Ronin, the blockchain behind the game ‘Axie Infinity’, one of the most popular of NFTs, has been the victim of a hack in which the equivalent of 625 million dollars have been stolen in cryptocurrencies.
According to the developer Sky Mavis, the attack occurred on March 23, but had not been discovered until today, since a user could not withdraw 5,000 ETH from the Ronin bridge. To achieve the attack they used “hacked private keys“, taking advantage a vulnerability in the service, falsifying the transactions and stealing the fundssimilar to the Wormhole attack in early February.
From the total attack, they obtained 173,600 Ethereum (equivalent to about 600 million dollars) and $25.5 million in USDC (a dollar-pegged stablecoin) from the Ronin bridge in two separate transactions, where Sky Mavis’s and Axie DAO’s Ronin validating nodes were compromised.
As detailed by Ronin, the Sky Mavis chain consists of nine validation nodes, and five of the nine signatures are required to acknowledge a deposit or withdrawal of the validator. The attacker was able to control four of Sky Mavis and one more of Axie DAO.
They also point out that despite the fact that the system is configured to limit such an attack, the person responsible managed to find a backdoor to get the extra signature necessary to validate the transaction.
This is how they are acting to solve it
As a result of the vulnerability, Ronin mentions that they are taking active measures to protect against future attacks, increasing the threshold of validators from five to eight. They will also be contacting the security teams of the exchanges and migrating their nodes to a new infrastructure.
Additionally, between the stockings, the Ronin bridge was temporarily stopped to prevent further attack vectors and Binance disabled its bridge to/from Ronin, which will open again once they are sure no funds can be drained.
Finally Ronin has stated that they are working with Chainalysis, with the intention of monitoring the stolen funds and is collaborating with government agencies, as well as with forensic cryptographers and investors to ensure that the guilty are brought to justice.
The company also reported that the axie tokens that players buy to access the game, have not been compromised, nor the SLP and AXS cryptocurrencies that are used to fight and breed pets, but for now cannot be withdrawn or deposited resources in the Ronin Network and all funds that are depleted will be recovered or refunded.
Images: Axie Infinity