Axie Infinity hack results in $600m cryptocurrency heist
Hackers stole more than $600 million in cryptocurrency from Sky Mavis, developer of the popular NFT-based video game Axie Infinity.
The attack occurred on March 23, according to a post published by the developer on Tuesday, when a threat actor breached the Ronin Bridge, which is used to support the exchange and interoperability of different cryptocurrencies from different blockchains. Specifically, the threat actor compromised a series of validation nodes connected to Sky Mavis and their non-fungible token (NFT) game, Axie Infinity.
Sky Mavis, who developed the Ronin Network sidechain, said in the post that hackers stole 173,600 Ethereum and 25.5 million in USD Coin, a coin that maintains the value of the US dollar, totaling approximately $620 million. The cryptocurrency was drained in two transactions, which occurred when “the attacker used hacked private keys to forge fake withdrawals.”
Sky Mavis said the Ronin chain includes nine validator nodes, which are used to verify deposits and withdrawals. Five node signatures are required to verify a transaction, and the actor obtained those signatures by gaining control of four of Sky Mavis’s validator nodes and a third-party validator operated by Axie Infinity’s Decentralized Autonomous Organization (DAO).
The Axie Infinity sidechain hack happened when an attacker “found a backdoor through our gasless RPC [remote procedure call] node” and used it to access the Axie DAO validator. This, as the post explained, was not supposed to be possible.
“This traces back to November 2021 when Sky Mavis requested the help of Axie DAO to distribute free transactions due to a huge user load,” the post said. “Axie DAO authorized Sky Mavis to sign various transactions on their behalf. This was discontinued in December 2021, but the approval list was not revoked.”
Sky Mavis said that “the signature in the malicious withdrawals matches the five suspected validators.”
It is unclear how attackers obtained the private keys, or whether the backdoor in question was placed by threat actors or created by design for the company. Sky Mavis did not respond to SearchSecurity’s request for comment.
The developer said that going forward, it has prevented future attacks in part by raising the validator threshold from five nodes to eight.
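An added example (not Sky Mavis's code and not taken from its post): a small audit that counts how many distinct operators must be compromised to meet a bridge's signature threshold, run over constructed data shaped like the validator set described above. The operator names for the remaining four validators, the one-operator-each layout and the exact end date of the delegation are assumptions.

```python
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed data modelled on the article: nine validators, four run by one
# operator. "op_c".."op_f" are placeholder operators (assumption: one node each).
VALIDATORS = {
    "v1": "sky_mavis", "v2": "sky_mavis", "v3": "sky_mavis", "v4": "sky_mavis",
    "v5": "axie_dao", "v6": "op_c", "v7": "op_d", "v8": "op_e", "v9": "op_f",
}
# (validator, delegate operator, date the arrangement ended). The article gives
# only "December 2021"; the day is constructed.
DELEGATIONS = [("v5", "sky_mavis", date(2021, 12, 31))]


def signing_power(validators, delegations):
    """Map each operator to the validators it can produce a signature for."""
    power = defaultdict(set)
    for node, operator in validators.items():
        power[operator].add(node)
    for node, delegate, _ended in delegations:
        # An entry still on the approval list is usable, whatever its end date.
        power[delegate].add(node)
    return dict(power)


def stale_delegations(delegations, today):
    """Approval-list entries whose arrangement ended but were never removed."""
    return [d for d in delegations if d[2] is not None and d[2] <= today]


def min_operators_for_quorum(power, threshold):
    """Fewest operators whose combined validators meet the threshold."""
    operators = list(power)
    for k in range(1, len(operators) + 1):
        for group in combinations(operators, k):
            if len(set().union(*(power[o] for o in group))) >= threshold:
                return k
    return None  # threshold unreachable with this validator set


if __name__ == "__main__":
    cases = (("approval list left in place", DELEGATIONS), ("after revocation", []))
    for label, delegs in cases:
        power = signing_power(VALIDATORS, delegs)
        for threshold in (5, 8):
            n = min_operators_for_quorum(power, threshold)
            print(f"{label}: {threshold} of 9 -> {n} operator(s) suffice")
    print("stale entries:", stale_delegations(DELEGATIONS, date(2022, 3, 23)))
```

With the unrevoked delegation in place, a 5-of-9 threshold is met by a single operator; revoking the entry or raising the threshold both increase the number of independent parties an attacker has to compromise.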
Sky Mavis “is also working with law enforcement, forensic cryptographers and our investors to ensure all funds are recovered or refunded.” The company disclosed the Ethereum wallet address of the threat actor, who held approximately $595 million at press time.
In addition, Sky Mavis said it has “temporarily paused” the Ronin bridge to ensure no other attack vectors are open while the developer investigates the sidechain hack.
Axie Infinity, Sky Mavis’ tentpole game, is part of a new category of NFT video games. Players collect and mint NFTs represented in-game as digital pets, or “Axies,” that can be used in battle against other pets. Players pay initial costs to play, but can earn – and withdraw – cryptocurrency as an in-game currency through gameplay.
Cryptocurrency cyber attacks have been on the rise in recent months. Last month, for example, cryptocurrency platform Wormhole reported that a threat actor stole a bunch of wrapped Ethereum worth hundreds of millions of dollars.
Alexander Culafi is a writer, journalist and podcaster based in Boston.