According to Sky Mavis, the creators of the blockchain NFT game Axie Infinity, the Ronin network has been attacked, and a hacker has managed to siphon 173,600 ethereum and 25.5 million USD Coin (USDC). The attacker has obtained roughly $620 million worth of crypto assets, and the Ronin bridge and Katana Dex have been paused.
The Largest NFT Blockchain Game Axie Infinity Suffers From a $620 Million Hack
The largest non-fungible token (NFT) blockchain game, Axie Infinity, suffered an attack on Tuesday after the Ronin network validators were compromised. Sky Mavis, the company behind the Axie Infinity project, explained that the validators were compromised as early as March 23.
The funds were drained in two transactions (transaction 1 and transaction 2) and Sky Mavis discovered the attack after a user complained that they could not withdraw 5,000 ether from the Ronin bridge.
“The attacker used hacked personal keys to forge fake withdrawals,” Sky Mavis’s post-mortem statement reveals. Sky Mavis stated that the Ronin bridge has been closed and Katana Dex was stopped. However, the company also stated: “We are working closely with law enforcement officials and forensic cryptographers to ensure all funds are recovered and reimbursed. All AXS, SLP and RON on Ronin are now safe.”
The team explained that Ronin uses nine validator nodes and that five of the nine are required to process transactions.
“The attacker gained control of Sky Mavis’s Ronin Validators as well as a third-party validator operated by Axie DAO,” Sky Mavis stated. “The validator key scheme was designed to be distributed so it limits an attack vector. However, the attacker discovered a backdoor through our gas-free RPC node. This they used to obtain the signature for the Axie DAO validator.”
What’s worse is that Sky Mavis notes that the attacker got away with it because of a change made back in November 2021, and they discontinued the “Axie DAO allowlisted” scheme the very next month.
The team stated that the “allowlist access” was not revoked, and Sky Mavis said that once the attacker gained access to Sky Mavis systems, they were able “to get the signature of the Axie validator using the gas-free RPC.”
“We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators.”
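The five-of-nine threshold and the unrevoked allowlist described above can be checked mechanically before an incident. The following Python audit is an added example, not code from Sky Mavis or from this article; the validator IDs, the operator split, the placeholder operator names, the day-of-month values and the Grant model are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

THRESHOLD = 5  # signatures required out of nine validators, per the article

# Constructed validator set. Operators other than Sky Mavis and Axie DAO are
# placeholders; the 4/1/4 split is an assumption that fits the article's totals.
VALIDATORS = {
    "v1": "sky-mavis", "v2": "sky-mavis", "v3": "sky-mavis", "v4": "sky-mavis",
    "v5": "axie-dao",
    "v6": "operator-a", "v7": "operator-b", "v8": "operator-c", "v9": "operator-d",
}

@dataclass
class Grant:
    """grantee may request signatures from every validator run by grantor."""
    grantor: str
    grantee: str
    needed_until: date            # when the reason for the grant ended
    revoked: Optional[date] = None

    def active(self, today: date) -> bool:
        return self.revoked is None or self.revoked > today

# Months come from the article; the day of month is constructed.
GRANTS = [Grant("axie-dao", "sky-mavis", needed_until=date(2021, 12, 1))]

def reachable_keys(operator, validators, grants, today):
    """Validators whose signatures follow from compromising one operator."""
    trusted = {operator} | {g.grantor for g in grants
                            if g.grantee == operator and g.active(today)}
    return sorted(v for v, op in validators.items() if op in trusted)

def stale_grants(grants, today):
    """Grants still active after the need for them has passed."""
    return [g for g in grants if g.active(today) and g.needed_until <= today]

def audit(validators, grants, threshold, today):
    """Operators whose compromise alone reaches the signing threshold."""
    hits = {}
    for op in sorted(set(validators.values())):
        keys = reachable_keys(op, validators, grants, today)
        if len(keys) >= threshold:
            hits[op] = keys
    return hits

if __name__ == "__main__":
    day = date(2022, 3, 23)
    print("single points of failure:", audit(VALIDATORS, GRANTS, THRESHOLD, day))
    print("stale grants:", stale_grants(GRANTS, day))
```

With the grant still active, one operator reaches the threshold on its own; recording a revocation date on the grant clears both findings.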
The attack against Ronin is one of the largest hacks against a crypto protocol this year, as it surpassed the attack against the Wormhole bridge. That specific attack against the Wormhole bridge saw the loss of $320 million, but the funds were replaced by Jump Crypto. Sky Mavis stated Tuesday that the team was working with law enforcement to “ensure that the criminals get prosecuted.”
The team is currently in discussions with stakeholders about how to ensure users are paid. The team concludes its post mortem by saying that Sky Mavis is here to stay and will continue building.
Jamie Redman
Jamie Redman, the News Lead at Bitcoin.com News, is a Florida-based financial journalist. Redman has been an active member of the cryptocurrency community since 2011. Redman is passionate about Bitcoin, open-source codes, and decentralized applications. Since September 2015, Redman has written more than 5,000 articles for Bitcoin.com News about the disruptive protocols emerging today.