According to Sky Mavis, makers of the blockchain NFT game Axie Infinity, the Ronin network has been attacked and a hacker has managed to transfer 173,600 ether and 25.5 million USD Coin (USDC). The attacker has acquired approximately $620 million in crypto assets, and the Ronin Bridge and Katana Dex are on hiatus.
The Biggest NFT Blockchain Game Axie Infinity Suffers a $620 Million Hack
The largest non-fungible token (NFT) blockchain game, Axie Infinity, suffered an attack on Tuesday after its Ronin network validators were compromised. Sky Mavis, the company behind the Axie Infinity project, explained that the validators had already been compromised on March 23.
The funds were moved out in two transactions, and Sky Mavis discovered the attack after a user complained that they were unable to withdraw 5,000 ether from the Ronin bridge.
“The attacker used hacked private keys to falsify fake recordings,” Sky Mavis’s post-mortem statement reveals. While the Ronin Bridge and Katana Dex have been shut down, Sky Mavis also said: “We are working with law enforcement, forensic cryptographers and our investors to ensure that all funds are recovered or refunded. All AXS, RON and SLP on Ronin are now safe.”
The team further explained that the project uses nine validator nodes to run Ronin, and that five of the nine are needed to process a deposit or withdrawal.
“The attacker managed to take control of the four Ronin Validators from Sky Mavis and an external validator from Axie DAO,” said Sky Mavis. “The validator key scheme was set up to be decentralized so it limits an attack vector similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they exploited to get the signature for the Axie DAO validator.”
What’s worse, Sky Mavis notes that the attacker was able to do this because of a change that was made in November 2021, and that the “Axie DAO admission list” was withdrawn the following month.
However, “access to the admission list was not revoked,” the team said, with Sky Mavis adding that “once the attacker gained access to Sky Mavis systems, they could get the signature of the Axie DAO validator by using the gas-free RPC.” Sky Mavis’ post mortem continued:
We have confirmed that the signature in the malicious recordings matches the five suspected validators.
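The five-of-nine quorum and the unrevoked signing access described above can be checked mechanically. The following is an added example, not code from Sky Mavis or Ronin: it flags any single operator whose own keys plus live signing grants reach the quorum. The validator labels, the four external operators and the `Delegation` record are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

THRESHOLD = 5  # signatures needed out of nine validators, per the article

@dataclass(frozen=True)
class Validator:
    name: str      # constructed label
    operator: str  # organisation whose systems hold the signing key

@dataclass(frozen=True)
class Delegation:
    validator: str  # validator whose signature may be requested
    grantee: str    # operator allowed to request it
    revoked: bool

# Constructed model: four Sky Mavis validators and one Axie DAO validator as
# reported; the remaining four operators are placeholders.
VALIDATORS = (
    [Validator(f"sm-{i}", "Sky Mavis") for i in range(1, 5)]
    + [Validator("axie-dao-1", "Axie DAO")]
    + [Validator(f"ext-{i}", f"external-{i}") for i in range(1, 5)]
)
# The signing access that the post mortem says was never revoked.
STALE_GRANT = Delegation("axie-dao-1", "Sky Mavis", revoked=False)

def reachable_signers(validators, delegations):
    """Map each operator to every validator signature it can obtain."""
    reach = {}
    for v in validators:
        reach.setdefault(v.operator, set()).add(v.name)
    for d in delegations:
        if not d.revoked:  # a live grant extends the grantee's reach
            reach.setdefault(d.grantee, set()).add(d.validator)
    return reach

def single_domain_findings(validators, delegations, threshold=THRESHOLD):
    """Operators whose compromise alone would yield a signing quorum."""
    reach = reachable_signers(validators, delegations)
    return {op: sorted(names) for op, names in reach.items()
            if len(names) >= threshold}

if __name__ == "__main__":
    print(single_domain_findings(VALIDATORS, [STALE_GRANT]))
    print(single_domain_findings(VALIDATORS, [replace(STALE_GRANT, revoked=True)]))
```

With the grant still live, one operator is reported with five reachable signers; once the grant is marked revoked, no operator reaches the quorum.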
The attack on Ronin is one of the biggest hacks against a crypto protocol this year, as it surpassed the attack on the Wormhole Bridge. That particular attack on the Wormhole Bridge resulted in a loss of $320 million, but the funds were replaced by Jump Crypto. Sky Mavis explained on Tuesday that the team is working with law enforcement to “make sure the criminals are brought to justice”.
In addition, the team is in discussion with stakeholders about how to ensure that users are compensated. “Sky Mavis is here for the long haul and will continue to build,” the team’s post mortem concluded.
Jamie Redman is the news leader at Bitcoin.com News and a financial tech journalist living in Florida. Redman has been an active member of the cryptocurrency community since 2011. He has a passion for Bitcoin, open source code and decentralized applications. Since September 2015, Redman has written more than 5,000 articles for Bitcoin.com News about the disruptive protocols emerging today.