Pokémon-style NFT battler Axie Infinity was one of the biggest “success” stories in the world of crypto gaming. Now it’s responsible for one of the biggest thefts in the history of the technology. The gaming-focused blockchain Ronin Network announced earlier today that an Axie Infinity exploit allowed a hacker to “drain” roughly $600 million worth of cryptocurrency from the network.
“There has been a security breach on the Ronin Network,” the company announced on its Substack. “Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions.”
The person responsible allegedly used hacked private keys to order the fraudulent withdrawals. How, you ask? According to Ronin, “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
Basically, the Ronin “side-chain” for games like Axie Infinity uses “9 validator nodes” to prevent fraudulent transactions. However, in November, due to overwhelming demand by new Axie players, Ronin gave special privileges to Sky Mavis, the company behind the game, so it could sign transactions on the Axie DAO validator’s behalf.
Released back in 2018, Axie Infinity has exploded in popularity in certain quarters of the internet with the rise of NFTs and market speculation around blockchain gaming and the metaverse. Part critter collectathon, part deck building battle game, Axie Infinity claimed 1.8 million daily users last year, and broke $4 billion in lifetime NFT sales earlier this year. Now it seems to have paid a price for its rapid growth, cutting security corners to rapidly service new users.
“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf,” Ronin writes. “This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.”
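The two paragraphs above describe a threshold scheme (a fixed number of validator signatures approves a withdrawal) undermined by a delegation that outlived its purpose. The following is an added illustration, not Ronin or Sky Mavis code: a toy bridge authorizer in which one operator controls several validator keys and one further validator (the DAO’s) has allowlisted that operator to sign for it. The validator names, the assumption that the operator runs 4 of the 9 validators, and the 5-signature threshold are all constructed for the example; the point it shows is that an unrevoked delegation lowers the number of independent key sets an attacker needs, and that a stale-delegation audit catches it.

```python
"""Toy model of a threshold bridge authorizer with delegated validator signing.

Added example, not code from Ronin Network or Sky Mavis. Validator names,
the 9-validator set, the 5-signature threshold and the "operator runs 4
validators" split are constructed assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

THRESHOLD = 5  # assumed: distinct validator signatures required per withdrawal


@dataclass
class Delegation:
    """Validator `validator` allows party `delegate` to sign on its behalf."""
    validator: str
    delegate: str
    revoked: bool = False


@dataclass
class BridgeAuthorizer:
    validators: set[str]
    delegations: list[Delegation] = field(default_factory=list)

    def effective_signers(self, controlled: set[str]) -> set[str]:
        """Validator signatures a party holding the keys in `controlled` can produce:
        the validators it runs itself, plus every validator that delegated to one
        of its identities and never revoked that delegation."""
        signers = controlled & self.validators
        for d in self.delegations:
            if not d.revoked and d.delegate in controlled:
                signers.add(d.validator)
        return signers

    def authorizes(self, signers: set[str]) -> bool:
        """A withdrawal passes when enough distinct validators have signed."""
        return len(signers & self.validators) >= THRESHOLD

    def stale_delegations(self, still_needed: set[str]) -> list[Delegation]:
        """Audit: live delegations whose delegate no longer needs the privilege.
        A recurring check like this is what would have flagged an allowlist
        entry that was 'discontinued' but never revoked."""
        return [
            d for d in self.delegations
            if not d.revoked and d.delegate not in still_needed
        ]


def build_scenario(delegation_revoked: bool) -> tuple[BridgeAuthorizer, set[str]]:
    """Constructed setup: 9 validators, 4 run by one operator, one DAO validator
    that allowlisted the operator's signing identity, 4 independent others."""
    operator_validators = {f"operator-val-{i}" for i in range(1, 5)}
    validators = operator_validators | {"dao-val"} | {f"other-val-{i}" for i in range(1, 5)}
    auth = BridgeAuthorizer(
        validators,
        [Delegation("dao-val", "operator-signer", revoked=delegation_revoked)],
    )
    # Keys an attacker who fully compromised the operator's systems would hold.
    compromised = operator_validators | {"operator-signer"}
    return auth, compromised


def withdrawal_passes_with_compromised_operator(delegation_revoked: bool) -> bool:
    auth, compromised = build_scenario(delegation_revoked)
    return auth.authorizes(auth.effective_signers(compromised))


if __name__ == "__main__":
    print("delegation live   ->", withdrawal_passes_with_compromised_operator(False))
    print("delegation revoked ->", withdrawal_passes_with_compromised_operator(True))
    auth, _ = build_scenario(False)
    print("stale delegations ->", [d.validator for d in auth.stale_delegations(set())])
```

With the delegation live, compromising one operator yields 4 validator keys plus the delegated fifth signature and the threshold is met; with it revoked the same compromise stops at 4. The design takeaway is that any emergency delegation should carry an expiry or be tied to the condition that justified it, and that `stale_delegations` (or its equivalent in the real signing policy) should run on a schedule rather than rely on someone remembering to revoke.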
Ronin has apparently locked down accounts while it continues its investigation into the hack, meaning no one can get their funds out even as the price of RON, the network’s native token, has reportedly plummeted more than 25%.
Weird how cryptocurrency networks, championed for their security and decentralization, keep getting burgled. Last August, a hacker made off with over $600 million from the Poly Network, though many of the funds were later returned. In January, hackers withdrew more than $30 million from Crypto.com in what the company initially referred to as a low-key “incident.” Most of those funds were restored as well. It remains to be seen what will happen with the latest massive crypto breach.