Hackers have stolen more than $600 million in cryptocurrencies from a gaming-focused blockchain in a heist described as “one of the bigger hacks in history.”
The hackers made off with millions of dollars' worth of Ethereum and USD Coin from Ronin, the blockchain underlying the popular crypto game Axie Infinity, developed by Vietnamese studio Sky Mavis.
Ronin said it is working with law enforcement officials, forensic cryptographers, and investors to recover or reimburse all of the stolen funds, and added that “all of the AXS, RON, and SLP on Ronin are safe right now,” referring to other tokens used in the game.
According to Ronin’s March 29 blog post, the validator nodes for Sky Mavis—the operator of Ronin and Axie Infinity—and for Axie DAO (a decentralized autonomous organization) were compromised on March 23.
Ronin said the attacker used “hacked private keys in order to forge fake withdrawals” and that Ronin discovered the attack the morning of March 29 after a user reported being unable to withdraw Ethereum funds from the bridge, which connects Axie Infinity to other blockchains such as Ethereum.
Sky Mavis’ Ronin chain has nine validator nodes, Ronin stated.
“In order to recognize a deposit event or a withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO,” Ronin said.
While the nine validator nodes are set up to be decentralized to limit such attacks, Ronin said the attacker “found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
The Ronin bridge and Katana Dex, the Ronin decentralized exchange, have also been halted as a security measure as investigations continue.
Ronin noted that the attack was in part made possible due to an action the company took in November 2021, when “Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load.”
“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked,” the company said.
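The two quoted passages describe a 5-of-9 validator threshold and an allowlist that let one operator sign on another validator's behalf after the arrangement had ended. The following Python model is an added example, not code from Ronin or Sky Mavis, that shows the defender-side check such a setup needs: count how many validator signatures each party can produce once active delegations are included, and flag any single party that can reach the threshold alone. The validator and operator names, the hypothetical independent operators, and the delegation records are all constructed for the illustration.

```python
from dataclasses import dataclass

# Five of nine validator signatures approve a withdrawal, per the Ronin post.
THRESHOLD = 5


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # party that holds this validator's signing key


@dataclass(frozen=True)
class Delegation:
    validator: str  # validator whose signature the delegate may produce
    delegate: str   # party allowlisted to sign on that validator's behalf
    active: bool    # whether the allowlist entry is still honoured


# Constructed nine-validator set: four run by Sky Mavis, one by the Axie DAO,
# and four attributed to hypothetical independent operators (names invented).
VALIDATORS = [
    Validator("sky-mavis-1", "Sky Mavis"),
    Validator("sky-mavis-2", "Sky Mavis"),
    Validator("sky-mavis-3", "Sky Mavis"),
    Validator("sky-mavis-4", "Sky Mavis"),
    Validator("axie-dao-1", "Axie DAO"),
    Validator("independent-1", "Operator A"),
    Validator("independent-2", "Operator B"),
    Validator("independent-3", "Operator C"),
    Validator("independent-4", "Operator D"),
]

# The November 2021 allowlist, modelled two ways: left in place after the
# arrangement ended (stale), and properly revoked.
STALE_ALLOWLIST = [Delegation("axie-dao-1", "Sky Mavis", active=True)]
REVOKED_ALLOWLIST = [Delegation("axie-dao-1", "Sky Mavis", active=False)]


def controlled_validators(party, validators, delegations):
    """Validators whose signature `party` can produce, directly or via an
    active delegation. Delegations that were revoked do not count."""
    direct = {v.name for v in validators if v.operator == party}
    delegated = {d.validator for d in delegations
                 if d.active and d.delegate == party}
    return direct | delegated


def single_party_risks(validators, delegations, threshold=THRESHOLD):
    """Map each party that can reach the threshold on its own to the number
    of signatures it controls. An empty result means no single key-holder
    (and therefore no single compromise) can authorise a withdrawal."""
    parties = {v.operator for v in validators} | {d.delegate for d in delegations}
    risks = {}
    for party in parties:
        count = len(controlled_validators(party, validators, delegations))
        if count >= threshold:
            risks[party] = count
    return risks


def withdrawal_approved(signers, validators, threshold=THRESHOLD):
    """Threshold check as a bridge would apply it: count distinct, known
    validators among the signers and compare with the threshold."""
    known = {v.name for v in validators}
    distinct = set(signers) & known
    return len(distinct) >= threshold


if __name__ == "__main__":
    print("stale allowlist  :", single_party_risks(VALIDATORS, STALE_ALLOWLIST))
    print("revoked allowlist:", single_party_risks(VALIDATORS, REVOKED_ALLOWLIST))
    signers = sorted(controlled_validators("Sky Mavis", VALIDATORS, STALE_ALLOWLIST))
    print("Sky Mavis signatures with stale allowlist:", signers,
          "-> approved:", withdrawal_approved(signers, VALIDATORS))
```

Run as a script, the model reports Sky Mavis at five controllable signatures while the stale allowlist is honoured and nothing at all once it is revoked. The point for operators of any threshold-signature scheme is that the nominal 5-of-9 figure says nothing about how many independent key custodians must be compromised; a periodic audit of `single_party_risks`, with every delegation and allowlist entry fed in, is what keeps the effective threshold equal to the intended one.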
Ronin is currently in discussions with Axie Infinity and Sky Mavis stakeholders regarding the next steps and how to “ensure no users’ funds are lost.”