Ronin Network, the Ethereum sidechain of the popular NFT game Axie Infinity, suffered a loss of $625 million, making it one of the largest hacks in cryptocurrency history.
There has been a security breach on the Ronin Network.https://t.co/ktAp9w5qpP
— Ronin (@Ronin_Network) March 29, 2022
An official blog post issued Tuesday saw Axie Infinity operator Sky Mavis revealing the post-mortem of the hack. 173,600 Ethereum and 25.5 million USDC were stolen during the high profile exploit, which roughly totals $625 million in US Dollars at press time.
The exploit occurred on March 23 but was discovered yesterday by the team when a user attempted to withdraw 5,000 ETH from the bridge but failed. “ETH and USDC deposits on Ronin have been drained from the bridge contract,” the blog post explained. “As of right now users are unable to withdraw or deposit funds to Ronin Network.”
Elaborating on the post-mortem, Sky Mavis detailed that five of the Ronin network’s nine validator nodes were hacked out of their signatures in order to withdraw funds without being noticed. Sky Mavis explained the loophole through which the hacker was able to gain access to validator nodes:
“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
Presently, most of the funds remain in the hacker’s Ethereum address except for 6,250 ETH which were later transferred to some other addresses. In addition, USDC funds worth $25.5 million have been transferred out as well. Some of the crypto sleuths on Twitter, including security researcher Igor Igamberdiev, pointed out that the attacker has used major exchanges FTX and Crypto.com to transfer funds.
— Igor Igamberdiev (@FrankResearcher) March 29, 2022
Axie Infinity’s native tokens AXS and SLP remained unaffected during the hack. However, Sky Mavis has temporarily paused the Ronin Bridge to prevent any further onslaught. The development team is currently working with law enforcement officials, forensic cryptographers, and investors as it seeks to reimburse the losses.