In the most startling chain of events, hackers have stolen cryptocurrencies over worth $600 million from an online game, in what is believed to be the largest crypto heist ever. Sky Mavis stated that the Ronin Network, which hosts their Axie Infinity game, was hacked, with hackers taking a total of $620 million in 173,000 Ether and $25.5 million in USDC. This was accomplished by gaining unauthorized access to the Ronin Bridge, which connects Ronin’s blockchain to other cryptocurrencies. Bridges are tools that facilitate the production of synthetic derivatives that replicate assets from a different blockchain.
There has been a security breach on the Ronin Network.https://t.co/ktAp9w5qpP— Ronin (@Ronin_Network) March 29, 2022
The issue wasn’t identified until Tuesday, when an Axie Infinity user attempted to withdraw 5,000 ETH worth of money from the game but was unable to do so, sparking an investigation. This attack outperforms the $611 million hack of the Poly Network, a decentralized finance platform, in August 2021.
According to the official report, the attacker was able to sign transactions from five of the Ronin network’s nine existing validator nodes, which is the required level for signature approval. The attacker eventually acquired access to Sky Mavis’ four validators as well as one run by Axie DAO. The validator key method is set up to be decentralized to prevent an attack vector like this hack, however, the attacker discovered a backdoor through the gas-free RPC node, which they exploited to get the signature for the Axie DAO validator.
Validator nodes are a characteristic of proof-of-stake blockchains including Ronin, which use less energy than proof-of-work systems like Bitcoin and Ethereum. New transactions are reviewed by the nodes to ensure that their inputs and outputs match and those authorization signatures are genuine, and any transactions that do not comply are denied. Although employing fewer nodes is quicker and more efficient, as the breach demonstrates, if a majority of the nodes are hacked, security issues arise, especially if they are not audited. It’s a possible flaw for blockchains marketed as being less expensive and more environmentally friendly than Ethereum. For instance, Binance Smart Chain, one of the world’s fastest-growing networks, relies on just 21 validators, rendering it vulnerable to external attacks, much like Ronin.
To put things in perspective, Ethereum presently has 222,052 validators working together to protect over 7 million ETH. This means that in order for any verification, voting, or record-keeping procedure to be accepted, a majority of these validators must agree.
The company has stated that it is trying to increase the validator threshold from five to eight in order to minimize future hacks. It was also disclosed that the team was already in contact with major cryptocurrency exchanges and with Chainalysis, in order to notify them when funds are transferred to either of them. The Ronin Bridge has been momentarily suspended at the same time. Binance has also deactivated its Ronin-to-Binance bridge to be on the safe side. The bridge will be unlocked when the company is convinced that no more cash may be drained. Due to the difficulty of arbitrage and transferring additional coins to Ronin Network, Sky Mavis has also temporarily blocked Katana DEX. Meanwhile, members of the crypto community are responding to the news of the breach, with some questioning how the hack went unnoticed for over a week. In addition, the hack prompted a 23% decline in the price of Ron, the token featured in Ronin’s blockchain, as stated by CoinMarketCap. Even AXS, a token used in Axie Infinity, fell 6%.
Axie Infinity co-founder Aleksandr Leonard Larsen promised to compensate consumers. According to him, the theft was facilitated by “a social engineering attack paired with a company error dating back to December 2021.” According to Sky Mavis, the company resorted to using a shortcut in November of last year to relieve an “immense user load” on its network, months after the game skyrocketed in popularity in the Philippines and other nations where players used it as a full-time job. The system was shut down in December, but the whitelist permissions that made it possible were never revoked.
Social engineering is a cyber security phrase that refers to deceiving customer care representatives into giving someone access to their online account.
Mr. Larsen stated that the company is committed to recovering or reimbursing all of the money that has been drained while also consulting with its stakeholders to determine the best course of action.
Axie Infinity is a play-to-earn game in which gamers would mint and collect NFT-based creatures that are similar to animated monsters in the Pokémon universe. Breeding, battling, and expanding their army with these creatures known as Axies can earn them in-game tokens. DappRadar, a blockchain sales tracking company, said in October 2021 that over 615,000 traders had bought or sold Axie Infinity NFTs in 4.88 million transactions, with an average sale price of $420. It surpassed the $4 billion milestone in lifetime NFT sales in February.
Last year, Sky Mavis, collected $152 million from investors like a16z, FTX bitcoin exchange, and Samsung Next, increasing its worth to $3 billion.
Typically, Ethereum is used for the majority of the game’s transactions. However, due to the high costs associated with ETH, doing multiple transactions each day is highly expensive. This made Axie Infinity’s developers unveil Layer 2 solution Ronin, an Ethereum-based chain that permitted 100 free transactions each day, in February 2021. Transactions on that network can be completed far faster, for less money, and with less environmental effect than transactions on Ethereum. This resulted in massive growth, with the game’s community reaching 2.9 million members by the year-end.
While Sky Mavis was setting up a network of computer nodes to authenticate transactions on its Ronin Network, it saw that if hackers could take 51 percent control of the network, they could make fraudulent transactions and steal assets.
PeckShield, a cybersecurity firm specializing in blockchain technology, has released a flowchart illustrating where the funds were transferred. The hacker moved cryptocurrency stolen from Ronin Bridge to a number of unidentified cryptographic addresses.
While the attacker’s primary wallet “0x098B716B8Aaf21512996dC57EB0615e2383E2f96” still holds the majority of the crypto assets, they transmitted 1,220 ETH to FTX, 1 ETH to Crypto.com, and 3,750 ETH to Huobi. The hacker was converting USDC 25.5 million into ETH too. They began moving funds to several addresses on March 28 of this year. Huobi and Binance, two major trading exchanges, have reported that they will help Axie Infinity by looking out for any suspicious asset transactions.
Huobi will fully support @AxieInfinity as it deals with the aftermath of the attack and theft on its Ronin chain. Any stolen crypto assets that have been discovered to have traversed our exchange and related networks will be dealt with expediently.— Huobi (@HuobiGlobal) March 29, 2022
Our team is in touch with AxieInfinity team providing assistance in tracking this issue. https://t.co/pNU4wwrCAq— CZ 🔶 Binance (@cz_binance) March 29, 2022
The Ronin hack comes after a February attack on the Wormhole bridge, which resulted in more than $300 million in damages that were paid by Jump Crypto, one of Wormhole’s sponsors.