MANILA, Philippines – Sky Mavis on Wednesday, March 30, announced that its Ronin blockchain, on which the game Axie Infinity runs, has been hacked. The currently unknown actors made off with 173,600 Ethereum and 25.5 million USDC – a stablecoin or a cryptocurrency pegged to fiat money, the US dollar in this case. Sky Mavis made the announcement on its Ronin blockchain newsletter.
Current conversion rates for the stolen cryptocurrencies amount to about $625 million, which cryptocurrency site Coindesk notes, “may be the largest yet” as far as blockchain hacks go.
The hack occurred on March 23, but was only discovered on Tuesday, March 29, after one of its users was unable to withdraw 5,000 Ethereum. “The attacker used hacked private keys in order to forge fake withdrawals,” Sky Mavis said.
The attacker was able to get control of enough validator nodes or computers in a blockchain network that verify transactions in order to pilfer the money. Sky Mavis’ Ronin blockchain has nine validator nodes, and in order to make a deposit or withdrawal, signatures from at least five out of the nine are required. The attacker managed to get control of five validators, specifically four of its own validators and another third-party “Axie DAO” validator.
The validator nodes are set up in a decentralized fashion, a setup that theoretically would prevent actors from taking control of a singular system through which transactions go through. Sky Mavis explained that the attacker was able to find a backdoor through the network’s “gas-free RPC node.”
An RPC node or Remote Procedure Call node facilitates the connection between a decentralized app, Axie Infinity for example, and the Ronin blockchain. This RPC node was “abused to get the signature for the Axie DAO validator.” Sky Mavis noted that the node is “gas-free” referring to the “gas fees” that occur whenever a transaction is made on the blockchain as payment for the verification work being done by validator nodes.
Sky Mavis said that the third-party validator by Axie DAO was used back in November 2021 to help with transactions “due to an immense user load” which was discontinued in December 2021. However, the third-party validator’s access was not revoked. This left the door open for the attackers to get the signature from the Axie DAO third-party validator through the aforementioned RPC node backdoor.
Sky Mavis has temporarily paused Ronin Bridge, the transaction bridge connecting the Ronin blockchain to the Ethereum blockchain, “to ensure no further attack vectors remain open.” The Ronin blockchain is what’s actually called a “sidechain” which is a blockchain with its own set of rules and protocols that is connected to a larger, primary blockchain network, which in this case is the Ethereum blockchain.
“The bridge will be opened up at a later date once we are certain no funds can be drained,” Sky Mavis said.
“We are working directly with various government agencies to ensure the criminals get brought to justice. We are in the process of discussing with Axie Infinity/Sky Mavis stakeholders about how to best move forward and ensure no users’ funds are lost.”
The hacker’s Ethereum wallet can be found here, which curiously has 175,913 Ethereum – about two thousand more than the announced funds stolen – at the time of this story’s publication. It’s unclear whether the wallet already had Ethereum before the theft occurred.
While blockchain systems are regularly lauded for being secure automated platforms for transactions, incidents like these indicate that there may indeed be vulnerabilities.
Sky Mavis said, regarding the question on the safety of the Ronin blockchain:
“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats. We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”
Axie players may currently be unable to transfer crypto as Sky Mavis continues to address the massive breach. “As of right now users are unable to withdraw or deposit funds to Ronin Network. Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed.” – Rappler.com