Hacker Drains $622M From Axie Infinity’s Ronin Ethereum Sidechain

In brief

  • Ronin, the Ethereum sidechain for NFT game Axie Infinity, has been hit with a sizable exploit.
  • All told, some $622 million worth of Ethereum and USDC were drained from the bridge that connects Ronin to Ethereum’s mainnet.

Ronin, an Ethereum sidechain developed for the hit NFT game Axie Infinity, has been targeted in a hack that saw an estimated $625 million worth of cryptocurrency drained from its bridge.

Developer Sky Mavis announced the news today, writing that the exploit took place on March 23 but was only discovered earlier today. The attacker used “hacked private keys” to execute the exploit, per the team’s report, and thus was able to forge transactions to claim the funds.

All told, the attacker took 173,600 WETH or Wrapped Ethereum (nearly $597 million) and 25.5 million USDC stablecoin ($25.5 million), adding up to about $622 million worth of crypto funds as of this writing. Most of the stolen funds are still sitting in the hacker’s wallet.

According to the report, the attacker was able to sign transactions from five of the nine current validator nodes on the Ronin network, which is the threshold needed to approve signatures. Ultimately, the attacker gained access to Sky Mavis’ own four validators, along with one operated by Axie DAO.

“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the report reads.

“This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load,” it continues. “The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”
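The concentration the report describes (four directly operated validators plus one reachable through an allowlist entry that was never revoked, against a five-of-nine threshold) is something a key-custody audit can check mechanically. The Python below is an added example, not code from Sky Mavis or from this article; the data model, function names, placeholder operator names and exact dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Delegation:
    grantor: str                # operator whose validator signs on request
    grantee: str                # party allowed to request those signatures
    use_ended: Optional[date]   # when the arrangement stopped being needed
    revoked: bool               # whether the access was actually removed

def effective_control(validators, delegations):
    """Map each party to the validators it can get signatures from,
    either by operating them or through an unrevoked delegation."""
    control = {}
    for vid, operator in validators.items():
        control.setdefault(operator, set()).add(vid)
    for d in delegations:
        if d.revoked:
            continue
        for vid, operator in validators.items():
            if operator == d.grantor:
                control.setdefault(d.grantee, set()).add(vid)
    return control

def threshold_breaches(validators, delegations, threshold):
    """Parties whose compromise alone would yield >= threshold signatures."""
    control = effective_control(validators, delegations)
    return {p: sorted(v) for p, v in control.items() if len(v) >= threshold}

def stale_delegations(delegations, as_of):
    """Grants that are no longer in use but were never revoked."""
    return [d for d in delegations
            if not d.revoked and d.use_ended is not None and d.use_ended <= as_of]

# Constructed inventory matching the 5-of-9 layout in the report. Operator names
# other than Sky Mavis and Axie DAO are placeholders; exact dates are assumed.
VALIDATORS = {f"v{i}": "Sky Mavis" for i in range(1, 5)}
VALIDATORS["v5"] = "Axie DAO"
VALIDATORS.update({f"v{i}": f"operator-{i}" for i in range(6, 10)})
THRESHOLD = 5
DELEGATIONS = [Delegation("Axie DAO", "Sky Mavis", date(2021, 12, 31), revoked=False)]

if __name__ == "__main__":
    as_of = date(2022, 3, 23)
    print("breaches:", threshold_breaches(VALIDATORS, DELEGATIONS, THRESHOLD))
    print("stale:", stale_delegations(DELEGATIONS, as_of))
```

With the delegation marked as revoked, no single party reaches the threshold in this inventory, which is the property the validator scheme was meant to guarantee.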

Sky Mavis said that it has tapped law enforcement, forensic cryptographers at Chainalysis, and its own investors to “make sure all funds are recovered or reimbursed.”

During an onstage interview at the NFT LA conference today, Axie Infinity co-founder Jeff Zirlin described it as “one of the bigger hacks in history.” Some of the drained funds have already been sent from the attacker’s wallet to exchanges, and Zirlin said that “there’s a chance that they can be identified and brought to justice.”

As a result of the security breach, Sky Mavis has halted both the bridge that connects Ronin to the Ethereum mainnet, which lets users send funds and assets back and forth between the two, and the Katana decentralized exchange (DEX) that runs on Ronin.

The company said further that all funds still on Ronin—whether in Axie Infinity’s AXS and SLP tokens, or Ronin’s own RON governance token—are currently safe. Sky Mavis discovered the breach after someone attempted to withdraw 5,000 ETH of their own funds from Ronin and found that they were unavailable via the bridge.

The Ronin bridge hack appears to be similar to that of Wormhole, a cross-chain Ethereum/Solana bridge that was attacked for $320 million worth of WETH in early February. Jump Crypto ultimately replenished the stolen funds, apparently as a bet on the future of the Solana ecosystem.

Editor’s note: This story was updated to include comments from Axie Infinity co-founder Jeff Zirlin at the NFT LA conference.


Source: https://decrypt.co/96322/hacker-622-million-axie-infinity-ronin-ethereum