Hackers have stolen $622 million from the ‘Ronin’ blockchain network that powers the popular NFT-based online game, Axie Infinity.
Developed by Vietnamese studio Sky Mavis, Axie Infinity allows players to collect and mint NFTs to claim ownership of axolotl-inspired virtual pets called “Axies.”
As reported by Fortune, the perpetrators targeted the Ronin Network and walked away with 173,600 Ethereum (ETH) and 25.5 million USD Coins (USDC), which combined are worth hundreds of millions.
Ronin confirmed the breach in a post on social media and said it’s “working with law enforcement officials, forensic cryptographers, and our investors to make sure that all funds are recovered or reimbursed.”
Outlining how the theft took place, Ronin said the attacker used hacked private keys to forge fake withdrawals, and that it was made aware of the breach after a user reported being unable to withdraw 5,000 ETH.
“Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO,” reads the Ronin statement.
“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.
“This traces back to November 2021 when the Axie DAO validator was allowlisted to distribute free transactions. This was discontinued in December 2021, but the Axie DAO validator IP was still on the allowlist. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.
“We have confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.”
In response, Ronin said it “moved swiftly to address the incident” and is currently taking steps to guard against future attacks. To prevent further short-term damage, the company has increased the validator threshold from five to eight, and has also temporarily paused the Ronin Bridge — which enables transactions — to ensure no attack vectors remain open.
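The statement's numbers can be checked with a short quorum audit. The Python below is an added example, not code from Ronin or Sky Mavis: it counts how many distinct operators must be compromised before the signature threshold is met, treating the leftover allowlist entry as delegated signing access. The validator names and the assumption that the other four validators each have a separate operator are constructed for illustration.

```python
from itertools import combinations

# Constructed model of the 9-validator set in the Ronin statement.
# Only the Sky Mavis (4) / Axie DAO (1) split comes from the statement;
# the remaining four operators are placeholders assumed to be independent.
VALIDATORS = {
    "sm-1": "Sky Mavis", "sm-2": "Sky Mavis",
    "sm-3": "Sky Mavis", "sm-4": "Sky Mavis",
    "axie-dao": "Axie DAO",
    "ext-1": "Operator A", "ext-2": "Operator B",
    "ext-3": "Operator C", "ext-4": "Operator D",
}

# Operator -> validators it can obtain signatures from without holding
# their keys (here: the allowlist entry that was never removed).
DELEGATIONS = {"Sky Mavis": {"axie-dao"}}


def reachable_signatures(compromised, validators, delegations):
    """Validators whose signature is obtainable once `compromised` operators fall."""
    sigs = {v for v, op in validators.items() if op in compromised}
    for op in compromised:
        sigs |= delegations.get(op, set())
    return sigs


def min_operators_to_forge(threshold, validators, delegations):
    """Smallest set of operators whose compromise reaches the threshold."""
    operators = sorted(set(validators.values()))
    for k in range(1, len(operators) + 1):
        for combo in combinations(operators, k):
            sigs = reachable_signatures(set(combo), validators, delegations)
            if len(sigs) >= threshold:
                return k, combo
    return None  # threshold cannot be reached at all


if __name__ == "__main__":
    cases = [("5-of-9, stale allowlist entry", 5, DELEGATIONS),
             ("5-of-9, allowlist cleaned up", 5, {}),
             ("8-of-9, stale allowlist entry", 8, DELEGATIONS)]
    for label, threshold, delegations in cases:
        k, combo = min_operators_to_forge(threshold, VALIDATORS, delegations)
        print(f"{label}: {k} operator(s) suffice, e.g. {combo}")
```

Under these assumptions, the 5-of-9 scheme with the leftover allowlist entry reduces to a single point of failure, while removing the entry or raising the threshold to eight forces an attacker to breach additional independent operators.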
You can learn more about the breach by checking out the Ronin Newsletter.