The Ronin Network, a blockchain system that runs Sky Mavis’ popular NFT game Axie Infinity, has been hacked, with about $625 million worth of funds stolen in a massive theft.
The Ronin bridge was “exploited” for 173,600 Ethereum and 25.5M USDC, the Ronin Network announced in a blog post, adding that the bridge and the Katana Dex have now been halted as a result. The Ronin Network said it’s actively working with law enforcement, as well as forensic cryptographers and its own investors, to ensure that “all funds are recovered or reimbursed.”
In the announcement, the Ronin Network said it discovered today (March 29) that Sky Mavis’ Ronin validator nodes and the Axie DAO validator nodes had been compromised on March 23, leading to the theft. The theft took place in two transactions, with the hacker using compromised “private keys” to create fake withdrawals, the company said. “We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge,” Ronin Network said.
Ronin Network explained that the only way to deposit or withdraw funds from the Ronin chain is to obtain five out of nine validator signatures. The attacking party gained access to four validators from Ronin and one from a third-party validator run by Axie DAO, Ronin Network said.
“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” it said. “This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”
The statement continues: “Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. We have confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.”
Ronin Network said it “moved swiftly” to address the incident and is now taking steps to make sure it doesn’t happen again. In the short term, Ronin Network said deposits and withdrawals now require eight validations instead of five.
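The authorization failure the statement describes, modelled as an added Python example (not Ronin’s or Sky Mavis’ code): a 5-of-9 threshold check with a delegation allowlist, showing that the never-revoked allowlist entry lets all five counted signatures come from a single operator, and that either revoking the delegation or raising the threshold to eight blocks the same withdrawal. Validator names, the delegation dates and the 2022-03-23 check date are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model of the bridge as the article describes it: nine validators,
# four operated by Sky Mavis, one by Axie DAO, four by other (placeholder) parties.
VALIDATORS = {f"skymavis-{i}": "Sky Mavis" for i in range(1, 5)}
VALIDATORS["axiedao"] = "Axie DAO"
VALIDATORS.update({f"other-{i}": f"Operator {i}" for i in range(1, 5)})

@dataclass
class Delegation:
    validator: str                # validator whose signature may be produced for it
    delegate: str                 # operator allowlisted to sign on its behalf
    granted: date
    revoked: Optional[date] = None  # None = allowlist entry never revoked (the stale case)

def approved_validators(signatures, delegations, today):
    """Validators whose approval counts on `today`. `signatures` maps each
    validator to the operator that actually produced its signature."""
    approved = set()
    for validator, signer in signatures.items():
        if validator not in VALIDATORS:
            continue
        if signer == VALIDATORS[validator]:      # signed with the validator's own key
            approved.add(validator)
            continue
        for d in delegations:                    # signed via an allowlist delegation
            active = d.granted <= today and (d.revoked is None or today < d.revoked)
            if d.validator == validator and d.delegate == signer and active:
                approved.add(validator)
    return approved

def authorize_withdrawal(signatures, delegations, today, threshold=5):
    approved = approved_validators(signatures, delegations, today)
    return len(approved) >= threshold, sorted(approved)

def controlling_operators(signatures, approved):
    """Distinct parties behind the counted signatures: a threshold met by one
    party is one compromise away from total loss, whatever the nominal N-of-M."""
    return {signatures[v] for v in approved}

# All five signatures produced from Sky Mavis infrastructure: its own four
# validator keys plus the Axie DAO signature obtained through the delegation.
COMPROMISED = {f"skymavis-{i}": "Sky Mavis" for i in range(1, 5)}
COMPROMISED["axiedao"] = "Sky Mavis"

STALE = [Delegation("axiedao", "Sky Mavis", date(2021, 11, 1))]                  # never revoked
REVOKED = [Delegation("axiedao", "Sky Mavis", date(2021, 11, 1), date(2021, 12, 31))]
```

With the stale allowlist and a threshold of five the withdrawal is authorized by a single operator; with the delegation revoked, or with the threshold raised to eight, the same five signatures are rejected.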
“We are working directly with various government agencies to ensure the criminals get brought to justice,” the company said. “We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users’ funds are lost.”
According to Ronin Network, it has determined that “most” of the stolen funds remain in the hacking party’s wallet. The company also clarified that users are currently unable to withdraw or deposit any funds on Ronin Network for the time being.
Axie Infinity is an NFT-based game from developer Sky Mavis that is one of the most popular examples of a blockchain-based video game. It is a gigantic money-maker, with its developer claiming $4 billion from NFT sales, although what percentage of that involves the same players trading back and forth with each other is unclear.