Hackers have stolen more than $600 million in cryptocurrencies from a gaming-focused blockchain in a heist described as “one of the bigger hacks in history.”
The hackers made off with millions of dollars worth of Ethereum and USD Coin from Ronin, the blockchain underlying the popular crypto game Axie Infinity, developed by Vietnamese studio Sky Mavis.
According to its website, Axie Infinity uses “cutting edge technology called Blockchain to reward players for their engagement” and the fully player-owned economy allows players to “seamlessly sell and trade their game assets for digital currency.”
Axie Infinity’s Ronin network said in a blog post on March 29 that it lost 173,600 ethers (Ethereum tokens), which are worth about $589 million, and $25.5 million of USD coin, which is considered a “stablecoin” and is pegged to the U.S. dollar.
Blockchain data platform Chainalysis is tracking the funds on Ronin’s behalf.
Ronin said it is working with law enforcement officials, forensic cryptographers, and investors to recover or reimburse all of the stolen funds, and added that “all of the AXS, RON, and SLP on Ronin are safe right now,” referring to other tokens used in the game.
According to Ronin’s March 29 blog post, the validator nodes for Sky Mavis—the operator of Ronin and Axie Infinity—and for Axie DAO (a decentralized autonomous organization) were compromised on March 23.
Ronin said the attacker used “hacked private keys in order to forge fake withdrawals” and that Ronin discovered the attack the morning of March 29 after a user reported being unable to withdraw Ethereum funds from the bridge, which connects Axie Infinity to other blockchains such as Ethereum.
Sky Mavis’ Ronin chain has nine validator nodes, Ronin stated.
“In order to recognize a deposit event or a withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO,” Ronin said.
While the nine validator nodes are set up to be decentralized to limit such attacks, Ronin said the attacker “found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
The Ronin bridge and Katana Dex, the Ronin decentralized exchange, have also been halted as a security measure as investigations continue.
Ronin noted that the attack was in part made possible due to an action the company took in November 2021, when “Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load.”
“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked,” the company said.
Ronin is currently in discussions with Axie Infinity and Sky Mavis stakeholders regarding the next steps and how to “ensure no users’ funds are lost.”
During a keynote address at the NFT LA conference in Los Angeles on March 29, Axie Infinity co-founder Jeff Zirlin said “it is one of the bigger hacks in history,” CNN reported.
The amount stolen in the latest attack is similar to that taken in August 2021 in a major hack on decentralized finance platform Poly Network, which at the time was one of the biggest ever digital coin heists. The hacker later returned the stolen funds.