Axie Infinity under severe loss
Ronin, the blockchain that underpins the famous crypto game Axie Infinity, has had $625 million worth of cryptocurrency stolen. Sky Mavis, the CEO of Ronin and Axie Infinity, announced the hack on Tuesday and halted all transactions on the Ronin bridge, which allows users to deposit and withdraw funds from the company’s blockchain.
Sky Mavis claims it’s collaborating with law authorities to recover 173,600 Ethereum (now valued at over $600 million) and 25.5 million USDC (a cryptocurrency tied to the US dollar) from the perpetrator, who removed the funds of the network on March 23rd. The hack targeted Sky Mavis’ Ronin network, which acts as a middleman between Axie Infinity and other cryptocurrency blockchains such as Ethereum.
Axie Infinity private security keys exposed
According to Sky Mavis, an attacker compromised the network nodes that validate transactions to and from the Ronin blockchain by using pirated private security keys. As a result, the attacker was able to withdraw substantial amounts of Ethereum and USDC in a stealthy manner. Another user attempted to withdraw 5,000 Ethereum using the bridge today, nearly a week after the transfer was found.
“AS WE HAVE SEEN, RONIN IS NOT IMPOSSIBLE TO EXPLOITATION.”
Sky Mavis claims that neither the “axie” NFT tokens required to enter Axie Infinity nor the SLP and AXS in-game cryptocurrencies used to battle and breed the pokémon-like cartoon axolotls have been hacked. However, the suspension of withdrawals and deposits effectively excludes many new players, and the attack raises questions about the status of other user cash on the Ronin blockchain. Sky Mavis says it’s “working with law enforcement officials, forensic cryptographers, and our investors to ensure there is no loss of user funds,” and that it’s a “high priority” for the company.
How do Validator nodes work?
Proof-of-stake blockchains, such as Ronin, have validator nodes that are less energy-intensive than proof-of-work systems like Bitcoin and Ethereum. New transactions are reviewed by the nodes to ensure that their inputs and outputs match and that authorization signature are genuine, and any transactions that do not conform are rejected. Using fewer nodes is faster and more efficient, but as the breach demonstrates, if a majority of the nodes are compromised, security issues arise. It’s a possible flaw for blockchains that are marketed as being less expensive and more environmentally friendly than Ethereum.
Axie Infinity blockchain hacker attack
The Ronin attack, according to Sky Mavis, was made possible in part by a shortcut taken by the company in November of last year to relieve an “immense user load” on its network, months after the game exploded in popularity in the Philippines and other countries where players relied on it as a full-time job. The system was shut down in December, but the rights that made it possible were never taken away. The attacker compromised four of Sky Mavis’ own nodes in addition to gaining access to one controlled by the community-owned Axie DAO. The attacker could easily override any transaction security and withdraw any funds they wanted after compromising five of the nine validator nodes.
Sky Mavis says the required number of nodes for transactions will be increased to eight, and the Ronin bridge will be reopened “at a later date” once it is satisfied that no more funds may be drained. For the time being, the Ronin hack appears to be the greatest “decentralized finance” network heist to date, following a $322 million stolen from the Wormhole bridge protocol last month.