A cryptocurrency affiliated with the popular free-to-play blockchain game Axie Infinity has been hacked in one of the largest crypto heists in history.
The Ronin network is a blockchain launched in February 2021 to make interacting with the Ethereum-based Axie Infinity a little less costly. Whereas doing anything at all on Ethereum costs fees, Ronin allows 100 free transactions per day, per user. Axie Infinity is popular in the Philippines, for example, where users work playing the game in exchange for tokens, often on behalf of individuals or firms that may employ dozens or hundreds of so-called “scholars.”
In a blog post published on Tuesday, Ronin revealed it had fallen victim to a security breach that has drained half a billion dollars in crypto.
Hackers were able to exploit the Ronin bridge and make off with 173,600 ETH (worth about $591,242,019) and $25.5 million worth of the stablecoin USDC in two separate transactions by taking over the blockchain's validator nodes. Validator nodes verify and approve transactions in Ronin’s Proof-of-Authority (PoA) model, which differs from the decentralized mining and approval process employed by Bitcoin. Ronin has nine validator nodes, five of which were needed to approve any particular deposit or withdrawal.
According to the blog, the hackers “used hacked private keys in order to forge fake withdrawals.” The attackers found a backdoor in the gas-free RPC node run by Sky Mavis―the company that owns Axie Infinity―allowing them to gain control over a validator node linked to the Axie DAO after it helped Sky Mavis distribute free transactions in November 2021 during an overload of users, according to the Ronin blog post. With Axie DAO’s validator node and the four controlled by Sky Mavis, the attackers were able to approve the two transactions.
Going forward, the company will up the threshold for validator node consensus to eight out of nine as well as eventually increasing the number of validators as well. Sky Mavis is also working with Chainalysis, security teams at major changes, and "law enforcement officials, forensic cryptographers, and our investors" to recover funds or reimburse them. The Ronin bridge as well as the decentralized exchange connected to it (Katana DEX) have both been deactivated for now.
“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” the Ronin team said in the blog post. “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”
“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now,” the blog states.
This isn’t likely to be the last of Sky Mavis’ woes. For the past few months, Axie Infinity has been struggling as its tokens and NFTs have fallen dramatically in price, strangling the in-game economy and forcing drastic changes in a desperate bid to prevent a collapse.