablecoin. Importantly, Sky Mavis confirmed that the Axie NFT tokens (used to enter the Axie Infinity game), as well as the in-game currencies AXS and ALP, were safe. But it is a staggering case of negligence regarding the safekeeping of investor funds.

We spoke to Ahmad Duais, CEO of Battle Drones, an earning game on the Solana blockchain, to get some thoughts from the industry. He said: “Bridges are still an area of development. The GameFi model is such a revolution that in the near future we will all look back on it as a learning curve similar to the hacks that have taken place at the beginning of any innovation.”

How?

Sky Mavis, which runs both Axie Infinity and Ronin, stated that “the attacker used hacked private keys to fake recordings”. The attack was only discovered yesterday when a user was unable to withdraw 5,000 ETH ($17 million) from the bridge. The hacker had previously made two fake recordings.

In other words, a flaw in Sky Mavis’s code allowed the hacker to take control of Sky Mavis’s validators, which, along with third-party validators, gave the hacker the freedom to empty the treasury to the tune of more than $600 million. Not only did the developers of Sky Mavis drop the ball on the code, it took them almost a week to notice that they had a $600 million hole in their balance sheets.

Funds

It is the second largest crypto hack of all time, just after the Poly Network hack last summer, although that money was returned by the hacker. In this case, Ronin confirmed that they are “working with law enforcement officers, forensic cryptographers and our investors to ensure that all funds are recovered or refunded”. Whether they succeed or not, however, is an entirely different story; as of now, all players who deposited money into Ronin have lost everything.

Etherscan shows the location of the funds

Blockchain being blockchain, the location of the money can be seen at this point, with all $600 million worth of ETH nestled comfortably in the above wallet on the Ethereum blockchain.

The blockchain also makes it possible to include messages as part of transactions. If you dig through the hacker’s wallet, you can see that several investors who lost their money have desperately tried to appeal to any human side that may exist in the hacker.

A victim yells at the hacker on Etherscan

It’s also a stark reminder that, for all the progress DeFi has made, it remains a nascent industry laced with risk. It is heading to exciting places, but the journey can be rocky at times, as for any new industry. This week we saw over 600 million examples of this.
