Sky Mavis, creator of the blockchain NFT game Axie Infinity, says the Ronin network has come under attack and that a hacker was able to siphon off 173,600 USD in ethereum (USDC) and 25.5 million USD Coin (USDC). An attacker has obtained approximately $620 million in crypto assets. Katana Dex and Ronin Bridge have been temporarily halted.
Axie Infinity, the Largest NFT-Based Blockchain Game, Suffers a $620 Million Hack
Axie Infinity, the largest blockchain-based non-fungible token (NFT) game, fell victim to an attack on Tuesday, after Ronin network validators were compromised. Sky Mavis (the company behind Axie Infinity) explained that validators were compromised back in March.
Sky Mavis discovered the attack after an anonymous user reported that they couldn’t withdraw 5,000 Ethereum from the Ronin bridge.
“The attacker used hacked private keys in order to forge fake withdrawals,” Sky Mavis’s post mortem statement discloses. While the Ronin bridge and Katana Dex have been halted, Sky Mavis also said: “We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed. All of the AXS, RON, and SLP on Ronin are safe right now.”
Further, the team explained that Ronin uses nine validator nodes, and that five of those nine nodes are required to complete a transaction.
“The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO,” Sky Mavis said. “The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
What’s worse, Sky Mavis notes that the attacker got away with it because of a change made back in November 2021; the “Axie DAO allowlisted” scheme was discontinued the very next month.
However, the “allowlist access was not revoked,” the team said, and Sky Mavis added that “once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.” Sky Mavis’s post mortem continued:
“We confirmed that the signed malicious withdrawals match up to the five suspect validators.”
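The failure described above, where four validators run by one operator plus one allowlist entry that was never revoked add up to the five-of-nine threshold, can be caught by auditing effective signing control per operator. The Python below is an added example, not Sky Mavis code; the validator and partner names, the `Delegation` record and the exact days are constructed for illustration, and only the counts and months follow the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

THRESHOLD = 5  # signatures required out of nine validators, per the article

@dataclass(frozen=True)
class Delegation:                  # hypothetical record: grantee may obtain validator's signature
    validator: str
    grantee: str
    granted: date
    needed_until: Optional[date]   # when the arrangement was discontinued
    revoked: Optional[date]        # when access was actually removed

def is_active(d, today):
    return d.granted <= today and (d.revoked is None or d.revoked > today)

def effective_control(owners, delegations, today):
    """Map operator -> validators whose signature a compromise of that operator yields."""
    control = {}
    for validator, operator in owners.items():
        control.setdefault(operator, set()).add(validator)
    for d in delegations:
        if is_active(d, today):
            control.setdefault(d.grantee, set()).add(d.validator)
    return control

def audit(owners, delegations, today, threshold=THRESHOLD):
    findings = []
    for d in delegations:
        # Access that outlived its purpose: discontinued but still usable.
        if is_active(d, today) and d.needed_until and d.needed_until <= today:
            findings.append(("stale_delegation", d.grantee, d.validator))
    for operator, vals in sorted(effective_control(owners, delegations, today).items()):
        # One operator's compromise is enough to approve a withdrawal.
        if len(vals) >= threshold:
            findings.append(("single_operator_quorum", operator, len(vals)))
    return findings

# Constructed inventory: names and exact days are placeholders, counts follow the article.
OWNERS = {f"sky-mavis-{i}": "sky-mavis" for i in range(1, 5)}
OWNERS["axie-dao-1"] = "axie-dao"
OWNERS.update({f"partner-{c}-1": f"partner-{c}" for c in "abcd"})
ALLOWLIST = [Delegation("axie-dao-1", "sky-mavis", date(2021, 11, 1),
                        needed_until=date(2021, 12, 1), revoked=None)]

if __name__ == "__main__":
    for finding in audit(OWNERS, ALLOWLIST, today=date(2022, 3, 1)):
        print(finding)
```

With the allowlist entry revoked when the scheme was discontinued, the same inventory produces no findings, because the largest single operator then controls four validators, one short of the threshold.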
Having surpassed the Wormhole Bridge attack, the attack on Ronin is one of the most significant hacks against crypto protocols this year. Jump Crypto was able to replace the funds from the $320m loss caused by the Wormhole Bridge attack. Sky Mavis explained on Tuesday that the team is working with law enforcement in order to “ensure the criminals get brought to justice.”
The team has been in touch with stakeholders to discuss how users can be compensated. “Sky Mavis is here for the long term and will continue to build,” the team’s post mortem concludes.
How do you feel about Axie Infinity’s $620 million loss to someone who discovered a validator exploit? Comment below and let us know how you feel about the subject.
Disclaimer: This information is provided for educational purposes only. This article is not intended to be a solicitation or offer to sell or buy any product, service, or company. Bitcoin.com is not a provider of investment, tax, legal or accounting advice. This article does not contain any information, products, or advice that can be used to cause or imply loss.