Hackers stole more than $625 million worth of cryptocurrency from the famous NFT game Axie Infinity. Ronin along with Axie Infinity operator Sky Mavis discovered that the breaches occurred on Monday. Sky Mavis stopped all transactions through Ronin bridge. Ronin bridge permits the deposit and withdrawal of cash from its blockchain.
Axie Infinity is one of the most popular NFT games which requires players who are new to the game to buy three Axies the game’s inside-game NFT characters. They cost anywhere between a few hundred hundreds of thousands based on their rarity as well as their characteristics. There are also P2E NFT platforms that do not charge upfront costs. That means that you don’t have to spend money to start the games.
Sky Mavis behind the wildly popular Axie Infinity game of crypto said it would reimburse players who were unable to access their funds following the hacker attack that have stolen more than 600 million dollars from a blockchain system that is the basis of the game.
Here’s the official statement from Sky Mavis about hackers stole $600 million worth of cryptocurrency:
“There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.”
More details:
- Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.
- The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.
- This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allow listed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allow list access was not revoked.
- Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.
- We have confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.
Steps for fixing this case:
- We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short-term damage, we have increased the validator threshold from five to eight.
- We are in touch with security teams at major exchanges and will be reaching out to all in the coming days.
- We are in the process of migrating our nodes, which are completely separated from our old infrastructure.
- We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained.
- We have temporarily disabled Katana DEX due to the inability to arbitrage and deposit more funds to Ronin Network.
- We are working with Chainalysis to monitor the stolen funds.
Sky Mavis working on this case and wants to long-term relationship between users and stakeholders.