Hackers steal $620M in Ethereum and dollars from Axie Infinity maker Sky Mavis’ Ronin network

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – August 3. Join AI and data leaders for insightful talks and exciting networking opportunities. Learn More

Sky Mavis reported that the Ronin Network which supports its Axie Infinity game has been hacked and thieves stole 173,600 in Ethereum cryptocurrency (worth $594.6 million) and $25.5 million in U.S. dollars, stealing a total of $620 million.

If Sky Mavis, the maker of the Axie Infinity blockchain game, can’t recover the funds, that’s a huge hit to its overall treasury and a black eye for blockchain-based security, as the whole point of putting the game on the blockchain — in this case a Layer 2 network dubbed the Ronin Network — is to enable better security.

The Ronin bridge and Katana Dex enabling transactions have been halted. For now, that means that players who have funds stored on the network can’t access their money right now. The stolen funds only represent a portion of the overall holdings of Sky Mavis and its Axie decentralized autonomous organization (DAO).

“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed. All of the AXS, RON, and SLP on Ronin are safe right now,” said Sky Mavis in a statement.


GamesBeat Summit 2022

Re-experience the excitement of connecting with your community live at GamesBeat Summit’s in-person event on April 26 in Los Angeles, CA, and virtually April 27-28. 30+ sessions and 500+ attendees are set to arrive, so don’t want to miss this opportunity to expand your network. Early bird pricing ends March 25. Get your pass today!

Register Now

The hack will likely be considered one of the biggest hacks in cryptocurrency history, at least according to data from Comparitech.

The company said there was a security breach on the Ronin Network itself. Earlier today, the firm discovered that on March 23, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 ETH (valued at $594.6 million at the moment) and $25.5 million drained from the Ronin bridge in two transactions.

So far, the stolen cryptocurrency hasn’t been transferred from the account that did the attack, the company said.

The validator nodes are external entities that verify the information on the blockchain and compare notes with each other to ensure the blockchain’s information is accurate. Blockchain is (believed to be) a secure and transparent digital ledger, and Ethereum is one of the biggest networks based on the technology. Ethereum is both a blockchain protocol as well as the name of the cryptocurrency based on the protocol.

Sky Mavis uses the blockchain to verify the uniqueness of nonfungible tokens (NFTs), which can uniquely authenticate digital items such as the Axie creatures used in the Axie Infinity game. NFTs exploded in popularity last year and enabled Sky Mavis to raise $152 million at a $3 billion valuation in October. But blockchain games also a flashpoint in the industry now as critics say they are full of ponzi schemes, rug pulls, and other kinds of anti-consumer scams.

Ethereum has its drawbacks, as transactions on it are slow and consume a lot of energy, as it taps a lot of computers worldwide to do the verification work. To alleviate that, companies like Sky Mavis have created Layer 2 solutions such as the Ronin Network. That network can execute transactions far more quickly, inexpensively, and with smaller environmental impacts than doing transactions on Ethereum itself.

But this offchain processing comes at a risk, as Sky Mavis has just learned. Sky Mavis set up a network of computing nodes to validate transactions on its Ronin Network, but if hackers can gain 51% control of that network, then they can create fake transactions and steal funds stored on the network.

Sky Mavis said that the attacker used hacked private keys in order to forge fake withdrawals. Sky Mavis said it discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.

Details about the attack

Axie Infinity lets you convert game rewards to real money.

Sky Mavis’ Ronin chain currently consists of nine validator nodes. In order to recognize a deposit event or a withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO.

The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through Sky Mavis’ gas-free RPC node, which the attacker used to get the signature for the Axie DAO validator.

This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowed listed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allow list access was not revoked.

Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC,” Sky Mavis said.

“We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators,” said Sky Mavis.

Actions taken

Axie Infinity
Axie Infinity has two million daily users.

Sky Mavis said it moved swiftly to address the incident once it became known and it is actively taking steps to guard against future attacks. To prevent further short-term damage, the company has increased the validator threshold from five to eight.

“We are in touch with security teams at major exchanges and will be reaching out to all in the coming days,” the company said. “We are in the process of migrating our nodes, which is completely separated from our old infrastructure.”

The company has also temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once the company is certain no more funds can be drained.

Sky Mavis has also temporarily disabled Katana DEX due to the inability to arbitrage and deposit more funds to Ronin Network. And it is working with Chainalysis to monitor the stolen funds, as transactions on the blockchain can be tracked.

Next steps

Axie Infinity
Axie Infinity has generated $2 billion in sales and resales.

The company said it is working directly with various government agencies to ensure the criminals get brought to justice.

“We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users’ funds are lost,” the company said.

Originally, Sky Mavis chose the five out of nine threshold for validators as some nodes didn’t catch up with the chain, or were stuck in syncing state. Moving forward, the threshold will be eight out of nine. The company will be expanding the validator set over time, on an expedited timeline.

Most of the hacked funds are still in the alleged hacker’s wallet:


Sky Mavis is figuring out exactly how this happened.

“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats. We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks,” Sky Mavis said.

The company said that ETH and USDC deposits on Ronin have been drained from the bridge contract. Sky Mavis said it is working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. All of the AXS, RON, and SLP on Ronin are safe right now, the company said.

“As of right now users are unable to withdraw or deposit funds to Ronin Network. Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed,” the company said.

Originally appeared on: TheSpuzz