Axie Infinity’s Ronin Bridge Hacked For $625M Exploit

The largest and latest crypto hack has targeted a gaming-focused blockchain network that supports the popular video game Axie Infinity.

According to gaming-focused Ronin Network, the Ronin bridge and Katana Dex have been halted after suffering an exploit for 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC), worth in excess of US$625 million combined.

The exploit affected Ronin Network validator nodes for Sky Mavis, the developer of Axie Infinity and Ronin ecosystems.

How?

Million-dollar question – how did the transgressor pull off one of the biggest thefts in DeFi history?

According to a blog post published by the Ronin Network’s official Substack, the attacker used hacked private keys in order to forge fake withdrawals, draining the funds from the Ronin bridge in just two transactions. While the Ronin sidechain has nine validators requiring five signatures for withdrawals and is meant to protect against these types of attacks, the blog post notes that “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
NFT-based battler

Background:

Last November, Sky Mavis requested help from the Axie DAO to distribute free transactions due to a surge in the number of users. The Axie DAO then whitelisted Sky Mavis to sign various transactions on its behalf, and the process was discontinued in December. However, access to the whitelist was not revoked. Once the attacker obtained access to Sky Mavis systems, they acquired the final signature from the Axie DAO validator, thereby completing the node threshold required for the siphoning of funds.

Latest Updates:

The majority of the funds remain in the attacker’s address, though 6,250 ETH has been transferred to various other addresses.

Ronin Network is currently in the process of conducting a thorough investigation; working with Chainalysis to monitor the stolen funds and Crowdstrike to handle forensics and the setup of surveillance tools. At this point they are certain that this was an external breach; “All evidence points to this attack being socially engineered, rather than a technical flaw.”

“We are committed to ensuring that all of the drained funds are recovered or reimbursed, and we are continuing conversations with our stakeholders to determine the best course of action,”

The Ronin Bridge and the Katana automated market maker (AMM) have both been paused while investigations are ongoing.

About Axie Infinity

Axie Infinity claimed 1.8 million daily users last year, and broke $4 billion in lifetime NFT sales earlier this year. One of the biggest success stories of crypto gaming, Axie Infinity is widely known as a play-to-earn game, although the barriers to entry can be quite high. The NFT-based battler is similar to Pokémon in that players build teams of Axies and use them to battle other players, and each Axie is a unique tradable NFT.

Axie Infinity is widely known as a play-to-earn game, although the barriers to entry can be quite high. To even begin playing, new players need at least three Axies, which would cost over $1,000 to acquire. PPlayers earn smooth love potion (SLP) tokens as rewards, which can then be redeemed for in-game features such as breeding new Axies. The lucrative earnings from SLP have created a so-called ‘economy’ over the past two years and has even become the main source of income for some communities in the Philippines.