Oh no! Anyway…
Chances are, if you’re like most people, you had no idea Axie Infinity existed. The game is known for its marketplace, which utilizes blockchain technology, which buzzword buzzword buzzword. Anyway, they just got a good $600 million stolen from it. Gaming blockchain Ronin Network announced the theft earlier today.
There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge.
Basically, the network utilizes 9 different “nodes” to secure transactions and allow the usage of players’ NFTs between games (the main selling point for Axie Infinity’s system). In November last year, Ronin gave Axie Infinity devs Sky Mavis the ability to sign transactions on its own.
This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.
Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.
We have confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.
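The failure described in the statement above is a delegation that outlived its purpose and quietly pushed one operator's signing reach up to a quorum. As an added example (not code from Ronin, Sky Mavis or the original article), the Python sketch below audits a validator set for exactly that condition. The validator ids, the 4 + 1 + 4 operator split, the threshold of 5 and the dates are constructed assumptions; the page itself only states nine nodes and five matching signatures.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Delegation:
    grantor: str                       # validator whose signature can be requested
    grantee: str                       # operator allowed to request it
    needed_until: date                 # when the business need ended
    revoked_on: Optional[date] = None  # None means the access is still live

def audit(validators, delegations, threshold, today):
    """validators maps validator id -> operator. Returns (stale, at_risk)."""
    # Signatures each operator can produce from the keys it runs itself.
    reach = {}
    for vid, operator in validators.items():
        reach.setdefault(operator, set()).add(vid)
    stale = []
    for d in delegations:
        if d.revoked_on is not None and d.revoked_on <= today:
            continue  # properly revoked, grants nothing
        # A live delegation extends the grantee's reach to the grantor's key.
        reach.setdefault(d.grantee, set()).add(d.grantor)
        if d.needed_until < today:
            stale.append(d)  # no longer needed, never revoked
    # Operators whose compromise alone yields a quorum of signatures.
    at_risk = {op: sorted(v) for op, v in reach.items() if len(v) >= threshold}
    return stale, at_risk

# Constructed sample data (assumed layout, hypothetical ids).
VALIDATORS = {
    "sm-1": "Sky Mavis", "sm-2": "Sky Mavis", "sm-3": "Sky Mavis",
    "sm-4": "Sky Mavis", "axie-dao": "Axie DAO",
    "ext-1": "Operator A", "ext-2": "Operator B",
    "ext-3": "Operator C", "ext-4": "Operator D",
}
DELEGATIONS = [Delegation("axie-dao", "Sky Mavis", needed_until=date(2021, 12, 31))]
THRESHOLD = 5  # assumed quorum

if __name__ == "__main__":
    stale, at_risk = audit(VALIDATORS, DELEGATIONS, THRESHOLD, date(2022, 3, 23))
    for d in stale:
        print(f"STALE: {d.grantee} can still sign as {d.grantor} "
              f"(needed until {d.needed_until})")
    for op, keys in at_risk.items():
        print(f"QUORUM RISK: compromising {op} alone reaches {len(keys)} signatures")
```

Run on a schedule against the real validator and allowlist inventory, a check like this turns "access was not revoked" into an alert rather than a post-incident finding.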
Ronin has locked down accounts as the investigation continues. Which is a problem if you’ve invested in RON, Ronin’s native Ethereum-based token. Especially as the token has dropped in value by over 25%.
Source: Kotaku