Hackers Steal $620 Million From Axie Infinity’s Ethereum Sidechain Ronin

Bitdefender Download

Axie Infinity’s Ronin sidechain was hit by a cyberattack that inflicted losses of more than $600 million in crypto, developers disclosed yesterday.

Hackers leveraged an exploit against the blockchain network, which supports the popular play-to-earn (P2E) game Axie Infinity, on March 23 but developers only discovered the attack on March 29.

The perpetrators stole 173,600 ETH (roughly $590 million at the present time) and 25.5 million worth of the USDC stable coin by attacking Ronin validators. The devastating cyberattack compromised five out of nine validator nodes. Blockchain validators are network nodes in charge of maintaining the blockchain’s integrity by processing and validating transaction blocks.

“Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed,” a Ronin blog post explains. “The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.”

“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the post continues.

The team is taking steps to fend off future attacks and “increased the validator threshold from five to eight” to mitigate further short-term damage. Developers also said they’re migrating nodes to a separate infrastructure, temporarily paused the Ronin bridge and the Katana DEX (decentralized exchange), and are working with Chainalysis to monitor stolen funds.

According to Ronin’s blog post, most of the stolen funds are still in the hacker’s wallet. Ronin said it’s collaborating directly with various government agencies to bring the perpetrators to justice.