Axie Infinity's dedicated sidechain, the Ronin Network, suffered an exploit of 173,600 Ether and 25.5M USDC. This brings the total stolen from the top play-to-earn platform attached to the Ethereum blockchain to approximately $617 million as of the time of this writing.
To put this figure into perspective, according to data from The Block Research, the Decentralized Finance (DeFi) space lost a little over $610 million to exploits in all of 2021. $355 million (58.20%) was lost to flash loan attacks, while the remaining $255 million (41.80%) was lost through other methods, such as exploiting a bug in a given protocol.
This makes it the largest exploit in the entire cryptocurrency space, surpassing the $611 million lost in the Poly Network hack. Although the Poly Network hacker returned the stolen funds, it is still unclear whether the Ronin team will be able to recover theirs.
What you should know
- Sky Mavis is the company behind the Axie Infinity game and the Ronin sidechain. It is led by CEO Trung Nguyen.
- In a statement, the Ronin team said they are “currently working with law enforcement officials, forensic cryptographers and our investors to make sure that all funds are recovered or reimbursed. All of the AXS, RON and SLP [tokens] on Ronin are safe right now.”
- According to the team, the attacker used compromised private keys to forge withdrawals from the bridge.
- The team explained that they discovered the attack in the early hours of the day, after a report from a user who was unable to withdraw 5,000 ETH ($17 million) from the bridge.
- The Ronin chain currently consists of nine validator nodes. To recognize a deposit or a withdrawal on the chain, five of the nine validator signatures are needed. The attacker gained control over Sky Mavis's four Ronin validators and a third-party validator run by Axie DAO.
- According to the report, the validator key scheme is set up to be decentralized precisely to limit attack vectors such as the one the network has now experienced.
- However, the attacker found a backdoor through the network's gas-free RPC (Remote Procedure Call) node, which they abused to obtain the signature of the Axie DAO validator.
- The team explained that the hack traces back to November 2021, when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load.
- The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. Although this arrangement was discontinued in December 2021, the allowlist access was never revoked.
- Once the attacker had access to Sky Mavis's systems, they were able to obtain the signature of the Axie DAO validator through the gas-free RPC.
- The team confirmed that the signatures on the malicious withdrawals match those of the five suspected validators.
- The team stated it began immediately to address the incident once it became known and is, “actively taking steps to guard against future attacks. To prevent further short-term damage, we have increased the validator threshold from five to eight.”
- The team stated that they are in touch with security teams at major exchanges and will be reaching out to all of them in the coming days. They also stated that they are in the process of migrating to new nodes, which are completely separated from their old infrastructure.
- They have also temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. The team further stated, “Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained.”
- They have temporarily disabled the Katana DEX as well, since it is currently impossible to arbitrage or deposit more funds on the Ronin Network. They concluded by stating that they are working with Chainalysis and various government agencies to monitor the stolen funds and ensure the criminals are brought to justice.
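The bullets above describe a 5-of-9 validator threshold and a signing delegation that was never revoked. The following toy model, added here and not Sky Mavis or Ronin code, shows why that combination matters from a defender's standpoint: with a stale delegation in place, control of four keys is enough to reach the threshold, while revoking the delegation or raising the threshold to eight (as the team did) leaves the same set of keys short. Validator names, the HMAC-based toy signatures that stand in for real ECDSA signatures, the withdrawal message and the audit helper are all constructed for this illustration.

```python
# Added example, not Sky Mavis or Ronin code: a toy m-of-n validator check
# for bridge withdrawals plus an audit of stale signing delegations.
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed validator set: four operator keys, one DAO key, four others.
VALIDATORS = ["skymavis-1", "skymavis-2", "skymavis-3", "skymavis-4",
              "axie-dao", "third-party-1", "third-party-2",
              "third-party-3", "third-party-4"]

# Constructed toy keys; real validator keys never live in source like this.
KEYS = {v: hashlib.sha256(f"toy-key-{v}".encode()).digest() for v in VALIDATORS}


def sign(validator: str, withdrawal: str) -> str:
    """Toy signature: HMAC-SHA256 over the withdrawal under the validator's key."""
    return hmac.new(KEYS[validator], withdrawal.encode(), hashlib.sha256).hexdigest()


@dataclass
class Bridge:
    threshold: int = 5
    # delegator -> {delegate, ...}: each delegate may obtain the delegator's
    # signature on request (the "allowlist" described in the report).
    allowlist: dict = field(default_factory=dict)

    def allow(self, delegator: str, delegate: str) -> None:
        self.allowlist.setdefault(delegator, set()).add(delegate)

    def revoke(self, delegator: str, delegate: str) -> None:
        self.allowlist.get(delegator, set()).discard(delegate)

    def verify(self, withdrawal: str, sigs: dict) -> bool:
        """Accept only if `threshold` distinct validators validly signed it."""
        valid = {v for v, s in sigs.items()
                 if v in KEYS and hmac.compare_digest(s, sign(v, withdrawal))}
        return len(valid) >= self.threshold


def reachable_signatures(bridge: Bridge, withdrawal: str, held: set) -> dict:
    """Signatures obtainable by whoever holds the keys in `held`: their own,
    plus every delegator that still allowlists one of those keys."""
    sigs = {v: sign(v, withdrawal) for v in held}
    for delegator, delegates in bridge.allowlist.items():
        if delegates & held:
            sigs[delegator] = sign(delegator, withdrawal)
    return sigs


def stale_delegations(bridge: Bridge, still_needed: set) -> list:
    """Audit helper: delegations whose purpose ended but were never revoked."""
    return [(d, g) for d, gs in bridge.allowlist.items() for g in gs
            if (d, g) not in still_needed]


def scenario() -> dict:
    """Walk through the threshold math under each configuration."""
    bridge = Bridge(threshold=5)
    bridge.allow("axie-dao", "skymavis-1")   # delegation from the free-tx period
    held = {"skymavis-1", "skymavis-2", "skymavis-3", "skymavis-4"}
    w = "withdraw:173600 ETH:to:0xCONSTRUCTED-ADDRESS"   # constructed message
    out = {}
    # Four keys alone are below the 5-of-9 threshold, but the unrevoked
    # delegation yields a fifth valid signature.
    out["four_keys_plus_stale_delegation"] = bridge.verify(
        w, reachable_signatures(bridge, w, held))
    # The audit flags the delegation because nothing still requires it.
    out["stale"] = stale_delegations(bridge, still_needed=set())
    # Revoking it drops the reachable set back to four signatures.
    bridge.revoke("axie-dao", "skymavis-1")
    out["after_revoke"] = bridge.verify(w, reachable_signatures(bridge, w, held))
    # Even with the delegation back, an 8-of-9 threshold is out of reach.
    bridge.allow("axie-dao", "skymavis-1")
    bridge.threshold = 8
    out["five_sigs_threshold_8"] = bridge.verify(
        w, reachable_signatures(bridge, w, held))
    # Garbage signatures from every validator are rejected outright.
    out["forged_rejected"] = not bridge.verify(w, {v: "00" * 32 for v in VALIDATORS})
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Two design points carry over to real deployments: a delegation should carry an explicit end condition and be audited against it (the `stale_delegations` check), and the threshold should be chosen so that one operator's entire key set plus any key it can obtain through delegation still falls short.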
As of the time of this writing, the majority of the funds, worth $604.8 million, is still sitting in the hacker's wallet, although 6,250 ETH ($21.3 million) has been transferred to various other addresses.
The price of RON, the native token of the Ronin Network, is down 27% on the news, according to CoinGecko, while the price of AXS, the native token of the Axie Infinity ecosystem, is down 9.28% as of the time of this writing, according to CoinMarketCap.