Axie Infinity

A hacker has stolen almost $620 million in Ethereum and USDC tokens from Axie Infinity’s Ronin network bridge, making it possibly the largest crypto hack in history.

Ronin is an Ethereum sidechain created by Sky Mavis to faciliate transactions for the Axie Infinity game, with the bridge acting as a way to transfer ERC-20 tokens between the Ethereum and Ronin blockchains.

Today, Sky Mavis disclosed that a threat actor hacked the Ronin bridge and stole 173,600 Ethereum and 25.5M USDC tokens in two transactions [1 and 2], worth $617 million at today’s prices.

While the Ronin sidechain uses 9 validator nodes to confirm transactions, the threat actor was able to gain controler over five of the validator signatures needed to withdraw cryptocurrency from the bridge.

“Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO,” explains an advisory from the Ronin network.

“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”

The attack occurred almost a week ago, on March 23rd, but Sky Mavis only learned about it today when a user tried to withdrwaw 5,000 Ethereum from the bridge and was unable to do so.

Most of the stolen cryptocurrency still resides in the attacker’s Ethereum address, though their has been some activity, with the attacker transfering ETH to various addresses and exchanges.

Attacker sending ETH to other addresses
Attacker sending ETH to other addresses

While Sky Mavis states that all AXS, RON, and SLP tokens on Ronin are secure, all of the Ethereum and USDC deposits have been stolen by the attacker.

Sky Mavis has also shut down the Ronin Bridge and the Katana Dex as they investigate the attack.

“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now,” explains Sky Mavis.

This attack is largest crypto hack in history, with the previous largest theft being $611 million stolen from Poly Network in August, 2021.

Source: www.bleepingcomputer.com