More than $600 million in cryptocurrency stolen from NFT game Axie Infinity

A new record in the field of cryptocurrency robberies was set by unknown hackers who stole more than $600 million (173,600 ETH) from the NFT game Axie Infinity. The company claims that the attack was the result of social engineering, and not some kind of vulnerability.

Axie Infinity is a decentralized game created by the Vietnamese studio Sky Mavis. The game allows users to breed, sell and collect digital pets, and its trading operations exceed one billion dollars a year. Axie Infinity has already become a real phenomenon in the Philippines, where thousands of users earn good money with it.

Back in February 2021, the Ronin blockchain made it possible to reduce the cost of interacting with the Ethereum-based Axie Infinity. While any action on Ethereum requires a hefty fee, Ronin allows each user to make 100 free transactions per day.

The Ronin blog posted this week that the project was the victim of a cyberattack in which unknown persons, with the help of just two transactions, stole about 600 million US dollars: 173,600 ETH (worth about 591,242,019 dollars) and the USDC stablecoin (worth $25.5 million).

The developers say that the attack occurred on March 23, 2022, but it was discovered only now, when users noticed that they could not withdraw funds. The attack included compromising the Sky Mavis Ronin validator nodes and the Axie DAO validator nodes, after which the attacker was able to use the Ronin bridge for his own purposes.

The Ronin sidechain has a total of nine validator nodes, and five of them must approve any deposit or withdrawal. The attack compromised four Sky Mavis validators and one Axie DAO validator.

“The attacker exploited compromised private keys to fake withdrawals. We only discovered the attack this morning after a user reported that they could not withdraw 5,000 ETH,” the company explained.

The blog post states that the attackers discovered a backdoor in a gas-free RPC node operated by Sky Mavis, which allowed them to take control of the Axie DAO node. Back in November 2021, the developers of Axie DAO allowed Sky Mavis to sign various transactions on their behalf in order to process a rapidly growing number of transactions. This practice was stopped in December, but “access to the white list was not revoked.”

Currently, Sky Mavis has temporarily shut down the Ronin cross-chain bridge, as well as its associated decentralized exchange, Katana DEX. The developers assure users that they have nothing to worry about, since RON and the in-game SLP and AXS tokens are safe on the Ronin sidechain.

Law enforcement agencies, as well as experts from Chainalysis and Crowdstrike, are already investigating what happened. The company says that the stolen funds are “still in the hacker’s wallet”, although users have already noticed that the attacker withdrew part of the funds to the Binance exchange.

In the future, the developers promise to improve the security of their project, in particular by raising the number of nodes required for validation to eight out of nine, and then by increasing the total number of validators.
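The validator arithmetic described above (five of nine signatures, a delegation that was never revoked, and the planned move to eight of nine) can be checked with a short model that counts how many independent entities must be compromised to reach the signing threshold. This is an added example, not code from Sky Mavis or from the original article; the four validators the article does not name are given constructed placeholder operators, and a delegation is assumed to let the delegate produce that validator's signature.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Validator:
    name: str
    operator: str                       # entity holding the signing key
    delegated_to: Optional[str] = None  # entity still allowlisted to sign for it

def build_set(delegation_active: bool):
    """Nine validators as in the article; operator-A..D are constructed placeholders."""
    vals = [Validator(f"skymavis-{i}", "Sky Mavis") for i in range(1, 5)]
    vals.append(Validator("axie-dao", "Axie DAO",
                          "Sky Mavis" if delegation_active else None))
    vals += [Validator(f"other-{c}", f"operator-{c}") for c in "ABCD"]
    return vals

def reachable(validators):
    """Entity -> set of validators whose signature it can produce."""
    reach = defaultdict(set)
    for v in validators:
        reach[v.operator].add(v.name)
        if v.delegated_to:
            reach[v.delegated_to].add(v.name)
    return reach

def min_entities(validators, threshold):
    """Fewest entities whose combined reach meets the signing threshold."""
    reach = reachable(validators)
    for k in range(1, len(reach) + 1):
        for combo in combinations(reach, k):
            if len(set().union(*(reach[e] for e in combo))) >= threshold:
                return k, combo
    return None

if __name__ == "__main__":
    for threshold in (5, 8):
        for active in (True, False):
            k, combo = min_entities(build_set(active), threshold)
            print(f"threshold={threshold} delegation_active={active}: "
                  f"{k} entities, e.g. {combo}")
```

With the stale delegation in place, a single entity reaches the five-of-nine threshold; revoking it raises that to two entities, and an eight-of-nine threshold raises it to four or five.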


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
