Axie Infinity's Ethereum sidechain Ronin hit by $600 million exploit

Quick Take

  • Ronin, an Ethereum sidechain built to support the play-to-earn game Axie Infinity, has suffered an exploit, developers said Tuesday.
  • 173,600 ETH (worth roughly $590 million) and 25.5 million worth of the stablecoin USDC were lost. 

Ronin, the blockchain network tied to the popular play-to-earn game Axie Infinity, suffered an exploit last week resulting in the loss of more than $600 million worth of crypto.

In a blog post, developers said that the exploit – which took place on March 23 but was discovered earlier Tuesday – resulted in the loss of 173,600 ETH (worth roughly $590 million at current prices) and 25.5 million worth of the stablecoin USDC. Specifically, five out of nine validators on the Ronin network were attacked and controlled during the incident. Validators serve a number of purposes, including the creation of transaction blocks and the updating of data oracles.

As the team explained:

"Five validator private keys were hacked; 4 Sky Mavis validators and 1 Axie DAO. The validator key scheme is set up to be decentralized so that it limits an attack vector such as this, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator. This traces back to November 2021 when the Axie DAO validator was allowlisted to distribute free transactions. This was discontinued in December 2021, but the Axie DAO validator IP was still on the allowlist."

"Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC," the post explained. Once those nodes were controlled, the attacker gained the ability to drain funds from the Ronin bridge. Bridges are software mechanisms for moving funds between blockchains.

Ronin was created by Sky Mavis, the developer of Axie Infinity. The blog post said that Sky Mavis "discovered the security breach on March 29th, after a report that a user was unable to withdraw 5k ETH from the bridge."

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Per the post, the majority of the funds are being held in this Ethereum address. Etherscan has flagged the address as "reported to [be] involved in a hack targeting the Ronin bridge."

"We are working directly with various government agencies to ensure the criminals get brought to justice," the team said. "We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users' funds are lost."

This is a developing story and will be updated as more information becomes available. 

For more breaking stories like this, make sure to subscribe to The Block on Telegram.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.