On Tuesday, Axie Infinity, which is recognized as the largest non-fungible token (NFT) blockchain game, had its Ronin network validators compromised in an attack. Sky Mavis, the company running the Axie Infinity project, elaborated that the validators had been compromised on March 23rd. The funds were drained in two transactions, and the company discovered the attack only after a complaint from a user, who reported being unable to withdraw 5,000 ether through the Ronin bridge. According to Sky Mavis's statement, the attacker used hacked private keys to forge fake withdrawals.
The company said that the Katana Dex and the Ronin bridge had been halted, and that it was working with forensic cryptographers, law enforcement officials and investors to ensure that all funds are reimbursed and recovered. Sky Mavis said that it was ensuring the safety of all the SLP, RON and AXS on Ronin. The team further disclosed that the project runs Ronin on nine validator nodes, and that five of the nine must sign a deposit or a withdrawal or the transaction won’t be processed. Sky Mavis said that the attacker was able to get control of four of the Ronin validators and used a third-party validator that is operated by Axie DAO.
To limit the possibility of an attack vector like this one, they have opted to use a decentralized validator key scheme. However, the attacker was able to use the company’s gas-free RPC node to find a backdoor, and took advantage of it to obtain the signature for the third-party validator. Sky Mavis went on to say that what made this worse was that the attacker used a change that had been made back in November 2021. The ‘Axie DAO allowlisted’ scheme was discontinued the following month.
However, the team stated that the ‘allowlist access’ hadn’t been revoked, so once the attacker got access to Sky Mavis's systems, they were able to use the gas-free RPC to get the signature from the Axie DAO validator. In its post-mortem, the company said that the signature used in the malicious withdrawals matched the five suspected validators.
This attack marks one of the largest hacks of a crypto protocol to have occurred this year. It is far greater than the attack on the Wormhole bridge, which had resulted in losses worth $320 billion. Jump Crypto had chosen to replace the funds.
On Tuesday, Sky Mavis explained that its team was working with law enforcement to bring the criminals to justice. Furthermore, it said that it was talking with stakeholders and discussing ways to compensate the users. The team said that the company is in it for the long term and would continue to build. The losses from the attack are valued at $620 million, making it the biggest hack to have occurred so far in 2022.
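
The five-of-nine threshold and the unrevoked allowlist described above can be checked with a custody audit that counts how many validator signatures each party can obtain, including through delegated access that is still active. This is an added example, not code from Sky Mavis or Ronin; the validator names, the four unnamed operators and the `SigningGrant` record are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # organisation that holds the signing key

@dataclass(frozen=True)
class SigningGrant:
    """Hypothetical record: `grantee` may obtain signatures from `validator`."""
    validator: str
    grantee: str
    revoked: bool

def effective_control(validators, grants):
    """Map each party to the validators whose signature it can obtain."""
    control = defaultdict(set)
    for v in validators:
        control[v.operator].add(v.name)
    for g in grants:
        if not g.revoked:  # a grant that was never revoked still counts
            control[g.grantee].add(g.validator)
    return control

def audit(validators, grants, threshold):
    """Return (party, reachable_count, validators_reached_via_grant) for every
    party that can meet the signing threshold on its own."""
    findings = []
    for party, reachable in sorted(effective_control(validators, grants).items()):
        if len(reachable) >= threshold:
            via_grant = sorted(g.validator for g in grants
                               if g.grantee == party and not g.revoked)
            findings.append((party, len(reachable), via_grant))
    return findings

# Constructed layout: 9 validators, 5 signatures required, as in the article.
THRESHOLD = 5
VALIDATORS = [Validator(f"sky-mavis-{i}", "Sky Mavis") for i in range(1, 5)]
VALIDATORS.append(Validator("axie-dao-1", "Axie DAO"))
VALIDATORS += [Validator(f"other-{i}", f"Operator {i}") for i in range(1, 5)]
STALE = [SigningGrant("axie-dao-1", "Sky Mavis", revoked=False)]
REVOKED = [SigningGrant("axie-dao-1", "Sky Mavis", revoked=True)]

if __name__ == "__main__":
    for label, grants in (("allowlist left active", STALE),
                          ("allowlist revoked", REVOKED)):
        print(f"{label}: {audit(VALIDATORS, grants, THRESHOLD)}")
```

With the grant left active, one party reaches five signatures by itself, so compromising that party is enough to authorize a withdrawal; with the grant revoked, no single party meets the threshold.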