In one of the biggest crypto heists of all time, hackers stole $625 million from Ronin Network, the blockchain used in the popular play-to-earn crypto game Axie Infinity.
Sky Mavis, the operator of Ronin and Axie Infinity, revealed in its Ronin blockchain newsletter Tuesday that hackers had absconded with 173,600 ethers and 25.5 million USD Coin. The heist occurred March 23, and the actors are yet to be identified.
The attack was discovered on March 29, almost a week after the digital burglary, when a user found he could not withdraw 5,000 Ethereum.
Are You Compromised?
Sky Mavis said in the newsletter that the “axie” NFT tokens players must buy to access Axie Infinity haven’t been compromised, nor have the SLP and AXS in-game cryptocurrencies used in battling and breeding the Pokémon-like cartoon axolotls.
However, the game developer has frozen withdrawals and deposits, effectively locking out new players from the game, and leaving current players concerned for the security of their crypto wallets.
So, how does one remove digital currency from a blockchain?
Cracks in the System
The attacker used hacked private keys in order to forge fake withdrawals, Ronin Network wrote in its newsletter post.
Sky Mavis’ Ronin blockchain has nine validator nodes, and in order to make a deposit or withdrawal, signatures from at least five out of the nine are required. The attacker succeeded in gaining control of four of Ronin’s own validators and another third-party “Axie DAO” validator, which together meet the five-signature threshold.
Most of the hacked funds are still in the hacker’s wallet, Ronin Network said, adding that it is working with law enforcement officials, forensic cryptographers, and its investors to make sure all funds are recovered or reimbursed, according to Fortune India.
How Safe is Ronin Compared to Other Blockchains?
Validator nodes, like the ones used by Ronin, are a feature of proof-of-stake blockchains, rather than proof-of-work systems like Bitcoin.
The nodes review new transactions to confirm that their inputs and outputs match and that authorization signatures are valid, rejecting any transactions that don’t conform. Proof-of-stake blockchains are less energy-intensive, but are also more susceptible to attack than proof-of-work systems.
Sky Mavis used a shortcut in its blockchain when Axie Infinity experienced a huge influx of users from the Philippines in November. The system was discontinued in December, but the permissions that allowed it were never revoked.
Ronin will require eight validator nodes in the future due to the attack, but for now, the blockchain could still be compromised.
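An added example, not from Sky Mavis or Ronin, of the check the five-of-nine scheme above calls for: count how many independent operators must be compromised to reach the signature threshold, not how many keys. Assumptions: the four unnamed operators are constructed placeholders, the unrevoked permission is modelled as a grant that lets Sky Mavis obtain the Axie DAO validator's signature, and "eight validator nodes" is read as a threshold of eight signatures.

```python
from itertools import combinations

# Validator keys per operator. "sky_mavis" (4) and "axie_dao" (1) follow the
# article; op_a..op_d are constructed placeholders for the other four nodes.
KEYS_HELD = {"sky_mavis": 4, "axie_dao": 1,
             "op_a": 1, "op_b": 1, "op_c": 1, "op_d": 1}

# Assumption: the permission that was never revoked is modelled as
# "grantee can still obtain signatures from these operators".
STALE_GRANTS = {"sky_mavis": ["axie_dao"]}


def reachable_keys(compromised, keys_held, grants):
    """Keys usable after compromising the given operators (one-hop grants)."""
    controlled = set(compromised)
    for operator in compromised:
        controlled.update(grants.get(operator, ()))
    return sum(keys_held[operator] for operator in controlled)


def min_operators_to_quorum(keys_held, threshold, grants=None):
    """Return (count, operators) for the smallest set reaching the threshold."""
    grants = grants or {}
    operators = sorted(keys_held)
    for size in range(1, len(operators) + 1):
        for combo in combinations(operators, size):
            if reachable_keys(combo, keys_held, grants) >= threshold:
                return size, combo
    return None  # threshold exceeds the total number of keys


if __name__ == "__main__":
    for threshold in (5, 8):
        for label, grants in (("grants revoked", {}),
                              ("stale grant live", STALE_GRANTS)):
            size, combo = min_operators_to_quorum(KEYS_HELD, threshold, grants)
            print(f"threshold {threshold}, {label}: "
                  f"{size} operator(s) -> {', '.join(combo)}")
```

The number to track is the operator count, not the key count: any grant that lowers it is an access-review finding, whatever the nominal threshold.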
“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” the company said in its announcement. “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”