Axie Infinity Related Blockchain Ronin Network Hacked For $540 Million

On Tuesday, the Ronin network, which powers the play-to-earn game Axie Infinity, publicly reported a major security breach.

LONDON, March 29 (Reuters) - Blockchain project Ronin said on Tuesday that hackers stole cryptocurrency now worth almost $615 million from its systems, in what would be one of the largest cryptocurrency heists on record.

The project said that unidentified hackers on March 23 stole some 173,600 ether tokens and 25.5 million USD Coin tokens. At current exchange rates, the stolen funds are worth $615 million, but they were worth some $540 million at the time of the attack.

This makes it the second-largest crypto theft on record, according to blockchain analysis firm Elliptic.

Ronin is used to power the popular online game Axie Infinity, which uses non-fungible tokens (NFTs) and is the biggest NFT collection by all-time sales volume, according to NFT market tracker CryptoSlam.

Ronin said in a blog post that the hacker had used stolen private keys - the passwords needed to access crypto funds - to make off with the funds.

A lot of reporting is using the higher number over $600 million, but I will use the valuation on the day of the hack. According to Axie Infinity publisher Sky Mavis Ltd., the funds are still in the hacker's crypto-wallet. The publisher also stated the hack occurred due to social engineering, not a technical flaw in the Ronin network. But reading a blogpost from Ronin leaves me wondering exactly the social engineering involved. To me, a little bit of human error was involved, leaving an attack vector open to potential hackers. For those interested in the technical details, the blogpost included details of the attack.

Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO. 

The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.  

This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. 

Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. 

We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators.

The blogpost detailed 6 steps the company took as a result of the security breach.

1. We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short term damage, we have increased the validator threshold from five to eight.
2. We are in touch with security teams at major exchanges and will be reaching out to all in the coming days. 
3. We are in the process of migrating our nodes, which is completely separated from our old infrastructure.
4. We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained. 
5. We have temporarily disabled Katana DEX to due to the inability to arbitrage and deposit more funds to Ronin Network. 
6. We are working with Chainalysis to monitor the stolen funds.

The Washington Post reported that the breach was noticed days before Ronin became aware of the hack. 

Since tokens fluctuate in value, breaches can have an effect on trading. The crypto community on Tuesday was abuzz about the action of “Cobie,” an enigmatic crypto figure (real name: Jordan Fish). He generated an intense back and forth on Twitter when he said he had taken short positions on a large number of NFTs from the game last week because he perceived security flaws.

I noticed that Axie bridge was exploited for $600m 6 days ago, so I shorted AXS with high leverage

I was early. I executed quickly, like the expert traders taught me

Within 24 hours I was liquidated because nobody else noticed the hack for 6 days and the price pumped instead 🙌

— Cobie (@cobie) March 29, 2022

Since The Nosy Gamer is a blog dedicated to video games, I should at least mention a little about a game I have only recently heard of. The Wall Street Journal gave a description.

“Axie Infinity,” launched in 2018, is part of a small but fast-growing number of so-called play-to-earn games. Also known as blockchain games, they largely center on the buying, trading and selling of virtual assets backed by nonfungible tokens, or NFTs. The games are considered an early foray into the metaverse, a more immersive future version of the internet where people are expected to work, learn and be entertained.

“Axie Infinity” had more than 1.7 million daily users in February, according to Sky Mavis. In it players collect digital pets called Axies that they use to compete in battles. They can sell and trade the creatures for digital currency. Some Axies are worth more than others.

Finally, since I haven't written any posts explaining what NFTs and play-to-games are, I'll conclude this post with a video put together by the Wall Street Journal. Enjoy!