Crypto thieves rob adorable digital animal game for over $617 million

Axie Infinity looks like a cross between a Tamagotchi and Pokémon, a “digital pet universe where players fight, breed and trade fantasy creatures called Axies”, creatures that are NFTs. A February 2022 article by decrypt.co described it as “the play-to-earn NFT game that is taking cryptocurrencies by storm”, but in a shocking development, the game has now been hacked to the tune of over $600 million, making it one of the biggest cryptocurrency heists of all time.

Axie uses Ronin, a “sidechain” designed specifically for gaming that allows users to access the Ethereum blockchain without paying many of the standard transaction fees. A sidechain, as defined by HackerNoon, is “a separate blockchain that is attached to its parent blockchain using a two-way peg [that] enables the interchangeability of assets at a predetermined rate between the parent blockchain and the sidechain.”

In simpler terms, this means that Axie Infinity players must have both a Ronin wallet and an Ethereum wallet: the cryptocurrency from the Ethereum wallet is transferred to the Ronin wallet via the Ronin bridge, at which point it can be used to buy Axies, the small in-game creatures. In the game's current alpha state, Axies can be crafted, trained, and forced to fight each other for your amusement. Of course, they can also be bought and sold on the blockchain.

It’s complicated and honestly most of the process goes over my head, but what’s important isn’t what it does, but what was done with it: As reported in a Ronin bulletin update, the Ronin bridge was “exploited” for 173,600 Ethereum and 25.5M USDC, which at the moment converts to more than $617M.

Ronin’s post explains that Axie developer Sky Mavis's Ronin network has nine “validator nodes”, five of which are required to verify and approve deposits and withdrawals – like a digital majority vote that automates the process to keep things happening at a reasonable pace. The system is decentralized to protect against attacks like this, but the attacker was nevertheless able to gain control of the four Sky Mavis validators and a third-party validator – enough to forge the withdrawals.

Ironically (but not surprisingly), it appears that this heist was made possible, at least in part, by human error. The report says that in November 2021, Sky Mavis asked Axie DAO (Decentralized Autonomous Organization) to help it distribute free transactions to Axie Infinity players because it could not manage the user load on its own. Axie DAO “allowlisted” Sky Mavis to sign transactions on its behalf, but when the deal ended a month later, no one revoked the allowlist access.

Oops.
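The five-of-nine threshold and the unrevoked allowlist described above can be checked mechanically. The following is an added example, not code from Ronin or Sky Mavis: the validator names, the delegation record format and the agreement end date are constructed for illustration, and the audit counts how many signing keys each entity can reach directly or through a delegation that was never revoked.

```python
from datetime import date

THRESHOLD = 5  # approvals required out of nine validators, per the article

# Constructed validator set (name -> operator); identifiers are illustrative.
VALIDATORS = {f"sm-{i}": "Sky Mavis" for i in range(1, 5)}
VALIDATORS["dao-1"] = "Axie DAO"
VALIDATORS.update({f"ext-{i}": f"Operator {i}" for i in range(1, 5)})

# Constructed delegation record: the grantee may sign on the validator's behalf.
# The end date is an assumed value for "a month later" than November 2021.
DELEGATIONS = [
    {"validator": "dao-1", "grantee": "Sky Mavis",
     "agreement_end": date(2021, 12, 31), "revoked": False},
]

def effective_control(validators, delegations):
    """Count the signing keys each entity reaches, directly or by live delegation."""
    reach = {}
    for name, operator in validators.items():
        reach.setdefault(operator, set()).add(name)
    for d in delegations:
        if not d["revoked"]:
            reach.setdefault(d["grantee"], set()).add(d["validator"])
    return {entity: len(keys) for entity, keys in reach.items()}

def audit(validators, delegations, threshold, today):
    """Return findings for stale delegations and threshold-reaching entities."""
    findings = []
    for d in delegations:
        if not d["revoked"] and d["agreement_end"] < today:
            findings.append(
                f"stale delegation: {d['grantee']} can still sign as {d['validator']}")
    for entity, n in effective_control(validators, delegations).items():
        if n >= threshold:
            findings.append(
                f"single point of compromise: {entity} reaches {n} of "
                f"{len(validators)} keys (threshold {threshold})")
    return findings

if __name__ == "__main__":
    for finding in audit(VALIDATORS, DELEGATIONS, THRESHOLD, date(2022, 3, 23)):
        print(finding)
```

With the delegation marked as revoked, Sky Mavis reaches only four keys and both findings disappear.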

The good news in this regard is that most of the stolen money is still in the hacker’s wallet, which will presumably facilitate recovery, and that all cryptocurrency still on Ronin is safe, though also inaccessible. Sky Mavis said it had contacted security teams on “major exchanges” and temporarily shut down the Ronin bridge to prevent further attacks. The bridge will be reactivated “at a later date, once we are sure that no funds can be drained”.

The breach took place on March 23, but was not discovered until March 29, when a user tried to withdraw 5,000 ETH from the bridge and failed. That’s not a huge testament to the network’s security, a point that Sky Mavis seemed to acknowledge in its message.

“As we have witnessed, Ronin is not immune to exploitation and this attack reinforced the importance of prioritizing security, remaining vigilant and mitigating all threats,” it wrote. “We know trust needs to be earned and we are using every resource at our disposal to implement the most sophisticated security measures and processes to prevent future attacks.

“The ETH and USDC deposits in Ronin have been drained from the bridge contract. We are working with law enforcement, forensic cryptographers and our investors to ensure there is no loss of user funds. This is our top priority right now.”

Sky Mavis also committed to ensuring that “all funds drained are recovered or refunded”.

Cryptocurrency values fluctuate wildly – you can see a year of Ethereum ups and downs in the chart below – but right now the real-money value of the heist trumps the $610 million crypto heist that took place in August 2021, described at the time as “the biggest DeFi (decentralized finance) heist of all time”.

One year of ETH:

(Image credit: Yahoo!)