Axie Infinity NFT Game Hacked for Over $600 Million in Cryptocurrency
Unknown hackers have set a new record in the world of cryptocurrency theft by stealing over $600 million (173,600 ETH) from the NFT game Axie Infinity. According to the company, the attack was the result of social engineering rather than a technical vulnerability.
What Is Axie Infinity?
Axie Infinity is a decentralized game developed by the Vietnamese studio Sky Mavis. The game allows users to breed, sell, and collect digital pets, and its trading volume exceeds a billion dollars annually. Axie Infinity had earlier become a phenomenon in the Philippines, where thousands of users earned significant income through the game.
The Ronin Blockchain and the Attack
In February 2021, the Ronin blockchain was launched to make interactions with Axie Infinity, which is based on Ethereum, more affordable. While transactions on Ethereum require high fees, Ronin allows each user to make up to 100 free transactions per day.
This week, a post on the Ronin blog reported that the project had fallen victim to a cyberattack. Using just two transactions, the attackers managed to steal approximately $600 million: 173,600 ETH (worth about $591,242,019) and $25.5 million in the stablecoin USDC.
The developers explained that the attack actually occurred on March 23, 2022, but it was only discovered later, when users noticed they could not withdraw funds. The attack involved compromising Sky Mavis's Ronin validator nodes and the Axie DAO validator node, which gave the attacker enough validator signatures to push withdrawals through the Ronin bridge.
How the Hack Happened
The Ronin sidechain has a total of nine validator nodes, with five required to approve any deposit or withdrawal. During the attack, four Sky Mavis validators and one Axie DAO validator were compromised.
“The attacker used hacked private keys to forge withdrawals. We discovered the attack only this morning after a user reported being unable to withdraw 5,000 ETH,” the company explained.
The blog post states that the attackers found a backdoor in the gas-free RPC node managed by Sky Mavis, which allowed them to gain control over the Axie DAO node. Back in November 2021, Axie DAO developers had allowed Sky Mavis to sign various transactions on their behalf to handle the rapidly growing number of transactions. Although this practice was stopped in December, “access to the whitelist was not revoked,” so the delegated signing permission remained usable and supplied the fifth signature the attackers needed.
Response and Next Steps
Currently, Sky Mavis has temporarily disabled the Ronin cross-chain bridge and the related decentralized exchange Katana DEX. The developers assure users that there is no need to worry, as RON and the in-game tokens SLP and AXS on the Ronin sidechain are safe.
Law enforcement agencies, as well as experts from Chainalysis and Crowdstrike, are already investigating the incident. The company says the stolen funds are “still in the hacker’s wallet,” although users have noticed that some funds have already been moved to the Binance exchange.
In the future, the developers promise to improve the project’s security, specifically by raising the number of validator signatures required to approve a transaction from five to eight out of nine, and eventually increasing the total number of validators.
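The 5-of-9 quorum described under “How the Hack Happened” and the 8-of-9 threshold promised above can be modelled in a few lines. The following is an added example, not Sky Mavis or Ronin code: the validator names, the delegation record and the key labels are constructed for the illustration, and it shows only the threshold arithmetic, not the bridge’s actual on-chain logic.

```python
from dataclasses import dataclass, field


@dataclass
class BridgeQuorum:
    validators: frozenset      # validator identities (nine in the incident)
    threshold: int             # distinct validator signatures needed per withdrawal
    # delegation record: validator -> party permitted to sign on its behalf
    # (the "whitelist" entry the article says was never revoked)
    delegations: dict = field(default_factory=dict)

    def signable_by(self, held_keys):
        """Validators whose approval a holder of `held_keys` can produce: validators
        whose own key it holds, plus validators that delegated signing to a party
        whose key it holds."""
        delegated = {v for v, party in self.delegations.items() if party in held_keys}
        return frozenset((set(held_keys) | delegated) & self.validators)

    def approves(self, signers):
        """The bridge releases funds only with `threshold` distinct valid validators."""
        return len(frozenset(signers) & self.validators) >= self.threshold

    def revoke(self, validator):
        """Copy of this quorum with `validator`'s delegation removed (the missing step)."""
        kept = {v: p for v, p in self.delegations.items() if v != validator}
        return BridgeQuorum(self.validators, self.threshold, kept)

    def with_threshold(self, threshold):
        """Copy of this quorum with a different signature threshold."""
        return BridgeQuorum(self.validators, threshold, dict(self.delegations))


# Constructed validator set: four Sky Mavis nodes, the Axie DAO node and four other
# operators, nine in total, with the 5-of-9 threshold the article describes.
VALIDATORS = frozenset(
    [f"sky-mavis-{i}" for i in range(1, 5)] + ["axie-dao"] + [f"other-{i}" for i in range(1, 5)]
)
# Constructed label for the November 2021 delegation: Axie DAO let Sky Mavis's
# gas-free RPC signer act for it, and that entry was still present in March 2022.
PRE_INCIDENT = BridgeQuorum(VALIDATORS, 5, {"axie-dao": "sky-mavis-gas-free-rpc"})
# Keys the article says were compromised: four Sky Mavis validators plus the
# backdoored RPC node that still carried the delegated Axie DAO signing right.
COMPROMISED = frozenset([f"sky-mavis-{i}" for i in range(1, 5)] + ["sky-mavis-gas-free-rpc"])


def quorum_reachable(quorum, held_keys):
    """Can a holder of `held_keys` alone satisfy the withdrawal threshold?"""
    return quorum.approves(quorum.signable_by(held_keys))


if __name__ == "__main__":
    print("5-of-9, stale delegation  :", quorum_reachable(PRE_INCIDENT, COMPROMISED))                   # True
    print("5-of-9, delegation revoked:", quorum_reachable(PRE_INCIDENT.revoke("axie-dao"), COMPROMISED))  # False
    print("8-of-9, stale delegation  :", quorum_reachable(PRE_INCIDENT.with_threshold(8), COMPROMISED))   # False
```

Either control alone (revoking the stale delegation, or raising the threshold to eight) would have left the compromised key set short of a quorum; a periodic audit of the delegation record against the list of parties that should still hold signing rights is the check that was missing.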