Axie Infinity Falls Victim to Hack on Its Ronin Network, $625 Million Stolen

Acclaimed NFT game Axie Infinity became the latest victim of a hack which led to the loss of around $625 million worth of cryptocurrency from its Ethereum sidechain Ronin. On Tuesday, Axie Infinity developer and operator Sky Mavis reported that the hack was conducted on March 23, but evidence of the activity was only found fairly recently after a user attempted to withdraw 5,000 ETH from Ronin.

The hacker was able to siphon 173,600 Wrapped Ethereum (WETH) and 25.5 million in USDC Stablecoin — close to $597 million and $25.5 million, respectively — after utilizing “hacked private keys” to forge transactions. However, most of the funds that were taken are currently still in the hacker’s wallet. Transactions on the Ronin network have since been frozen.

The Ronin network serves as an intermediary between the prominent game and other blockchains where users can deposit Ethereum or USDC to purchase in-game currency and NFTs. It also allows the selling of in-game assets, hence, users can likewise withdraw money from the network.

There are currently nine network nodes on the Ronin blockchain, five of which were compromised — four operated by Sky Mavis and one operated by Axie DAO — which is the threshold for validating transactions on the Ronin blockchain. “The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” stated the report.

“This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load,” added the report, noting that this was when the game experienced a massive influx of players following its popularity in the Philippines and other countries. “The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”

A similar tactic was utilized just last month after $322 million was stolen from Wormhole — a bridge between Ethereum and Solana. Jeff Zirlin, Axie Infinity co-founder, regarded the incident to be “one of the bigger hacks in history.” Zirlin affirmed, however, that “there’s a chance that they can be identified and brought to justice,” since some of the stolen funds have already been transferred from the hacker’s wallet to other exchanges.

In an effort to tighten its security, Sky Mavis has asserted that it will increase the required number of nodes from five to eight before validating transactions. The Ronin bridge is also expected to reopen “at a later date.” For now, the company assured that the remaining funds — including Axie Infinity (AXS), Smooth Love Potion (SLP), and Ronin’s governance token RON — on the network are currently safe.

Sky Mavis has already requested the support of law enforcement, Chainalysis forensic cryptographers, and even its own investors to address the issue. “As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” it announced. “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”

Sources: Decrypt, The Verge